MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 14



SHA256 hash: b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180
SHA3-384 hash: 8d0c1e08445902891198f83f08dd19d4dfeeaa5d998a5f0bf8bc1d8f613d85dad4b9d67633577d6f7fd186cf28733a04
SHA1 hash: 0a559ebf6ab1cdf292c79aac5ac20c236d975eb7
MD5 hash: ed37ebbe1746dd0d566c8c4769655e0b
humanhash: moon-eight-lithium-spring
File name: 555.exe
Signature: ArkeiStealer
File size: 1'304'576 bytes
First seen: 2022-03-22 22:47:41 UTC
Last seen: 2022-03-23 00:55:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5f3146513f84438aa6d693baf35ebf34 (1 x ArkeiStealer)
ssdeep: 24576:atLyuIJLGWVpPq48nuzldzB2sZL7kHNWDzBHc6ewxl:KLgFGYq48nupdzB2sp7kHNW51eE
Threatray: 212 similar samples on MalwareBazaar
TLSH: T147550111E2C1C538E16326B04DBB8769093CFD604B3066DBB7D42E7E6F719D26A3631A
dhash icon: 18f0f8d4b4e4f266 (1 x ArkeiStealer)
Reporter: @malware_traffic
Tags: ArkeiStealer exe vidar
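The hashes above are the only thing that ties a downloaded file to this entry, so the first step after fetching a sample is to recompute them and compare. The script below is an added example, not MalwareBazaar's own code: it uses only hashlib, which covers the SHA256, SHA3-384, SHA1 and MD5 rows; imphash, ssdeep and TLSH come from the pefile, ssdeep and tlsh packages (assumed, not shown here). The expected values are copied from the entry; the file path and the "verify_sample.py" name are assumptions.

```python
"""Recompute the digests listed in the database entry and compare them to the
entry before the sample is handled further.

Added example, not MalwareBazaar's own code. hashlib covers the SHA256,
SHA3-384, SHA1 and MD5 rows; imphash, ssdeep and TLSH are produced by the
pefile, ssdeep and tlsh packages (assumed, not shown here).
"""
import hashlib
import sys

# Expected values copied from the entry above (hex digests and byte size).
ENTRY = {
    "sha256": "b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180",
    "sha3_384": "8d0c1e08445902891198f83f08dd19d4dfeeaa5d998a5f0bf8bc1d8f613d85da"
                "d4b9d67633577d6f7fd186cf28733a04",
    "sha1": "0a559ebf6ab1cdf292c79aac5ac20c236d975eb7",
    "md5": "ed37ebbe1746dd0d566c8c4769655e0b",
    "size": 1304576,
}

ALGORITHMS = ("sha256", "sha3_384", "sha1", "md5")


def hash_bytes(data: bytes) -> dict:
    """Digest an in-memory blob with every algorithm the entry lists."""
    out = {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}
    out["size"] = len(data)
    return out


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through the same digests so a large sample is never read whole."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            size += len(block)
            for h in hashers.values():
                h.update(block)
    out = {name: h.hexdigest() for name, h in hashers.items()}
    out["size"] = size
    return out


def compare(computed: dict, expected: dict) -> dict:
    """Return {field: (computed, expected)} for every field that disagrees.

    Hex digests are compared case-insensitively (vendors print them in
    either case); an empty dict means the bytes match the entry.
    """
    mismatches = {}
    for field, want in expected.items():
        got = computed.get(field)
        if isinstance(want, str):
            same = got is not None and got.lower() == want.lower()
        else:
            same = got == want
        if not same:
            mismatches[field] = (got, want)
    return mismatches


if __name__ == "__main__":
    # Usage: python verify_sample.py <extracted sample>
    # MalwareBazaar ships downloads as a ZIP with password "infected";
    # extract it on an isolated analysis VM before hashing.
    result = hash_file(sys.argv[1])
    bad = compare(result, ENTRY)
    for field in ALGORITHMS + ("size",):
        print(f"{field:9} {result[field]}")
    if bad:
        print(f"MISMATCH in {sorted(bad)}: do not treat this file as the listed sample")
    else:
        print("MATCH: bytes correspond to the entry")
```

A mismatch on every field usually means the ZIP was hashed instead of the extracted executable; a mismatch on a single field means the copied value is wrong. Note that the "Unpacked files" section further down lists a second SHA256 (7597d5...) for the memory-dumped payload, so a dump taken in a sandbox will not match ENTRY and should be checked against that value instead.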


Twitter
@malware_traffic
Vidar sample from 2019

Intelligence


File Origin
# of uploads: 2
# of downloads: 245
Origin country: US
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2019-09-05-Vidar-from-Ursnif-style-URL-caused-by-Word-macro.exe
Verdict:
No threats detected
Analysis date:
2020-01-29 17:57:33 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Sending a custom TCP request
Searching for synchronization primitives
Creating synchronization primitives
Modifying an executable file
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Result
Malware family:
n/a
Score:
8/10
Tags:
n/a
Behaviour
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
graftor greyware packed shade update.exe ursnif
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Oski Stealer Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Signature
Antivirus / Scanner detection for submitted sample
Country aware sample found (crashes after keyboard check)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior graph: (image not included in this export)
Threat name:
Win32.Trojan.Graftor
Status:
Malicious
First seen:
2019-09-06 01:28:16 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
24 of 42 (57.14%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:vidar botnet:288 spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Vidar Stealer
Vidar
Malware Config
C2 Extraction:
http://dersed.com/
Unpacked files
SHA256 hash:
7597d549f30698a93af08ce8b3d05405181c08751ffbc73fb94fde5ef55e1fdb
MD5 hash:
a62bd1145b3065bad8f72adee95d8a5a
SHA1 hash:
3a3e00bc1ebca496fca949435ab6383712ee8ee0
Detections:
win_vidar_g0 win_vidar_auto
SHA256 hash:
b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180
MD5 hash:
ed37ebbe1746dd0d566c8c4769655e0b
SHA1 hash:
0a559ebf6ab1cdf292c79aac5ac20c236d975eb7
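The extracted C2 (http://dersed.com/) and the hashes of the packed and unpacked files are the indicators a responder would sweep logs for. The script below is an added example, not MalwareBazaar's or any listed vendor's code: it matches the C2 domain by parsed hostname (so a subdomain matches but a domain that merely contains the string does not) and matches hashes regardless of case. The proxy/EDR log lines are constructed for the demo, and the hostnames cdn.dersed.com and notdersed.com in them are hypothetical, included only to exercise the subdomain and false-positive cases.

```python
"""Sweep constructed proxy and EDR log lines for this entry's indicators.

Added example, not MalwareBazaar's or a vendor's code. IOC values are copied
from the entry (C2 URL, packed and unpacked hashes); the log lines are made
up for the demo and the hosts cdn.dersed.com / notdersed.com are hypothetical.
"""
import re
from urllib.parse import urlsplit

C2_URLS = ["http://dersed.com/"]          # "Malware Config / C2 Extraction" above
FILE_HASHES = {                            # 555.exe (packed) and the unpacked payload
    "b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180",
    "7597d549f30698a93af08ce8b3d05405181c08751ffbc73fb94fde5ef55e1fdb",
    "ed37ebbe1746dd0d566c8c4769655e0b",
    "a62bd1145b3065bad8f72adee95d8a5a",
    "0a559ebf6ab1cdf292c79aac5ac20c236d975eb7",
    "3a3e00bc1ebca496fca949435ab6383712ee8ee0",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# MD5 (32), SHA1 (40) or SHA256 (64) hex tokens; \b keeps longer hex runs out.
HEX_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)


def c2_domains(urls=C2_URLS):
    """Reduce the extracted C2 URLs to lower-cased hostnames."""
    return {urlsplit(u).hostname.lower() for u in urls}


def domain_hit(host, domains):
    """True for the domain itself or any subdomain; 'notdersed.com' must not match."""
    host = host.lower().rstrip(".")
    return host in domains or any(host.endswith("." + d) for d in domains)


def scan_line(line, domains=None, hashes=FILE_HASHES):
    """Return [(kind, value)] for every IOC found on one log line."""
    domains = c2_domains() if domains is None else domains
    hits = []
    for url in URL_RE.findall(line):
        host = urlsplit(url).hostname
        if host and domain_hit(host, domains):
            hits.append(("c2", host.lower()))
    for token in HEX_RE.findall(line):
        if token.lower() in hashes:
            hits.append(("hash", token.lower()))
    return hits


def scan(lines, **kw):
    """Return [(line_index, hits)] for lines that carry at least one IOC."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := scan_line(line, **kw))]


# Constructed sample log, not real telemetry.
SAMPLE_LOG = [
    "2022-03-23T00:51:02Z proxy src=10.0.0.7 method=GET url=http://dersed.com/ status=200",
    "2022-03-23T00:51:09Z proxy src=10.0.0.7 method=GET url=http://cdn.dersed.com/update.exe status=200",
    "2022-03-23T00:52:41Z proxy src=10.0.0.8 method=GET url=http://notdersed.com/ status=200",
    "2022-03-23T00:53:15Z edr host=WS07 event=process_create image=C:\\Users\\u\\AppData\\Local\\Temp\\555.exe "
    "sha256=B4C9AADD18C1B6F613BF9D6DB71DCC010BBDFE8B770B4084EEB7D5C77D95F180",
    "2022-03-23T00:54:00Z proxy src=10.0.0.9 method=GET url=https://example.com/ status=200",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG):
        print(f"line {idx}: {hits}")
```

Expected hits are lines 0 (exact C2 host), 1 (subdomain of the C2 host) and 3 (packed-sample SHA256 logged in upper case); line 2 is the substring trap and line 4 is benign. For production use, feed real log lines into scan() and add the SHA256 of the unpacked payload only if your EDR hashes memory dumps, since on disk the stealer is seen as the packed 555.exe.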

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments