MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b53a176429fc65629b41f4ec548a61fe2a2632d53f009b9bc29785cba315fe30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 11

SHA256 hash: b53a176429fc65629b41f4ec548a61fe2a2632d53f009b9bc29785cba315fe30
SHA3-384 hash: b956642a96d8d55c85d15e8354c655ff06c10eb3943a029ebc186c29372d36910b506da73a6d5b1bdce899f3effd306d
SHA1 hash: 4dcb75a9848d65b51e010c24af7eb850eedeeeca
MD5 hash: ada65a834db20ae3d66f17c6dd8ffbb5
humanhash: cup-march-steak-india
File name: ada65a834db20ae3d66f17c6dd8ffbb5.exe
Signature: ArkeiStealer
File size: 579'584 bytes
First seen: 2021-03-23 10:38:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5d17de16c76266fd8d910bc0fc0e437c (3 x ArkeiStealer, 1 x DanaBot, 1 x RedLineStealer)
ssdeep: 12288:6Caj0SP3TKYRHBNxcGLRXMfNfcvPxmWSWA+gua5SqPHmDpNyC:3k0SP+YPVuhcvsHWw5PvmD7y
Threatray: 508 similar samples on MalwareBazaar
TLSH: A4C4E110A7E0C036F1F722B449B696A9993A79716F2C50CFA2C51BEE9E346F09C30757
Reporter: abuse_ch
Tags: ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
http://choohchooh.com/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://choohchooh.com/
ThreatFox reference: https://threatfox.abuse.ch/ioc/4594/

Intelligence


File Origin
# of uploads: 1
# of downloads: 142
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ada65a834db20ae3d66f17c6dd8ffbb5.exe
Verdict: Malicious activity
Analysis date: 2021-03-23 10:39:21 UTC
Tags: trojan stealer vidar loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
DNS request
Sending a custom TCP request
Creating a file
Connection attempt
Sending an HTTP GET request
Deleting a recently created file
Replacing files
Reading critical registry keys
Creating a window
Delayed writing of the file
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Stealing user critical data
Launching a tool to kill processes
Forced shutdown of a browser
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Vidar stealer
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2021-03-18 10:05:15 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:vidar discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Vidar
Unpacked files
SHA256 hash: 7fe05231f4984892517420b14d7ad48350a90b2ac745b449a16109b494b75fed
MD5 hash: ecaf87a03f838f7fcc310cfad8e0b3fd
SHA1 hash: cc31ad6f6fbe59ba24990daa459b83ccfeb9218a
Detections: win_vidar_auto
Parent samples:
fc3285382ad7f58ef51da1a1041f1b67710d1ffc5633133fc126af1804be7702
64dc73c66a4afd86bf5a6cbc0679c5dd3e10e2fb86b2eb2990d46a073f6943e8
a558cba87687b22ee5227ccc4d109195b15ece0b3e7bf2de1f16f17f546b655e
d679fb2bc435b228ddaafd947f6be943c0a45c9bd949af04f2c4231e2e2052cd
1042014cc54a997f36926622c2b1bc3d9e3904598776e53d1fedc5bcf3528de1
57265e6674b80a1e6292f45a4cf8be1a1b623cb1e5f89b7e07d8b7916e381e30
77e169d522ad8577df2f250338c634d13b85525d20dbe185b3a4bf08e0ce9e81
5c0e2b35b86934ee3a0ad590a888eda3375a86afd01b55572eda349d06fa9364
68398faf26b078ea8fc1516d0192d7557683c2c7d8acd0baff2ad6dcec9372c4
f114a0219868914173ce8fe1e4dfedf5f61623cdc64a15f17aae25dddd430214
0d50613b9eb903a1fe157a6e183b105308ce7cbc4b56063deac1c63ade33ab74
66ed46015a4140900adbc246056f4d5b15ce78af90dbae9aa587039b09922a00
9379db9909eb90bc81cdb07b2d7dcbef69e5b1374e93b30153270ef2e58afe28
2741dd4405e19e5508adafb27ccc16460777cba41e79e4f0ece549c69e482008
b7fbd8164071eb1fffa561732f96d4569dc1480c01f99833a4b4d593cc3f1cd8
c518f1ab9ee78053ef0e0cd858d1a2eed284859e0a8c3bd77f697bd905dfce49
879da32561588f87ef6eba0f9175f10b600c0fe0b13f7f66bdc4c8d3063edb3b
3b3aab241be2a7755d61bea54971d730f81ca09017f8ef5bbabd7e0d59b9e092
39ed5733841151347086b530096621510bbd5ae523f75abbeb28d2df06af916f
1544df143ddc74b2261b8c580221d30b947188d9bb580f3ed916dfa34a13d5d6
02b6aee180e967f7564c8f4f85f2ad17350c4c66fb258ff5b23546bd0a5d6373
9c4796173941531c04e14e3c609819063517790b0955debae404845f00a186f5
b325c92fa540edeb89b95dbfd4400c1cb33599c66859a87aead820e568a2ebe7
b53a176429fc65629b41f4ec548a61fe2a2632d53f009b9bc29785cba315fe30
49bb4adbb9c4c008916876536f22f6d140b5ff8b5e581644267139a590cd3e60
d5cdf1ba09d7ae01bd144cd00f5603d2c13834b5d79ff6c486b85232c5248486
54251dcc9f29416e83749750e7cd3575b6a726cd4860a777367df3f373183b67
793fa56d22390ee4cce87bece9d80e633225bdc4f3e51347640cb4edbd3aee01
896f0217fc7dfbd7cab242663fd357c57326c6d2d0d693a736aca1cf8cd054d8
11e01b63a4019f8db21848bdec1b8fbd639b0ffed1e10ac256be1da118f1a976
83f723bc00bdf9847f4c2940332ef62253dd09d4b324b8a3af994776b88b554b
d2afcf566b8318ff4b7d2efa07377d1ff30226ac50edaa44313b509983f0a7ba
f248c1126e5df87d708519ae34ac00c8820cc38ef3324745f08b85bdc71d6796
0bcd04549f88ae97a142a6c8c34f46527b88ab15fc1fbebb90428e53e67ade7a
1fe985fd3e5aa0b87ea75dfa8007d020c3eb0ff339fe49568016551803386210
62d508d3cd5ee1bcf7e51d926a1158a42e27520686dd5644d50d3e3c2387560c
6735a63705ffd1faf9a0925cfeddda7868752db0965462cd3bb5d4a54f7fe2da
079fe13e3a3a631f7b9b444d3b43344bc9505a6926e188105e24b581d8ba9dc0
SHA256 hash: b53a176429fc65629b41f4ec548a61fe2a2632d53f009b9bc29785cba315fe30
MD5 hash: ada65a834db20ae3d66f17c6dd8ffbb5
SHA1 hash: 4dcb75a9848d65b51e010c24af7eb850eedeeeca
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: win_vidar_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com
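The sandbox behaviour entries above ("Delays execution with timeout.exe", "Kills process with taskkill", "Deletes itself", "Forced shutdown of a browser") and the Ping_Del_method_bin_mem rule ("cmd ping IP nul del") describe the same clean-up stub common to stealers of this kind: a cmd.exe child first kills the browser so its credential databases are unlocked, then waits with ping or timeout and deletes the stealer binary. The Python below is an added example, not code from MalwareBazaar, abuse.ch or the YARA rule authors. It runs that check over constructed process-creation log lines (the key=value layout, PIDs, paths and the list of browser image names are assumptions) and flags a delayed delete, a delete whose target is the parent process's own image, and a forced taskkill of a browser.

```python
"""Detect the ping/timeout + del self-deletion stub and browser kills in
process-creation events. Added example; the log format and browser list are
assumptions, not something MalwareBazaar or the YARA rule defines."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed process-creation events in a simplified key=value layout.
# Not a real Sysmon/EDR export; PIDs and paths are made up.
SAMPLE_LOG = r"""
pid=4120 ppid=2260 image=C:\Users\victim\AppData\Local\Temp\ada65a834db20ae3d66f17c6dd8ffbb5.exe cmdline="ada65a834db20ae3d66f17c6dd8ffbb5.exe"
pid=4388 ppid=4120 image=C:\Windows\System32\cmd.exe cmdline="C:\Windows\system32\cmd.exe" /c taskkill /im chrome.exe /f & timeout /t 5 & del "C:\Users\victim\AppData\Local\Temp\ada65a834db20ae3d66f17c6dd8ffbb5.exe"
pid=4402 ppid=4388 image=C:\Windows\System32\taskkill.exe cmdline=taskkill /im chrome.exe /f
pid=4410 ppid=4388 image=C:\Windows\System32\timeout.exe cmdline=timeout /t 5
pid=5012 ppid=1204 image=C:\Windows\System32\cmd.exe cmdline="C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 3 > nul & del "C:\Users\admin\Downloads\installer.exe"
pid=5100 ppid=1204 image=C:\Windows\System32\cmd.exe cmdline="C:\Windows\system32\cmd.exe" /c ping 8.8.8.8 -n 1
pid=5200 ppid=3000 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c del C:\Temp\old.log
"""

LINE_RE = re.compile(r"^pid=(\d+) ppid=(\d+) image=(\S+) cmdline=(.*)$")

# Delay primitives used by the stub: "ping <host> -n <count>",
# "ping -n <count> <host>" or "timeout [/t] <seconds>".
DELAY_RE = re.compile(
    r"\b(?:ping(?:\.exe)?\s+(?:\S+\s+-n\s+\d+|-n\s+\d+\s+\S+)"
    r"|timeout(?:\.exe)?\s+(?:/t\s+)?\d+)",
    re.IGNORECASE,
)
# "del [flags] <path>" up to the next command separator or end of line.
DEL_RE = re.compile(r'\bdel\s+(?:/\S+\s+)*"?([^"&|]+?)"?\s*(?:&|\||$)', re.IGNORECASE)
IM_RE = re.compile(r'/im\s+"?([^\s"]+)', re.IGNORECASE)
FORCE_RE = re.compile(r"(?:^|\s)/f(?:\s|$)", re.IGNORECASE)

# Assumed browser image names; the page only says "Forced shutdown of a browser".
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe"}


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_events(text: str) -> list[Event]:
    """Parse the constructed key=value lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(int(m[1]), int(m[2]), m[3], m[4]))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events: list[Event]) -> list[tuple[int, str, str]]:
    """Return (pid, rule, detail) findings in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        if name == "cmd.exe":
            delay = DELAY_RE.search(e.cmdline)
            dele = DEL_RE.search(e.cmdline)
            if delay and dele:  # a plain "del" without a delay is not the stub
                target = dele.group(1).strip()
                parent = by_pid.get(e.ppid)
                if parent and target.lower() == parent.image.lower():
                    findings.append((e.pid, "self_delete_via_delay",
                                     f"{parent.image} deletes itself after '{delay.group(0)}'"))
                else:
                    findings.append((e.pid, "delayed_delete",
                                     f"deletes {target} after '{delay.group(0)}'"))
        elif name == "taskkill.exe":
            im = IM_RE.search(e.cmdline)
            if im and im.group(1).lower() in BROWSERS:
                forced = bool(FORCE_RE.search(e.cmdline))
                findings.append((e.pid, "browser_kill",
                                 f"{'forced ' if forced else ''}kill of {im.group(1)}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyse(parse_events(SAMPLE_LOG)):
        print(f"pid={pid} {rule}: {detail}")
```

The self-delete match keys on the parent's image path rather than on the word "del" alone, so routine `cmd /c del` housekeeping (the last constructed line) is not flagged; the ping-only line is likewise ignored because the stub needs both the delay and the delete in one command line. Real EDR exports will differ in field names, so only `LINE_RE` and `parse_events` need adapting.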

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments