MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6c8d4806e4080ddee5a5b5ff6f3f12074fae9bd31464a147c7ac6851755ca4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6c8d4806e4080ddee5a5b5ff6f3f12074fae9bd31464a147c7ac6851755ca4c
SHA3-384 hash: d591fdd427d52661e7f56ec9bee6ac8ed71ea22fe589e0e8381f289895339768400c88b7ee7c3230c8eee2f054290ec2
SHA1 hash: 8df9b02c38b0e4467bfe890f3c27ed177b0c4e64
MD5 hash: e48c72a320b0720133df0552be39623a
humanhash: happy-indigo-whiskey-maine
File name:qqcwy3lu.bat
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:277'828 bytes
First seen:2022-12-19 06:00:05 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 6144:zIuMegIXvpL7d9g3gmi40ag87LuuXBPFrDh+ltjn:zIu7gcXFmizMyWnKT
Threatray 17'509 similar samples on MalwareBazaar
TLSH T1C84423446A7A7E5B3D6881BC85FF6BDDA2958A5FF0CCC4D67A40DCA5108C26C13BB032
Reporter r3dbU7z
Tags:ArkeiStealer bat dropper

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
qqcwy3lu.bat
Verdict:
Malicious activity
Analysis date:
2022-12-19 06:01:20 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/36be1f3b-f60e-4616-9331-7b0c4da28230

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/347820/
Detection(s):
SecuriteInfo.com.Other.Malware-gen.8472.2092.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/639ffe1f0e2bd0da35759512/reports/b2a5feae-bb79-4896-94eb-b3aa7c5acf39/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1136884
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Obfuscated command line found
PE file contains section with special chars
Self deletion via cmd or bat file
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 769614 Sample: qqcwy3lu.bat Startdate: 19/12/2022 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 Yara detected Vidar stealer 2->55 57 5 other signatures 2->57 8 cmd.exe 2 2->8         started        process3 file4 35 C:\Users\user\Desktop\qqcwy3lu.bat.exe, PE32 8->35 dropped 61 Suspicious powershell command line found 8->61 12 qqcwy3lu.bat.exe 39 8->12         started        17 powershell.exe 7 8->17         started        19 conhost.exe 8->19         started        signatures5 process6 dnsIp7 45 t.me 149.154.167.99, 443, 49683 TELEGRAMRU United Kingdom 12->45 47 95.217.82.37, 49685, 80 HETZNER-ASDE Germany 12->47 49 5.252.22.202, 49684, 80 FIRSTDC-ASRU Russian Federation 12->49 37 C:\Users\user\AppData\...\nppshell[1].exe, PE32 12->37 dropped 39 C:\ProgramData\98450277520446089597.exe, PE32 12->39 dropped 41 C:\Users\user\...\qqcwy3lu.bat.exe.log, ASCII 12->41 dropped 63 Obfuscated command line found 12->63 65 Self deletion via cmd or bat file 12->65 67 Tries to harvest and steal browser information (history, passwords, etc) 12->67 69 2 other signatures 12->69 21 98450277520446089597.exe 6 12->21         started        25 cmd.exe 1 12->25         started        27 powershell.exe 5 12->27         started        file8 signatures9 process10 dnsIp11 43 upub4bzbcjoskcxztfr.cvs3avnspg0dutck 21->43 59 Machine Learning detection for dropped file 21->59 29 conhost.exe 25->29         started        31 timeout.exe 1 25->31         started        33 conhost.exe 27->33         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6c8d4806e4080ddee5a5b5ff6f3f12074fae9bd31464a147c7ac6851755ca4c/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w3enjadoican33s2lnp7n47reb2pv2n5gfdeufd4pldikf2vzjga._file
Verdict:
malicious
Similar samples:
1041962780029fab7ba54ab21c49185c8f105f774f3e75286dd6f83f27a6a587
ArkeiStealer
221bcfad93520868aec7972924ea2cc5827dbf3da3965e2599b9668033ac7ec8
ArkeiStealer
3a56c8b9269a6dd225bc150dfd6bcf058aeadd2d5196ed02cec5bf00521238d9
ArkeiStealer
635329a3e60baf7fc0d50d16b87c4ddc8f9300c710696dde863c3d90abb1b4a3
ArkeiStealer
841572da329176a7f23da214406a8c5d19c4107206df3d83bfcd8dd6dc906ecf
ArkeiStealer
b14b1aee43f78548e382e6a5b5b59208f65f7c3a8e7aa1e3bdf7d8bea5217146
ArkeiStealer
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
ArkeiStealer
d2c0dcfcf2d60c5aad8a239bbd8b064b4953e536187230aa1d9b5fffbdeb5c39
ArkeiStealer
ed75d66b5d971ec01613881d3e088081222411e8315428e6cb049d5699ce31bc
ArkeiStealer
fad1b92b67d6509a5d114b43395bd428b8fff6b827198083f1abc801a9c78525
ArkeiStealer
+ 17'499 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/221219-gqde7shd3v/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6c8d4806e4080ddee5a5b5ff6f3f12074fae9bd31464a147c7ac6851755ca4c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Telegram_Links
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Batch (bat) bat b6c8d4806e4080ddee5a5b5ff6f3f12074fae9bd31464a147c7ac6851755ca4c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/347820/

Comments