MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9e2df677315f07b08f43626c99817ab16c1aceb5812b2ea20cdbc96cdbead4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9e2df677315f07b08f43626c99817ab16c1aceb5812b2ea20cdbc96cdbead4a
SHA3-384 hash: 02a94ba52d57cdbf7e0f972ab6ea0c5e5cb24bb7b2cdb9863304df02cd320e4c2aedafa7258cc7a4766c86db97cdd5f5
SHA1 hash: dc4d334d6c6969514c14f4b232e08ba31583ce35
MD5 hash: 03c7b8e50ff9a1ab2d0ae379c0180dec
humanhash: autumn-alabama-mango-georgia
File name:library_1
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:2'376'192 bytes
First seen:2022-11-21 12:00:23 UTC
Last seen:2022-11-21 13:46:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 407e3b5378b3b0b56c578f72b3227fa9 (5 x ArkeiStealer)
ssdeep 49152:QH039eANocGuhFFg6PDVN4fCNkTXlhVWS8K238nq3uiOVge0y/Ai:2gQSSCFLVN4KNQlhVp8/aq3updFAi
Threatray 16'605 similar samples on MalwareBazaar
TLSH T10BB522733E4AA0F2F1BC17F653529A7A18DF5D7F28C0511663D832F192B6762624C32A
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon ccc7dbe5a39383ce (2 x RedLineStealer, 2 x ArkeiStealer)
Reporter JAMESWT_WT
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
241
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-21 06:02:03 UTC
Tags:
installer loader cryptbot stealer trojan vidar
Link:
https://app.any.run/tasks/74043915-8bfc-45fe-9d7b-0883f3302876

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336743/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.63762343.28687.20844.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637b68802609334c72c19946/reports/2a155ec4-f8bc-4e79-8baf-18fd0b72ec9b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/085d69da-334a-4b36-9ef1-796e699379c6
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1118080
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b9e2df677315f07b08f43626c99817ab16c1aceb5812b2ea20cdbc96cdbead4a/
Threat name:
Win32.Infostealer.Bandra
Create hunting rule
Status:
Malicious
First seen:
2022-11-20 16:26:51 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xhrn6z3tcxyhwchugytmtgaxvmlmdlhllajlf2razw6jntn6vvfa._file
Verdict:
malicious
Similar samples:
22d9733647f48990bbe74bd5236545bb2d77d2b85cf5fa671bdd5276ebe8f6c6
ArkeiStealer
3e9c629c225bf857fc3183cc5f17ae5816e04f20c7d9636d5d6adac849ed2279
ArkeiStealer
88f86b01cb6078c58fd2d5ab9f1beb7c24fa1e4b71e1ca558678d7718c418b66
ArkeiStealer
de96e27483b81bec57e86f32954d7de623bb7a6c89aefa721c136fb60d148768
ArkeiStealer
e8075dd2f74391aabe1a85eeb7282620b5be0236d6d0a23e7474cf033dd1628a
ArkeiStealer
f763556b253fa22454cdc3e21f288cfcf360c4938b14258ee00e9a3c0e39ae17
ArkeiStealer
+ 16'595 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1707 discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/221121-n6weaahd44/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar
Malware Config
C2 Extraction:
https://t.me/deadftx
https://www.tiktok.com/@user6068972597711
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fa68e917-4f23-41ff-a459-fa59e71a3f96
Unpacked files
SH256 hash:
ee5443cf75eaa4405ea046dd7c34ef4bfbc80fac4b217c0b16121d7f5b064f03
MD5 hash:
382bf53bd7e2c23e9842682eebcbd77f
SHA1 hash:
66029f5cf98713608d5f872cf95cce40f83207c7
Link:
https://www.unpac.me/results/b0235338-7593-4eaf-b497-89533612bd90/
SH256 hash:
b9e2df677315f07b08f43626c99817ab16c1aceb5812b2ea20cdbc96cdbead4a
MD5 hash:
03c7b8e50ff9a1ab2d0ae379c0180dec
SHA1 hash:
dc4d334d6c6969514c14f4b232e08ba31583ce35
Link:
https://www.unpac.me/results/b0235338-7593-4eaf-b497-89533612bd90/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b9e2df677315/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/b9e2df677315f07b08f43626c99817ab16c1aceb5812b2ea20cdbc96cdbead4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/336743/

Comments