MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba7b728d5fc575f8bcf20973897ddf6160bf93f10026bdccaacaf5915513e021. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba7b728d5fc575f8bcf20973897ddf6160bf93f10026bdccaacaf5915513e021
SHA3-384 hash: 6cc96bed7ab50f09ea7c334210c1f8cc5237f2b8ce6ffca60040f393972a3230677639423978d215a99e9962a14e0bc4
SHA1 hash: f14b32f0e0961290e5c031f4b90eeaca45baaab4
MD5 hash: 6051ab4940e431020a0b3420f1369d39
humanhash: cold-low-vegan-march
File name:6051ab4940e431020a0b3420f1369d39
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'836'072 bytes
First seen:2022-06-24 08:13:32 UTC
Last seen:2022-07-23 04:32:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 42b065fa8a85c7841b659813cd94d508 (1 x ArkeiStealer)
ssdeep 49152:TyBsQwy1y8oMtXnpPF8BoLRUOZyUwFUfcruwL+QHjpKOZK2YLM:TyBsQwy1y8HXnE2LxEUwpaMpdbY4
Threatray 4'311 similar samples on MalwareBazaar
TLSH T116850200E750D039F8A3A0BA8EA5D778A6577CE2971190C722D93FEF27B71D09D32166
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 833161595951633e (1 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe signed

Code Signing Certificate

Organisation:*.ghs.com
Issuer:DigiCert TLS RSA SHA256 2020 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-04-05T00:00:00Z
Valid to:2023-04-27T23:59:59Z
Serial number: 08fd4a1d79f2df5c79e8616775fda075
Thumbprint Algorithm:SHA256
Thumbprint: 2c224bdfe1ba0c7e2a0eb156a885914b77ba4cca08e754b10af3f903b438d68f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
4
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/282938/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/22656/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/62b572897e9a4f0a86dc257d/reports/f71e9b5d-f0ea-4286-ae2d-9633bf80364a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/60e232f7-b3b8-4551-aa14-d91e0d4bd8e7
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1019158
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 651654 Sample: Jke5jTAlnV Startdate: 24/06/2022 Architecture: WINDOWS Score: 100 56 Multi AV Scanner detection for domain / URL 2->56 58 Antivirus detection for URL or domain 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 2 other signatures 2->62 8 Jke5jTAlnV.exe 2->8         started        11 good.exe 2->11         started        13 good.exe 2->13         started        process3 signatures4 68 Writes to foreign memory regions 8->68 70 Allocates memory in foreign processes 8->70 72 Injects a PE file into a foreign processes 8->72 15 InstallUtil.exe 25 8->15         started        process5 dnsIp6 42 infinite-stars.net 172.67.160.101, 443, 49841 CLOUDFLARENETUS United States 15->42 44 t.me 149.154.167.99, 443, 49805 TELEGRAMRU United Kingdom 15->44 46 2 other IPs or domains 15->46 32 C:\ProgramData\SAPGOG0UYVCZUS8DD36G.exe, PE32+ 15->32 dropped 34 C:\Users\user\AppData\Local\...\clip[1].exe, PE32+ 15->34 dropped 36 C:\ProgramData\vcruntime140.dll, PE32 15->36 dropped 38 5 other files (none is malicious) 15->38 dropped 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->48 50 Tries to steal Instant Messenger accounts or passwords 15->50 52 Tries to steal Mail credentials (via file / registry access) 15->52 54 2 other signatures 15->54 20 SAPGOG0UYVCZUS8DD36G.exe 1 1 15->20         started        24 cmd.exe 1 15->24         started        file7 signatures8 process9 file10 40 C:\Users\Public\good.exe, PE32+ 20->40 dropped 64 Multi AV Scanner detection for dropped file 20->64 66 Drops PE files to the user root directory 20->66 26 taskkill.exe 1 24->26         started        28 conhost.exe 24->28         started        30 timeout.exe 1 24->30         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba7b728d5fc575f8bcf20973897ddf6160bf93f10026bdccaacaf5915513e021/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-06-24 08:14:10 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xj5xfdk7yv27rphsbfzys7o7mfql7e7raatl3tfkzl2zcvit4aqq._file
Verdict:
malicious
Similar samples:
139cb9080845e4430473e3ad1e6f27c7c03be615c36afa86d58d69b7d9a5c0ef
ArkeiStealer
367f3a5a589ebb253496871b6b2d4cc956134e22c1b5d41edb0c19c890176a1f
ArkeiStealer
6351ac2c5e0124556db67bf3ad64416420ff710515c43004e33e6d64b5e9ef29
ArkeiStealer
711d8a94c429866e76447eb867f6408eb83b85d9bbea615084722e6055a9d939
ArkeiStealer
854f87724a1c31e24ae7fc1d2877500fe6a96292048b74e283878bdb70cb8e28
ArkeiStealer
8cea0e0bcfe1039d672e322ac7091ca84879f8f3ec8d44d5df38d72ee544b2e0
ArkeiStealer
9ec16b7ad0ac9eb821c6c037451d127e652cde49c6881a948503bc98f5f51111
ArkeiStealer
a422f25ad04555c45642bc5e4e15e634b9b6f2f987dadd9ad306be04ee80ffa4
ArkeiStealer
b3b578787d3f4eea1b43fa03453bf5a3f33483d0ed7aacfce7c0e791e6c17bf5
ArkeiStealer
+ 4'301 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1202 persistence spyware stealer suricata
Link:
https://tria.ge/reports/220624-j4zlpsdgd5/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Loads dropped DLL
Reads local data of messenger clients
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
Vidar
Malware Config
C2 Extraction:
https://t.me/tg_superch
https://climatejustice.social/@olegf9844
Unpacked files
SH256 hash:
684ed87d6bd9d490609741da15f4eb417d1f9d22c16ef3e24301162889bd8892
MD5 hash:
03f3903fa94fbb3f90fcb86237db8bbd
SHA1 hash:
5b3795a81c07e58eae187d3c781ebf83723c6443
Link:
https://www.unpac.me/results/445e74db-4498-4783-994c-4ca9cd3d5a1f/
SH256 hash:
ea53cdb22a844f0dc7d8468cefb4b7f71e1e890a214dd2cc1920bc71bfdbb9bd
MD5 hash:
52344e43b557c36dccbf8f67d04e5d4e
SHA1 hash:
26e38666b193a5a4305ddc57343c5d8889c7f90b
Link:
https://www.unpac.me/results/445e74db-4498-4783-994c-4ca9cd3d5a1f/
SH256 hash:
ba7b728d5fc575f8bcf20973897ddf6160bf93f10026bdccaacaf5915513e021
MD5 hash:
6051ab4940e431020a0b3420f1369d39
SHA1 hash:
f14b32f0e0961290e5c031f4b90eeaca45baaab4
Link:
https://www.unpac.me/results/445e74db-4498-4783-994c-4ca9cd3d5a1f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ba7b728d5fc5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba7b728d5fc575f8bcf20973897ddf6160bf93f10026bdccaacaf5915513e021

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe ba7b728d5fc575f8bcf20973897ddf6160bf93f10026bdccaacaf5915513e021

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2248747/
Cape
Cape
https://www.capesandbox.com/analysis/282938/

Comments


Avatar
zbet commented on 2022-06-24 08:13:36 UTC

url : hxxps://infinite-stars.net/files/vida.exe