MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bacdddfabf0476948f55a43f5bda407afa2f1cd4884e973a1722e3f674cc2a94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 9



SHA256 hash: bacdddfabf0476948f55a43f5bda407afa2f1cd4884e973a1722e3f674cc2a94
SHA3-384 hash: 23b51e7aa991adae8d5da713a02df9a9a7fd317534255bb979c6b9077e3a11227917acaf1f84c2b5a0c28a2436673134
SHA1 hash: 88e096acd8b176844b904cd3de8bd7a568c1513b
MD5 hash: b1aaf46b9ad59cce96b50b01a7b57a83
humanhash: arkansas-wyoming-lamp-chicken
File name: b1aaf46b9ad59cce96b50b01a7b57a83.exe
Signature ArkeiStealer
File size: 1'314'216 bytes
First seen: 2022-12-06 06:15:17 UTC
Last seen: 2022-12-06 07:38:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f2a7669845a558af78441959111ad23e (2 x LgoogLoader, 1 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 24576:F2k+mpoFYW3BDVgiFxRfgvBrS7zui/EzQgzeGm490OlP0lldTRLlZV9N/:Ik+eRW3BDVgGxdGk7KnzQ/eplmlZRLlv
Threatray 1'198 similar samples on MalwareBazaar
TLSH T1C455D089349378B9DDF7713725CAFED67749C0E8A86719EBA2D41F6B190288F6070306
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon f0d4ace8d2f0cccc (1 x ArkeiStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe signed

Code Signing Certificate

Organisation: lightweight.com
Issuer: R3
Algorithm: sha256WithRSAEncryption
Valid from: 2022-10-23T01:34:00Z
Valid to: 2023-01-21T01:33:59Z
Serial number: 03bd4d35d83158d19f0c08eb37233d489710
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 7d11caba69de183543b20390e9d20e6b93aba3d53e3fe404f388aed26c804570
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
ArkeiStealer C2:
http://95.217.29.31/

Intelligence


File Origin
# of uploads :
2
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b1aaf46b9ad59cce96b50b01a7b57a83.exe
Verdict:
No threats detected
Analysis date:
2022-12-06 06:17:18 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Launching a process
Sending a custom TCP request
Creating synchronization primitives
Sending an HTTP GET request
Creating a file in the %temp% directory
Behavior that indicates a threat
Creating a file
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit greyware overlay packed vidar
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 761367
Sample: IyQQLeB1yl.exe
Start date: 06/12/2022
Architecture: WINDOWS
Score: 100
Process tree (signatures and network contacts listed under the node that raised them):
  Start: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 3 other signatures
  IyQQLeB1yl.exe (started)
    Network: www.sssupersports.com 104.21.44.248:443 (local port 49701, CLOUDFLARENETUS, United States); akiswnxox5lp4qetjjo.6xkxnbp6szgbhfrxz (name only, no address shown)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    ngentask.exe (started)
      Network: t.me 149.154.167.99:443 (local port 49702, TELEGRAMRU, United Kingdom); 95.217.29.31:80 (local port 49704, HETZNER-ASDE, Germany); steamcommunity.com 2.21.52.150:443 (local port 49703, AKAMAI-ASUS, European Union)
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
      cmd.exe (started)
        conhost.exe (started)
        timeout.exe (started)
      WerFault.exe (started)
      WerFault.exe (started)
    ngentask.exe (started, second instance)
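The process tree above is the part of this entry a detection engineer can act on: a dropper run from a user path starts a Windows binary (ngentask.exe) and injects into it, the injected process contacts t.me, steamcommunity.com and the reporter's C2 95.217.29.31, and it finishes with a cmd.exe -> timeout.exe chain. The script below is an added example, not MalwareBazaar or sandbox code, that encodes those three stages as rules over process-creation and network-connection records in a Sysmon-like shape (EventID 1 and 3). The event records, PIDs, file paths, the benign svchost.exe-launched ngentask.exe control event, and the user-writable-path heuristic are all constructed assumptions; only the IPs and hostnames are taken from this page.

```python
import re

# IOCs copied from this entry: the reporter's C2 IP and the hosts the sandbox
# saw the injected ngentask.exe contact. Everything else here is constructed.
C2_IPS = {"95.217.29.31"}
STEALER_HOSTS = {"t.me", "steamcommunity.com"}

# Heuristic (assumption, tune per estate): a binary under C:\Windows should not
# be started by an executable that lives in a user-writable directory.
SYSTEM_DIR = re.compile(r"^C:\\Windows\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)

# Assumed paths for the constructed telemetry.
DROPPER = "C:\\Users\\victim\\AppData\\Local\\Temp\\IyQQLeB1yl.exe"
NGENTASK = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"

# Constructed events modelled on the report's behaviour graph.
# id 1 = process creation, id 3 = network connection (Sysmon numbering).
EVENTS = [
    {"id": 1, "pid": 1000, "ppid": 500, "image": DROPPER, "parent": "C:\\Windows\\explorer.exe"},
    {"id": 3, "pid": 1000, "dst_host": "www.sssupersports.com", "dst_ip": "104.21.44.248", "dst_port": 443},
    {"id": 1, "pid": 1100, "ppid": 1000, "image": NGENTASK, "parent": DROPPER},
    {"id": 3, "pid": 1100, "dst_host": "t.me", "dst_ip": "149.154.167.99", "dst_port": 443},
    {"id": 3, "pid": 1100, "dst_host": "steamcommunity.com", "dst_ip": "2.21.52.150", "dst_port": 443},
    {"id": 3, "pid": 1100, "dst_host": "", "dst_ip": "95.217.29.31", "dst_port": 80},
    {"id": 1, "pid": 1200, "ppid": 1100, "image": CMD, "parent": NGENTASK},
    {"id": 1, "pid": 1300, "ppid": 1200, "image": "C:\\Windows\\System32\\conhost.exe", "parent": CMD},
    {"id": 1, "pid": 1400, "ppid": 1200, "image": "C:\\Windows\\System32\\timeout.exe", "parent": CMD},
    # Benign control (assumed): ngentask.exe started by the Task Scheduler host.
    {"id": 1, "pid": 2000, "ppid": 900, "image": NGENTASK, "parent": "C:\\Windows\\System32\\svchost.exe"},
]


def _process_table(events):
    return {e["pid"]: e for e in events if e["id"] == 1}


def _ancestors(pid, procs):
    """PIDs above `pid` for which we hold a creation record, nearest first."""
    chain = []
    while pid in procs and procs[pid]["ppid"] in procs:
        pid = procs[pid]["ppid"]
        chain.append(pid)
    return chain


def detect(events):
    """Return {pid: set(rule_names)} for every process that trips a rule."""
    procs = _process_table(events)
    hits = {}

    def flag(pid, rule):
        hits.setdefault(pid, set()).add(rule)

    # Rule 1, injection target: mirrors "Injects a PE file into a foreign
    # processes". A Windows binary whose parent sits in a user-writable path.
    for pid, p in procs.items():
        if SYSTEM_DIR.match(p["image"]) and USER_WRITABLE.search(p["parent"]):
            flag(pid, "system_binary_launched_from_user_path")
    suspects = set(hits)

    # Rule 2, the suspect process (or a descendant) reaching the hosts and
    # C2 IP listed on this page.
    for e in events:
        if e["id"] != 3:
            continue
        related = {e["pid"], *_ancestors(e["pid"], procs)}
        if related & suspects and (e["dst_host"] in STEALER_HOSTS or e["dst_ip"] in C2_IPS):
            flag(e["pid"], "suspect_process_contacts_stealer_infrastructure")

    # Rule 3, the cmd.exe -> timeout.exe tail, only when it hangs below a
    # suspect; on its own this chain is far too common to alert on.
    for pid, p in procs.items():
        if p["image"].lower().endswith("\\timeout.exe") and p["parent"].lower().endswith("\\cmd.exe"):
            if set(_ancestors(pid, procs)) & suspects:
                flag(pid, "suspect_process_runs_cmd_timeout_chain")
    return hits


if __name__ == "__main__":
    for pid, rules in sorted(detect(EVENTS).items()):
        print(pid, sorted(rules))
```

Rule 2 and rule 3 are deliberately gated on rule 1: ngentask.exe and cmd.exe/timeout.exe are legitimate Windows components, so the benign control process (PID 2000) produces no finding even though it shares the image name. Mapping the record fields onto real Sysmon or EDR telemetry, and widening the host list as the reporter's C2 and the sandbox's resolvers change, is left to the operator.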
Threat name:
Win32.Trojan.Fragtor
Status:
Malicious
First seen:
2022-11-26 18:57:42 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Unpacked files
SHA256 hash:
4a4f8fff6e09e75401530663ec9da35175bf83cfea2eabb95228b37b7d4576e4
MD5 hash:
76e645c384922748c193e1bd0f0de4f8
SHA1 hash:
6834ffd7d75c3e31af6bdb0f18436efd73490a9a
SHA256 hash:
bacdddfabf0476948f55a43f5bda407afa2f1cd4884e973a1722e3f674cc2a94
MD5 hash:
b1aaf46b9ad59cce96b50b01a7b57a83
SHA1 hash:
88e096acd8b176844b904cd3de8bd7a568c1513b
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments