MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb5938ca20203ecde3fc65a31025801a1c136b90c76d7816edcb58db733ca3ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb5938ca20203ecde3fc65a31025801a1c136b90c76d7816edcb58db733ca3ed
SHA3-384 hash: 03cbf245061d3c00a67c6de7d7e9eab12d8d14202073d5c068c585f07dcc37653099007aa5934a1bdcd0396b99eafc0f
SHA1 hash: dab4b60feea4a9a06154a55cd260f7f2476e8df9
MD5 hash: 5532eb31a0dfcf10114a9861d828c7b5
humanhash: twenty-lamp-december-one
File name:library_2
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:5'580'927 bytes
First seen:2022-09-26 06:30:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6c9b62aae6117060f9867b92d139b95e (9 x ArkeiStealer, 2 x Smoke Loader, 1 x RedLineStealer)
ssdeep 49152:HBI6nrEmvRmaNtqp6S0QGHHStTITGaRQXLKp8fm3ileWPH5Hxk:HaURnsjfaRQbKp8fm3iMGHQ
Threatray 476 similar samples on MalwareBazaar
TLSH T1BA468E23B349643EC06B193A492BD6D89C3F7F61791ACC4A7BF4194CCF361416A3A61B
TrID 61.8% (.EXE) Inno Setup installer (109740/4/30)
23.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.9% (.EXE) Win64 Executable (generic) (10523/12/4)
2.5% (.EXE) Win32 Executable (generic) (4505/5/1)
1.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon f0d4b06969e8cc70 (2 x ArkeiStealer, 1 x AsyncRAT)
Reporter JAMESWT_WT
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
stop
Create hunting rule
ID:
1
File name:
File.zip
Verdict:
Malicious activity
Analysis date:
2022-09-26 05:11:09 UTC
Tags:
stealer opendir loader ransomware stop evasion redline
Link:
https://app.any.run/tasks/b40814b7-4ccb-4128-83d6-f60d45222843

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313432/
Detection(s):
PUA.Win.Adware.Dealply-6619245-0
Create hunting rule

PUA.Win.Adware.Dealply-6619266-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Delayed reading of the file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39164/overview
Behaviour
MalwareBazaar
CPUID_Instruction
LanguageCheck
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
75%
Tags:
cmd.exe fingerprint greyware keylogger overlay regasm.exe rundll32.exe
Link:
https://www.filescan.io/uploads/633147a56963f27ddc3514db/reports/f0ded0cf-6646-4b6f-9082-4a138d4b6105/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99f151af-486b-42d0-bfbe-f083944d5d12
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1078878
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb5938ca20203ecde3fc65a31025801a1c136b90c76d7816edcb58db733ca3ed/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2022-09-26 01:00:30 UTC
File Type:
PE (Exe)
Extracted files:
79
AV detection:
23 of 40 (57.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xnmtrsraea7m3y74mwrrajmadiobg24qy5wxqfxnznmnw4z4upwq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
01dd09f52d0accfd655731ed746a9c3742dc7ee7684aa5a4002155897147dc20
ArkeiStealer
2231160e71faf8674b8efc0cedf3384db3acc5d66f0276c76b18c7cb5f842ce0
ArkeiStealer
3f79eef1aceb629f11e4f298319df9b094e5fac8658babe3730127a280c549c0
ArkeiStealer
6c11af0bbd346329224255d38a07fb9db5828881d3520ab4623c7a5fc09ecd47
ArkeiStealer
8ecbe3f78c01ca3ddb3cd79498d97441c9f08cc3c2d2416546aee250ff84877e
ArkeiStealer
9d5f1be092ee806db3f058fa773d20f7f4a9c120c44f0f0ab365e1e2a822cb36
ArkeiStealer
b2531fbdd1d763ac1d257cc43b7806c8cc6b71f65bbc5cc3513a9a11cda2b228
ArkeiStealer
ee5cd7f14bf98534291bdb1b34d1424bebb1fbc27e01915ff15e928dc9ea73f6
ArkeiStealer
+ 466 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1636 discovery spyware stealer
Link:
https://tria.ge/reports/220926-g92xxahgc6/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar
Malware Config
C2 Extraction:
https://t.me/dghzq
https://t.me/zjsqpz
https://t.me/fqwexzq
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ce047eaf-b670-460d-9015-6519bd903116
Unpacked files
SH256 hash:
61e71885942cbb64d50d1cac66a94452dd997e8e6df81abd1cb997d93ab8da60
MD5 hash:
821954255d4088ee4a72247f19580cc4
SHA1 hash:
6c39b6101b30c0fa9f36692284cbfc9f32d650cc
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/8af747b8-de68-4cc9-b2b1-e49831cce398/
Parent samples :
b3fb5417f369f276a7db43531dabc38241f6fb329bcec6b26f1d9ccd1f817c22
ee5cd7f14bf98534291bdb1b34d1424bebb1fbc27e01915ff15e928dc9ea73f6
8ecbe3f78c01ca3ddb3cd79498d97441c9f08cc3c2d2416546aee250ff84877e
bb5938ca20203ecde3fc65a31025801a1c136b90c76d7816edcb58db733ca3ed
455e9b43d3df1c83df5182936603a66d04658d6d1cb3098e9676978549e926fa
SH256 hash:
f6ca8a05cff95a69b812d60bb66b7b262a509e06b44136ee2cc7ea58dbebeae1
MD5 hash:
4c543a3c34cdd41c71f7a98352f13609
SHA1 hash:
1f29c220f002a7bfe856794a0639e4d317c31d96
Link:
https://www.unpac.me/results/8af747b8-de68-4cc9-b2b1-e49831cce398/
SH256 hash:
bb5938ca20203ecde3fc65a31025801a1c136b90c76d7816edcb58db733ca3ed
MD5 hash:
5532eb31a0dfcf10114a9861d828c7b5
SHA1 hash:
dab4b60feea4a9a06154a55cd260f7f2476e8df9
Link:
https://www.unpac.me/results/8af747b8-de68-4cc9-b2b1-e49831cce398/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb5938ca20203ecde3fc65a31025801a1c136b90c76d7816edcb58db733ca3ed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/313432/

Comments