MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc8a0dfae21c3a5319851f57837b294ea9aaae1d54a1be188169ac00b67db738. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	bc8a0dfae21c3a5319851f57837b294ea9aaae1d54a1be188169ac00b67db738
SHA3-384 hash:	478989bb4c189bfaad16d0502109324833cdc4cfce78d5085ae99292878725e7784f26f329a8735b39a6120733a0ea2b
SHA1 hash:	cd854fbfc2057604f0806c13badcbd979c4c6165
MD5 hash:	477c4b1f629a2031f38fede68475c7be
humanhash:	green-football-twenty-ack
File name:	bc8a0dfae21c3a5319851f57837b294ea9aaae1d54a1be188169ac00b67db738
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	2'804'528 bytes
First seen:	2022-06-10 07:45:37 UTC
Last seen:	2022-06-10 08:49:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	79b3362178937bf9559741c46bb9e035 (18 x LaplasClipper, 9 x RaccoonStealer, 8 x ArkeiStealer)
ssdeep	49152:yXG/fWcznLyvD3s1R7fl2/QQYvVVSatHhbG44Rs8QJStrAS0j/nM:r+4yg/79uMS/Rs8Qr/M
Threatray	17'300 similar samples on MalwareBazaar
TLSH	T106D533026B8F0010EBA28D3A9A152FE25AF4AD44331FDB4B2B5E751E5FB3B593F41854
TrID	52.9% (.EXE) Win32 Executable (generic) (4505/5/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	78e0e6ecceb0e0f1 (1 x ArkeiStealer)
Reporter	crep1x
Tags:	ArkeiStealer exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

398

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

hiloti

ID:

File name:

setup.exe

Verdict:

Malicious activity

Analysis date:

2022-06-03 08:23:32 UTC

Tags:

installer loader hiloti trojan evasion stealer

Link:

https://app.any.run/tasks/c929d4c3-bc1c-4761-9e69-0552e713a5b5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/278588/

Detection(s):

SecuriteInfo.com.Variant.Babar.44392.19560.13125.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Sending a custom TCP request

Creating a window

Stealing user critical data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/62a2f70c35540d251cdc941b/reports/101f2195-1567-4f2a-8ff0-f00d235335e7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Arkei Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4099ef76-11cb-49a5-b2d8-0763077aeac3

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1010650

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Hides threads from debuggers

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bc8a0dfae21c3a5319851f57837b294ea9aaae1d54a1be188169ac00b67db738/

Threat name:

Win32.Trojan.Woreflint

Status:

Malicious

First seen:

2022-06-03 23:26:20 UTC

File Type:

PE (Exe)

Extracted files:

200

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xsfa36xcdq5fggmfd5lyg6zjj2u2vlq5ksq34gebngwabnt5w44a._file

Verdict:

malicious

ArkeiStealer

18f5a7d7fa2e52091504106547fc9c1e2d540ff70d75544c550765599c65be1b

ArkeiStealer

5972343370247c01cd49e0fda028bdece0507c15ec3773311ed41688da9b9e30

ArkeiStealer

82a108c44defd4e43bf5bdee2bbadbf7f62870683557276b698d15845267c722

ArkeiStealer

84737380889c0a048ca05cb8176457f85666beccc750c262d30c64441ffee857

ArkeiStealer

89ec309c384717284199d66d01669738ce37d9fb445a8f7f2259dfd6ca888f5d

ArkeiStealer

cf2a9a23fe444cf73084e201311e785dea3d6dbfd2fa77027ab8895995d47700

ArkeiStealer

e6cea0eb49c9b461c624ded82d794e9353499644a47f7975a6ab030a9f8123b8

ArkeiStealer

ffc1b9735633836ed935e403d56dd31a464f39c0814e22cb19bb3af6cd54b270

ArkeiStealer

+ 17'290 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar discovery evasion spyware stealer suricata trojan

Link:

https://tria.ge/reports/220610-jly78aghaq/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Loads dropped DLL

Reads user/profile data of web browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

Vidar

suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

Unpacked files

SH256 hash:

e4d9d86d4aeddd23e4280fadfa2c190d683b0939a61c832887233b6c9ab2e4a1

MD5 hash:

af6c757ed54b1299caea8a34b431d426

SHA1 hash:

f26dca7e8439a91baa02d701e6e9a86acc392159

Link:

https://www.unpac.me/results/edcbc47d-a462-44c8-9a67-ea6aeb6ccbaf/

SH256 hash:

bc8a0dfae21c3a5319851f57837b294ea9aaae1d54a1be188169ac00b67db738

MD5 hash:

477c4b1f629a2031f38fede68475c7be

SHA1 hash:

cd854fbfc2057604f0806c13badcbd979c4c6165

Link:

https://www.unpac.me/results/edcbc47d-a462-44c8-9a67-ea6aeb6ccbaf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/bc8a0dfae21c3a5319851f57837b294ea9aaae1d54a1be188169ac00b67db738

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/278588/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample