MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc995cf9cc10d39e6ec3917325798ef6f5e4f8805210b1b8416c1eef6c4fd31c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc995cf9cc10d39e6ec3917325798ef6f5e4f8805210b1b8416c1eef6c4fd31c
SHA3-384 hash: ea55978fbafd80d9da496bb017f953dd601907b3bcf301ca42139264366db59c013e663132ded63cead2c5cbaedf52f8
SHA1 hash: 7910905a8a0a0e12bf6f4a003d73eaa6de469b39
MD5 hash: 5b0e490618f2b1f5a5ae4318d4db813f
humanhash: bakerloo-johnny-carpet-december
File name:file.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:335'360 bytes
First seen:2023-05-23 06:06:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f76f27c730e6db54fe2a82dc14343db2 (4 x RedLineStealer, 3 x GCleaner, 3 x Smoke Loader)
ssdeep 6144:bYZSitAsZGxTygAeB8WgDx2wndq8U5Qim3yoC7nEj0x:bToAsZG8gn+Wccoq8AQiyyoC7E
Threatray 23 similar samples on MalwareBazaar
TLSH T12D64E0113AD5C071E25741344EF5C6A1DE2BB8B25BA29DCB3B9466BE0F352C2DB7031A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 001030646c686800 (1 x ArkeiStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-23 05:01:02 UTC
Tags:
installer gcleaner loader stealer arkei vidar asyncrat redline laplasclipper
Link:
https://app.any.run/tasks/cd62a7c7-ac42-4d02-9965-64cab4ea15df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.29323.BadIN.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Searching for synchronization primitives
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/87505/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/646c580658680c1bcc8ad5bc/reports/3e9887b7-a261-4db9-9c0d-fb02312626df/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/bc995cf9cc10d39e6ec3917325798ef6f5e4f8805210b1b8416c1eef6c4fd31c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5dd76662-96fc-4629-a34d-4561df096c2f
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1240507
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc995cf9cc10d39e6ec3917325798ef6f5e4f8805210b1b8416c1eef6c4fd31c/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-23 03:49:44 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xsmvz6omcdjz43wdsfzsk6mo6326j6eakiildocbnqpo63cp2moa._file
Verdict:
malicious
Similar samples:
1171766b3c8e74122333aedfcf8ff32bcd2e059043af434dc57a70b6015b3e63
ArkeiStealer
26d83413c54af6d99ff06a2cc8a2d2c3f3c4bd1833263705511ec2ac3341b960
ArkeiStealer
28aec7fadc4fac6d849aa513024bdf78d4e69dba855f480354da15d9a24d950e
ArkeiStealer
47533aa05bded994f2d8eac00f941a9cd79ed7bbe7dce1a43e5bdb37604d90f1
ArkeiStealer
581304c1ecc96f13dc1fcd999afed03ce2844937b63f463269352d9ba60666cb
ArkeiStealer
a5bbd1c4644020a43ce19b00933127c6dd7ab45f46b023167faffd42ab77fccf
ArkeiStealer
aa4cc3628a90b029fd7fb6d61b3b436f57d98bcda0c71d1271e04afaea7ef091
ArkeiStealer
d5fcee9cd7ad5b8ed93815ea3e1fad2443366c25f5dcba3907d0dd4cdc3be789
ArkeiStealer
e9b7c7b03d379e1399e3611040fc5c5a0af3085d438689fd468acda5fdd6bf54
ArkeiStealer
efdcb0067912e9a254be5c3d6f6d7fec22df943209ed0cc093aa8c788792390b
ArkeiStealer
+ 13 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:79367833613cbd2c8f8379283bd5931b discovery spyware stealer
Link:
https://tria.ge/reports/230523-gva6msdh93/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199508624021
https://t.me/looking_glassbot
Unpacked files
SH256 hash:
dc1c8b4ff1fe6edfebbdb081db8ca0a139cb37717f45058d9368baba4e6f09d0
MD5 hash:
1ab2db5fc81b191542578556f660f362
SHA1 hash:
05df1a2f9c344df383760a26a701e780e0c6afdc
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/1ea252da-06f9-4edf-96a7-39bd1f2c38ff/
SH256 hash:
bc995cf9cc10d39e6ec3917325798ef6f5e4f8805210b1b8416c1eef6c4fd31c
MD5 hash:
5b0e490618f2b1f5a5ae4318d4db813f
SHA1 hash:
7910905a8a0a0e12bf6f4a003d73eaa6de469b39
Link:
https://www.unpac.me/results/1ea252da-06f9-4edf-96a7-39bd1f2c38ff/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bc995cf9cc10/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc995cf9cc10d39e6ec3917325798ef6f5e4f8805210b1b8416c1eef6c4fd31c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments