MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c03acc879dac0a637d563811493a14730f0c6401c0c4939a22a06ad4b0befa14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	c03acc879dac0a637d563811493a14730f0c6401c0c4939a22a06ad4b0befa14
SHA3-384 hash:	16b81ef2b2f9e6b363f1ac5b0fabef9bca2d32e7337c9b4dfb5e52576e36907804aeb0af9bd60c3dd4edc088fa9a7f8d
SHA1 hash:	c62ee8d09c32e242a5a098b13008219786dfd041
MD5 hash:	5bf5406c951e5f6ad8d5fce00424456c
humanhash:	utah-black-johnny-tennis
File name:	5bf5406c951e5f6ad8d5fce00424456c.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	427'008 bytes
First seen:	2022-06-19 09:52:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9830cdb1956c01d9ae950ff245361c4a (2 x ArkeiStealer)
ssdeep	6144:eNQXzf8jjSoJ7e6FsfeDfIr1D7gUkjhJvHx:8af8HSgSCsfYfS1ngZv
Threatray	342 similar samples on MalwareBazaar
TLSH	T11A94F12133E0C037C38754714435CB526BFA7912AE7B584B27AC263A6F706C2B67932A
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	38b078cccacccc43 (123 x Smoke Loader, 83 x Stop, 63 x RedLineStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

265

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/281245/

Detection(s):

Win.Malware.Azorult-9949206-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Query of malicious DNS domain

Sending a TCP request to an infection source

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/21917/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult greyware lockbit packed

Link:

https://www.filescan.io/uploads/62aef1ffc07f2e38a15cee84/reports/7fee4b4b-ed3f-48af-90ac-f0a125b8b222/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Arkei Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/581beeaf-c228-46a6-a100-be4c2319bc02

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1015847

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c03acc879dac0a637d563811493a14730f0c6401c0c4939a22a06ad4b0befa14/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-06-19 06:09:47 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ya5mzb45vqfgg7kwhaiusoquomhqyzabydcjhgrcubvnjmf67ika._file

Verdict:

malicious

ArkeiStealer

5972343370247c01cd49e0fda028bdece0507c15ec3773311ed41688da9b9e30

ArkeiStealer

7420a4599f32e3ebcdd0faab35d5aeba791dd0a7216e851f2e22cd000576b0d4

ArkeiStealer

7e768693b8e4916e06d09492a041b4b5c62db44dbfeba0121c116a04d7aae6f0

ArkeiStealer

b9ba3633e6ae613c553bb7311affb973b5d3c5f41de5a9e5f1b048cb2cda8a34

ArkeiStealer

ff18c43df97a7c61d933d4274641528644604a8e12289734f9f524e57c345e00

ArkeiStealer

+ 332 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1448 stealer

Link:

https://tria.ge/reports/220619-lwmchsdhfk/

Behaviour

Modifies system certificate store

Vidar Stealer

Vidar

Malware Config

C2 Extraction:

https://t.me/tg_randomacc
https://indieweb.social/@ronxik333

Unpacked files

SH256 hash:

3bf80e132ec5858cb4353f9a5c5c7eefc637b52163c6682a5b228eace2b5d007

MD5 hash:

184b6556885e12aafd6b1a9e25cf8a5c

SHA1 hash:

8cd1113f3380766ba933ef312f99de315e6cd3bb

Link:

https://www.unpac.me/results/af16e767-705f-465f-a26c-f78816e2e76d/

SH256 hash:

c03acc879dac0a637d563811493a14730f0c6401c0c4939a22a06ad4b0befa14

MD5 hash:

5bf5406c951e5f6ad8d5fce00424456c

SHA1 hash:

c62ee8d09c32e242a5a098b13008219786dfd041

Link:

https://www.unpac.me/results/af16e767-705f-465f-a26c-f78816e2e76d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c03acc879dac0a637d563811493a14730f0c6401c0c4939a22a06ad4b0befa14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe c03acc879dac0a637d563811493a14730f0c6401c0c4939a22a06ad4b0befa14

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2237666/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/281245/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample