MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c12e490c818469384c4317e24281d2233d561663a17a74ba79365b4c74f4d673. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c12e490c818469384c4317e24281d2233d561663a17a74ba79365b4c74f4d673
SHA3-384 hash: bfb2ca786b46b8023c50639ab33ef1d4eb84a5af229d27635abe3ab0a8393f688923a27e17d4e23f0a501299dd9a3ae3
SHA1 hash: 2b532c15adb523c20a96eefa4e2db001fcf34c95
MD5 hash: 71842b9abd318f78fba2f8375acc6b68
humanhash: zebra-six-asparagus-louisiana
File name:GuardiansOfThrone_Launcher.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'779'200 bytes
First seen:2022-12-01 17:57:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 879dbf1364cc64f8a8169e5a551dfab3 (1 x ArkeiStealer)
ssdeep 24576:b4d89kiMHUavvvTK+jrmW8qwb3ID8yVaQY25sdCQG4gFIu0RReV0JYM:a8tMH3HTK+jCM7Vaysdv2II0
TLSH T1DD856D01B7A15018FCF316FA9AFE206C992CBDE1072C90D751C42AED9A65AF07D31B67
TrID 88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 8470eb8ce4781144 (2 x ArkeiStealer)
Reporter iamdeadlyz
Tags:ArkeiStealer exe FakeGOTT vidar


Avatar
Iamdeadlyz
From guardiansrpg.com (impersonation of play.google.com/store/apps/details?id=com.elight.got.gp)
De-pump of: d75bd016762760fc822510a42542f89b3b87782e05f6f4d4c7e0d4c2cbc0bb20
Vidar C&C:
https://t.me/headshotsonly -> mycsgoserv http://95.217.31.208:80|
https://steamcommunity.com/profiles/76561199436777531 -> mycsgoserv http://95.217.29.31|

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
GuardiansOfThrone_Launcher.exe
Verdict:
No threats detected
Analysis date:
2022-12-01 17:58:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/78fde26b-f08d-4c78-abee-8bbd8cebe0a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/341254/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Сreating synchronization primitives
Sending a custom TCP request
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6388eb2b82d906eb418934aa/reports/59f0fcc2-dcd0-4c15-8d47-ef2f4ea22042/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/08c77f7a-7b4b-4045-b5c7-feeaabe5c4d5
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1125641
Signature
C2 URLs / IPs found in malware configuration
Multi AV Scanner detection for domain / URL
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c12e490c818469384c4317e24281d2233d561663a17a74ba79365b4c74f4d673/
Threat name:
Win32.Trojan.Vidar
Create hunting rule
Status:
Malicious
First seen:
2022-12-01 18:00:35 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yexesdebqrutqtcdc7refaosem6vmftduf5hjotzgznuy5hu2zzq._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1784 discovery spyware stealer
Link:
https://tria.ge/reports/221201-wj6kqsha21/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://t.me/headshotsonly
https://steamcommunity.com/profiles/76561199436777531
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/616c363d-0809-46b9-82c4-ca6286982021
Unpacked files
SH256 hash:
f2681513e323483bccd9fa278b46605cd3e7253fac31f2ab933e030a58f9526b
MD5 hash:
a8a7b20cb421e5a2a1c0a14a0727bfa2
SHA1 hash:
73573c34c6ed6dfb4e07852d32b25ca75b00748b
Link:
https://www.unpac.me/results/4af6ba18-a569-4c39-ae2d-cf21cb52e226/
SH256 hash:
c12e490c818469384c4317e24281d2233d561663a17a74ba79365b4c74f4d673
MD5 hash:
71842b9abd318f78fba2f8375acc6b68
SHA1 hash:
2b532c15adb523c20a96eefa4e2db001fcf34c95
Link:
https://www.unpac.me/results/4af6ba18-a569-4c39-ae2d-cf21cb52e226/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c12e490c8184/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c12e490c818469384c4317e24281d2233d561663a17a74ba79365b4c74f4d673

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

zip 2eabd0638c8ecdfc5c19c1523c72536c4697916e54236f55c2fe8197a850bd62

ArkeiStealer

Executable exe c12e490c818469384c4317e24281d2233d561663a17a74ba79365b4c74f4d673

(this sample)

zip ca5837c6b4cdde0e3ef9942ba308ca19e9b51439048bd0c2fcf5753e1403a517

  
Dropped by
SHA256 2eabd0638c8ecdfc5c19c1523c72536c4697916e54236f55c2fe8197a850bd62
  
Dropped by
SHA256 d75bd016762760fc822510a42542f89b3b87782e05f6f4d4c7e0d4c2cbc0bb20
  
Dropping
SHA256 ca5837c6b4cdde0e3ef9942ba308ca19e9b51439048bd0c2fcf5753e1403a517
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/341254/
  
Dropped by
MD5 c6468dd91c2fceeba8e0f2cd784739c3

Comments