MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c37ab7fc4b65b54fcb9c3c6493a94ae57e32b6a9fe2c6b61f835e7c5aed744dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c37ab7fc4b65b54fcb9c3c6493a94ae57e32b6a9fe2c6b61f835e7c5aed744dc
SHA3-384 hash: 4bfee72d04f11d9d4e30938a6e8b82319e3dcb154d6139cf6ac1e3fd2c02ca98ed359c0814ea21af6cb62f3caa80e339
SHA1 hash: d2f59f783b1126df4b3c1d5f70ad7b173685a02f
MD5 hash: 879bdb1fc2d0cbb8f7882345063f045c
humanhash: chicken-nevada-minnesota-autumn
File name:c37ab7fc4b65b54fcb9c3c6493a94ae57e32b6a9fe2c6b61f835e7c5aed744dc
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'521'720 bytes
First seen:2022-05-20 06:54:06 UTC
Last seen:2022-05-20 07:59:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 06a834e3824803366fcfecb5c9777295 (3 x RedLineStealer, 3 x ArkeiStealer, 1 x Gozi)
ssdeep 24576:so57xHGcyUjVjRL8J5t/GuktBed1tz3mmFBYd1xVbQLz2AI+kxceipwT:soL1yWVBq/+Bed1kmgfxxQeg1eipwT
TLSH T1E4651211A360C1F4F4AB16BC9D6692D11C2EB49097A946CF3E4006FF5BA93E8ECB1717
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d8fcfcdcf4ecccdc (1 x ArkeiStealer)
Reporter JAMESWT_WT
Tags:ArkeiStealer exe exxon-com signed

Code Signing Certificate

Organisation:exxon.com
Issuer:GeoTrust RSA CA 2018
Algorithm:sha256WithRSAEncryption
Valid from:2021-12-30T00:00:00Z
Valid to:2022-09-02T23:59:59Z
Serial number: 0a2787fbb4627c91611573e323584113
Intelligence: 18 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 77d48e3f85563f91977cd976c46a79e68d171bccb65f10a82ad6a1e4eeba3b0b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c37ab7fc4b65b54fcb9c3c6493a94ae57e32b6a9fe2c6b61f835e7c5aed744dc
Verdict:
Malicious activity
Analysis date:
2022-05-20 07:06:39 UTC
Tags:
trojan stealer
Link:
https://app.any.run/tasks/483a4a2e-c729-4f3b-9d81-cf0c23602e9d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/272870/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39661264.8475.15451.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Сreating synchronization primitives
Creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19129/overview
Behaviour
MalwareBazaar
CallSleep
SystemUptime
MeasuringTime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/62873b53206e08161834745c/reports/63c9d72f-76bc-41d7-82fb-01b82c88c781/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99af34fb-4faf-40e4-a5a5-19a1625aa85b
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/998308
Signature
Allocates memory in foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 630804 Sample: mMZDQDz2Xr Startdate: 20/05/2022 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 4 other signatures 2->42 8 mMZDQDz2Xr.exe 2->8         started        process3 signatures4 44 Writes to foreign memory regions 8->44 46 Allocates memory in foreign processes 8->46 48 Injects a PE file into a foreign processes 8->48 11 InstallUtil.exe 147 8->11         started        process5 dnsIp6 32 95.217.244.73, 49794, 80 HETZNER-ASDE Germany 11->32 34 t.me 149.154.167.99, 443, 49793 TELEGRAMRU United Kingdom 11->34 24 C:\ProgramData\vcruntime140.dll, PE32 11->24 dropped 26 C:\ProgramData\softokn3.dll, PE32 11->26 dropped 28 C:\ProgramData\nss3.dll, PE32 11->28 dropped 30 3 other files (none is malicious) 11->30 dropped 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->50 52 Tries to steal Mail credentials (via file / registry access) 11->52 54 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 11->54 56 2 other signatures 11->56 16 cmd.exe 1 11->16         started        file7 signatures8 process9 process10 18 taskkill.exe 1 16->18         started        20 conhost.exe 16->20         started        22 timeout.exe 1 16->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c37ab7fc4b65b54fcb9c3c6493a94ae57e32b6a9fe2c6b61f835e7c5aed744dc/
Threat name:
Win32.Infostealer.Bandra
Create hunting rule
Status:
Malicious
First seen:
2022-05-17 00:40:32 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yn5lp7clmw2u7s44hrsjhkkk4v7dfnvj7ywgwypygxt4llwxitoa._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1326 spyware stealer suricata
Link:
https://tria.ge/reports/220520-hpsdeaefg2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Vidar Stealer
Vidar
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
Malware Config
C2 Extraction:
https://t.me/netflixaccsfree
https://mastodon.social/@ronxik12
Unpacked files
SH256 hash:
0192efec5c79f88ab48f88d1eefa8bb63f70e1a030ec311f8fc208c561d13ccf
MD5 hash:
a533186826ad3869af8f88c9e5306384
SHA1 hash:
c9ce88a9d599eac53624362ef0856aa3dc6fb416
Link:
https://www.unpac.me/results/49e74dd8-5a96-4fb0-9b26-87d7c0eb82ab/
SH256 hash:
c37ab7fc4b65b54fcb9c3c6493a94ae57e32b6a9fe2c6b61f835e7c5aed744dc
MD5 hash:
879bdb1fc2d0cbb8f7882345063f045c
SHA1 hash:
d2f59f783b1126df4b3c1d5f70ad7b173685a02f
Link:
https://www.unpac.me/results/49e74dd8-5a96-4fb0-9b26-87d7c0eb82ab/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c37ab7fc4b65/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c37ab7fc4b65b54fcb9c3c6493a94ae57e32b6a9fe2c6b61f835e7c5aed744dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/272870/

Comments