MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c65843189ff4683d957d94ad74b7a455a96736a51d66716182208c45bdb08c55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 17 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c65843189ff4683d957d94ad74b7a455a96736a51d66716182208c45bdb08c55
SHA3-384 hash: 21cdda9d3e39776166f008d79a9b0706ce541b5d41e7777df64eaa4eb87f40c33cf7f26a22579ea6b4973ee7778e8640
SHA1 hash: 676859d7a9d8b6a44e0fcd1384284aeb0a37f1a9
MD5 hash: 5c3d28d428bb30d59eb8ff498540a5d8
humanhash: xray-twenty-early-salami
File name:5c3d28d428bb30d59eb8ff498540a5d8
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:549'888 bytes
First seen:2023-08-08 02:12:45 UTC
Last seen:2023-08-25 17:29:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 035152f08fc01104c539a9694e78d939 (1 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 12288:o+Gj+NagcanPVUynnIe26AL560FgkMKqWST1XH/KtBY:otjzjanP2+o0BpDRKf
Threatray 4 similar samples on MalwareBazaar
TLSH T14FC4B00B89994D9BDBEEA5FB2C5CB6953D93F4241740411E7CD814EE8B6086B3D2EC32
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
434
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
5c3d28d428bb30d59eb8ff498540a5d8
Verdict:
Malicious activity
Analysis date:
2023-08-08 02:13:30 UTC
Tags:
stealer arkei vidar
Link:
https://app.any.run/tasks/45d60321-5dc7-41fd-b1a7-edb8dbe79f0c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/441158/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.14285.31930.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Searching for the window
Stealing user critical data
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/64d1a4b0daa9db5053400f11/reports/14035636-00b9-458e-af7b-c7bd4a1eb253/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/c65843189ff4683d957d94ad74b7a455a96736a51d66716182208c45bdb08c55
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
WeeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/79078596-4465-4f98-9300-b066a8efe511
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1287385
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c65843189ff4683d957d94ad74b7a455a96736a51d66716182208c45bdb08c55/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-08-07 19:12:17 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yzmegge76rud3fl5sswxjn5ekwuwonvfdvthcymcecgelpnqrrkq._file
Verdict:
malicious
Similar samples:
8506490bd404c8b37462c5c04db5dc14fdc425dcb66fe4d6d2f3b669de115eb3
ArkeiStealer
bd5aff6936d77e3deae4e45195b44ec5d4e7ba4f2a9dfe68ee7d6f7be2cfd97a
ArkeiStealer
d6a373eb8f771884afc984fba23ff81b034146282f9285e5beaf5eb31d886366
ArkeiStealer
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:47fbb7be9dc835e157f564d072327190 spyware stealer
Link:
https://tria.ge/reports/230808-cnes2abf9w/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://t.me/tatlimark
https://steamcommunity.com/profiles/76561199536605936
Unpacked files
SH256 hash:
8f3bd205b1c6ee675b1ca1c75702d859e62d33789ba0e7d26daa5fed94eff0c8
MD5 hash:
a3a3b5f38391be2a3b8b402474de7eb1
SHA1 hash:
66afb8c77a1819f71fe788cc1f3acb2148bc3f3d
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/7a07222b-8e02-475c-ac39-d44aefc32ec3/
SH256 hash:
c65843189ff4683d957d94ad74b7a455a96736a51d66716182208c45bdb08c55
MD5 hash:
5c3d28d428bb30d59eb8ff498540a5d8
SHA1 hash:
676859d7a9d8b6a44e0fcd1384284aeb0a37f1a9
Link:
https://www.unpac.me/results/7a07222b-8e02-475c-ac39-d44aefc32ec3/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c65843189ff4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c65843189ff4683d957d94ad74b7a455a96736a51d66716182208c45bdb08c55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe c65843189ff4683d957d94ad74b7a455a96736a51d66716182208c45bdb08c55

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/441158/
  
URLhaus
https://urlhaus.abuse.ch/url/2701874/

Comments


Avatar
zbet commented on 2023-08-08 02:12:46 UTC

url : hxxp://193.233.255.9/lend/Alligator_Gamers.exe