MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c66a4935069beb02e41e97bbba95116bb91179bfed968d5e9e8117d5c64a4be7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c66a4935069beb02e41e97bbba95116bb91179bfed968d5e9e8117d5c64a4be7
SHA3-384 hash: c9272897eb413f0bad33996a70d4f5ec0985a0365c506ce3303cf8ba81bf40c11cf810b7b13e80b187e3b2e40eff6b45
SHA1 hash: e929e8c2941ff4ee66be525073cf1821b035b331
MD5 hash: 80cd05176fdc80da9c13417247092404
humanhash: one-march-single-yellow
File name:80CD05176FDC80DA9C13417247092404.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'653'248 bytes
First seen:2021-03-22 15:41:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:Q/5v6gTKeMsRRbuLNXI3BbVs4X5N5cd5j:y5igGJ2bWNXIxbVsUgj
TLSH D975F15AFA8AA1B1F4FFF77082E1487DE89DF39271284304D1A4FF158B150EE65205BA
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://juhjuh.com/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://juhjuh.com/ https://threatfox.abuse.ch/ioc/4395/

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
80CD05176FDC80DA9C13417247092404.exe
Verdict:
Malicious activity
Analysis date:
2021-03-22 15:43:03 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/f64cd8f2-0a35-4051-9712-2851f64a40ea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/125980/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.25009.23758.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
DNS request
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Deleting a recently created file
Sending a UDP request
Sending a custom TCP request
Creating a file
Connection attempt
Sending an HTTP GET request
Replacing files
Reading critical registry keys
Delayed writing of the file
Using the Windows Management Instrumentation requests
Searching for the window
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Launching a tool to kill processes
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4bc723b8-7d42-4f31-9eac-784a4788da44
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/648065
Signature
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 372995 Sample: DTxUmCCF0n.exe Startdate: 22/03/2021 Architecture: WINDOWS Score: 100 87 Found malware configuration 2->87 89 Antivirus / Scanner detection for submitted sample 2->89 91 Multi AV Scanner detection for submitted file 2->91 93 4 other signatures 2->93 10 DTxUmCCF0n.exe 1 6 2->10         started        12 rundll32.exe 2->12         started        process3 process4 14 cmd.exe 1 10->14         started        16 cmd.exe 1 10->16         started        signatures5 19 cmd.exe 3 14->19         started        22 conhost.exe 14->22         started        71 Submitted sample is a known malware sample 16->71 73 Obfuscated command line found 16->73 75 Uses ping.exe to sleep 16->75 77 Uses ping.exe to check the status of other devices and networks 16->77 24 cmd.exe 1 16->24         started        26 conhost.exe 16->26         started        process6 signatures7 95 Obfuscated command line found 19->95 97 Uses ping.exe to sleep 19->97 28 Ora.exe.com 19->28         started        30 PING.EXE 1 19->30         started        33 findstr.exe 1 19->33         started        36 taskkill.exe 1 24->36         started        38 conhost.exe 24->38         started        40 timeout.exe 1 24->40         started        process8 dnsIp9 42 Ora.exe.com 28->42         started        65 127.0.0.1 unknown unknown 30->65 51 C:\Users\user\AppData\Local\...\Ora.exe.com, Targa 33->51 dropped file10 process11 dnsIp12 61 192.168.2.1 unknown unknown 42->61 63 iAoTLoCcZtQIypvhEAniDwhpek.iAoTLoCcZtQIypvhEAniDwhpek 42->63 99 Injects a PE file into a foreign processes 42->99 46 Ora.exe.com 88 42->46         started        signatures13 process14 dnsIp15 67 juhjuh.com 157.90.224.148, 49731, 80 REDIRISRedIRISAutonomousSystemES United States 46->67 69 api.faceit.com 104.17.63.50, 443, 49730 CLOUDFLARENETUS United States 46->69 53 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 46->53 dropped 55 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 46->55 dropped 57 C:\Users\user\AppData\...\softokn3[1].dll, PE32 46->57 dropped 59 9 other files (none is malicious) 46->59 dropped 79 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 46->79 81 Tries to steal Instant Messenger accounts or passwords 46->81 83 Tries to steal Mail credentials (via file access) 46->83 85 3 other signatures 46->85 file16 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c66a4935069beb02e41e97bbba95116bb91179bfed968d5e9e8117d5c64a4be7/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-03-21 03:52:00 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yzvesnigtpvqfza6s653vfirno4rc6n75wli2xu6qel5lrskjptq._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery persistence spyware stealer
Link:
https://tria.ge/reports/210322-3hvzt8mwfx/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Executes dropped EXE
Vidar
Unpacked files
SH256 hash:
cff66f4033bf7a296600fa5efa83183ce7386601cd370575d95a0887c9013d12
MD5 hash:
3054a23f6731a53b91feedc2c73b4bd7
SHA1 hash:
4c993c0a70acce982ef99e3756c785a61583ed23
Link:
https://www.unpac.me/results/5da285ac-72dc-4c16-b6e9-e17b9161e789/
SH256 hash:
c66a4935069beb02e41e97bbba95116bb91179bfed968d5e9e8117d5c64a4be7
MD5 hash:
80cd05176fdc80da9c13417247092404
SHA1 hash:
e929e8c2941ff4ee66be525073cf1821b035b331
Link:
https://www.unpac.me/results/5da285ac-72dc-4c16-b6e9-e17b9161e789/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c66a4935069beb02e41e97bbba95116bb91179bfed968d5e9e8117d5c64a4be7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/125980/

Comments