MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cafafc019f410ecf18ae5f44a816e77e790e90a4720e5801b051113c0caa37bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cafafc019f410ecf18ae5f44a816e77e790e90a4720e5801b051113c0caa37bb
SHA3-384 hash: aae21440eb40ef59d14e6b0a15e59ab92520776b7d280cdc979d608acf3a794d660d6f33c0a81b280b8a5b201e93f6bd
SHA1 hash: c9979a8615456cb649a0effea5f962955209ba2b
MD5 hash: f51ea0bf84ed5e1ffd4e44508e572990
humanhash: spring-mike-iowa-undress
File name:SecuriteInfo.com.Variant.Razy.666259.23910.2558
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:3'185'664 bytes
First seen:2020-05-07 12:01:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9d6b988ee2ff900bb46f7b1ad8162182 (3 x ArkeiStealer)
ssdeep 49152:vQnQbtEHZ1sKw85LQxYESVA+b/Njw+sunuwP1nj3ZdTLsjbTJNhCcXH6F0:oQq51OWLLVv/xewdZlLITRCcKF
Threatray 1'027 similar samples on MalwareBazaar
TLSH B7E533023952B466CBD5F9F7726AA9D88198CE4DA1D3567BE739B39C9DB4007CC0302E
Reporter SecuriteInfoCom
Tags:ArkeiStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Razy.666259.23910.2558.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Occamy
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 06:22:05 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
33ffacc3e517f4f1dad47f1ca28d26188e202d5e2e300e1e71bc0a57e682292a
ArkeiStealer
389875d4c35ff8da276f122cb6b4ebd1b1d65ce5da5c05defefaf40c2609dbaf
ArkeiStealer
433811102726bc15416ca338a2df55ec1daaf3f2565ee00d7f6484064746fb30
ArkeiStealer
610ef8befe605dd4ba3277c221c25932ffd6e1b939728da70ebd0d1b96fddaa4
ArkeiStealer
7c2bcbc90aad473e93b52051f11b1c1d8f3d9436b7d95b49e1ca4c7c835b0115
ArkeiStealer
9b2ad325e0cda26d0cd3769bea307050581d5c38d40d1281ff7e6b56420369cd
ArkeiStealer
b56f704d8baea24179931e0f4efe389e4fb6175c7fb83c49d31aac5ab1e00a03
ArkeiStealer
d6ba040d10d1fb8e0f6a8b1d5378be566f6d3816bf1a00fb3e0bb6eed29346b2
ArkeiStealer
daac1aafd4f0f7b1e1e0112e913285543d73179216bc42cdf67036dae67955f0
ArkeiStealer
e9e9a0314ec1302997e3382807436f43a70e0dc2c165aafa6b5b8f3856d04d0d
ArkeiStealer
+ 1'017 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/201109-ydsgthzk42/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_vidar_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe cafafc019f410ecf18ae5f44a816e77e790e90a4720e5801b051113c0caa37bb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/359361/
  
Delivery method
Distributed via web download

Comments