MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdb8a35b197e7f1a6133e029ee861c525d915ffb60cef5af1ec52ee9628686b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdb8a35b197e7f1a6133e029ee861c525d915ffb60cef5af1ec52ee9628686b8
SHA3-384 hash: 2f5a8a5752853e29e92fac440a3519ce45e734a65134d6a3885fbdbbad62ac895ae543e4e8393f2427624ad86cd89820
SHA1 hash: a7bdc73e107fe067e852eb70548b5508418ee5b6
MD5 hash: 6b2715b3c6ce4879c41ea44a261bbdd0
humanhash: mobile-rugby-nineteen-single
File name:6b2715b3c6ce4879c41ea44a261bbdd0
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'674'321 bytes
First seen:2021-06-10 23:13:10 UTC
Last seen:2021-06-10 23:45:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 011a034751880c1944da3b5ecc18520d (8 x RedLineStealer, 4 x CryptBot, 3 x ArkeiStealer)
ssdeep 24576:y9btxEOMPVJ1BppR9q4aObWX5KK/p/mEncYT5ZllnoD+OgD0Idg/CNG6/HRP:yNNMNrBpZTNaJ/p/VncYT5Htoix0agw
TLSH BC75234673D1C17AF5F319740847A3B119B5AA30075D8AEB2BC04F1B6A307DADEB62C9
Reporter zbetcheckin
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6b2715b3c6ce4879c41ea44a261bbdd0
Verdict:
No threats detected
Analysis date:
2021-06-10 23:14:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0a09d239-ce2a-4f4f-a26f-75ef0ba84f06

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165977/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
DNS request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Sending a UDP request
Creating a file
Replacing files
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/800562
Signature
Contains functionality to register a low level keyboard hook
Deletes itself after installation
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Copying Sensitive Files with Credential Data
Submitted sample is a known malware sample
Uses nslookup.exe to query domains
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 432958 Sample: FZTyH785xh Startdate: 11/06/2021 Architecture: WINDOWS Score: 100 59 bandakere.tumblr.com 2->59 75 Multi AV Scanner detection for submitted file 2->75 77 Yara detected Vidar stealer 2->77 79 Machine Learning detection for sample 2->79 81 Sigma detected: Copying Sensitive Files with Credential Data 2->81 12 FZTyH785xh.exe 7 2->12         started        15 EAvqxQkjJG.exe.com 2->15         started        signatures3 process4 signatures5 87 Contains functionality to register a low level keyboard hook 12->87 17 cmd.exe 1 12->17         started        89 Drops PE files with a suspicious file extension 15->89 20 EAvqxQkjJG.exe.com 5 15->20         started        process6 dnsIp7 67 Submitted sample is a known malware sample 17->67 69 Obfuscated command line found 17->69 71 Uses ping.exe to sleep 17->71 73 Uses ping.exe to check the status of other devices and networks 17->73 24 cmd.exe 3 17->24         started        27 conhost.exe 17->27         started        63 jhGStadDFeXWZzqBmhvvvUESkDWy.jhGStadDFeXWZzqBmhvvvUESkDWy 20->63 53 C:\Windows\SysWOW64\...AvqxQkjJG.exe.com, PE32 20->53 dropped 29 schtasks.exe 1 20->29         started        file8 signatures9 process10 signatures11 83 Obfuscated command line found 24->83 85 Uses ping.exe to sleep 24->85 31 Distinte.exe.com 24->31         started        34 PING.EXE 1 24->34         started        37 findstr.exe 1 24->37         started        40 conhost.exe 29->40         started        process12 dnsIp13 99 Drops PE files with a suspicious file extension 31->99 101 Uses schtasks.exe or at.exe to add and modify task schedules 31->101 103 Uses nslookup.exe to query domains 31->103 42 Distinte.exe.com 5 31->42         started        61 127.0.0.1 unknown unknown 34->61 55 C:\Users\user\AppData\...\Distinte.exe.com, Targa 37->55 dropped file14 signatures15 process16 dnsIp17 65 jhGStadDFeXWZzqBmhvvvUESkDWy.jhGStadDFeXWZzqBmhvvvUESkDWy 42->65 57 C:\Users\user\AppData\...AvqxQkjJG.exe.com, PE32 42->57 dropped 91 Uses nslookup.exe to query domains 42->91 93 Deletes itself after installation 42->93 95 Writes to foreign memory regions 42->95 97 Injects a PE file into a foreign processes 42->97 47 schtasks.exe 1 42->47         started        49 nslookup.exe 12 42->49         started        file18 signatures19 process20 process21 51 conhost.exe 47->51         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdb8a35b197e7f1a6133e029ee861c525d915ffb60cef5af1ec52ee9628686b8/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-06-10 20:05:24 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
12 of 46 (26.09%)
Threat level:
  5/5
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar spyware stealer
Link:
https://tria.ge/reports/210610-kpv2p6tzsj/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Vidar
Unpacked files
SH256 hash:
3bbecd76ebc02a11e92887a59b420b9fb5bb7cadd35c73c67cb19a50320048b5
MD5 hash:
2b1b4e03fa1ce498e2ebe0899bd362e3
SHA1 hash:
6a4e5db17d0402bbf4568648b43e3dbf3c130a66
Link:
https://www.unpac.me/results/f1f1828d-9752-428e-8556-1ff4ef17a4ad/
SH256 hash:
cdb8a35b197e7f1a6133e029ee861c525d915ffb60cef5af1ec52ee9628686b8
MD5 hash:
6b2715b3c6ce4879c41ea44a261bbdd0
SHA1 hash:
a7bdc73e107fe067e852eb70548b5508418ee5b6
Link:
https://www.unpac.me/results/f1f1828d-9752-428e-8556-1ff4ef17a4ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cdb8a35b197e7f1a6133e029ee861c525d915ffb60cef5af1ec52ee9628686b8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe cdb8a35b197e7f1a6133e029ee861c525d915ffb60cef5af1ec52ee9628686b8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1351527/
Cape
Cape
https://www.capesandbox.com/analysis/165977/

Comments