MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf2a9a23fe444cf73084e201311e785dea3d6dbfd2fa77027ab8895995d47700. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	cf2a9a23fe444cf73084e201311e785dea3d6dbfd2fa77027ab8895995d47700
SHA3-384 hash:	0bc3d2a0b78e88f628bc91e8d8bccfe7e634446df57c97c5889f1f1c1aa75a5e34c0ca78d602b9488d35a208ce1e7bd0
SHA1 hash:	7a1f8008bd8b4097eb74fbff4948f8ab58ac4655
MD5 hash:	2ffde889be6fa3c1e4f2f6a218cf8a1e
humanhash:	high-high-hamper-ceiling
File name:	cf2a9a23fe444cf73084e201311e785dea3d6dbfd2fa77027ab8895995d47700
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	1'934'336 bytes
First seen:	2022-06-10 07:45:40 UTC
Last seen:	2022-06-10 08:49:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	79b3362178937bf9559741c46bb9e035 (18 x LaplasClipper, 9 x RaccoonStealer, 8 x ArkeiStealer)
ssdeep	49152:ctx3kC2aGu7ua8gh0ghxjC2uutJnVUJzM:H/uKy0gPdnmt
Threatray	17'299 similar samples on MalwareBazaar
TLSH	T1FD95334AD20D63A9CC3193B9C5A38D624719FCA762591217376CBF40DEB7B036E43AC8
TrID	52.9% (.EXE) Win32 Executable (generic) (4505/5/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	d8d09090ccdacaec (2 x ArkeiStealer)
Reporter	crep1x
Tags:	ArkeiStealer exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

410

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cf2a9a23fe444cf73084e201311e785dea3d6dbfd2fa77027ab8895995d47700

Verdict:

Malicious activity

Analysis date:

2022-06-10 08:09:29 UTC

Tags:

trojan stealer

Link:

https://app.any.run/tasks/1e275f26-58d4-4cbc-8923-b9f23f2448ae

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/278590/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.17990.6703.20218.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for analyzing tools

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Creating a window

Sending a custom TCP request

Stealing user critical data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62a2f70f55f7892290318a0f/reports/ee0e0a65-b1b6-42ac-ac8f-e7cfef48e441/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/385ee28a-ef45-425d-abb0-28d8f699df40

Result

Threat name:

Vidar

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1010648

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cf2a9a23fe444cf73084e201311e785dea3d6dbfd2fa77027ab8895995d47700/

Threat name:

Win32.Trojan.Tiggre

Status:

Malicious

First seen:

2022-06-06 00:37:25 UTC

File Type:

PE (Exe)

Extracted files:

212

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z4vjui76irgpomee4iatchtylxvd23n72l5hoat2xcevtfouo4aa._file

Verdict:

malicious

ArkeiStealer

18f5a7d7fa2e52091504106547fc9c1e2d540ff70d75544c550765599c65be1b

ArkeiStealer

5972343370247c01cd49e0fda028bdece0507c15ec3773311ed41688da9b9e30

ArkeiStealer

82a108c44defd4e43bf5bdee2bbadbf7f62870683557276b698d15845267c722

ArkeiStealer

84737380889c0a048ca05cb8176457f85666beccc750c262d30c64441ffee857

ArkeiStealer

89ec309c384717284199d66d01669738ce37d9fb445a8f7f2259dfd6ca888f5d

ArkeiStealer

bc8a0dfae21c3a5319851f57837b294ea9aaae1d54a1be188169ac00b67db738

ArkeiStealer

e6cea0eb49c9b461c624ded82d794e9353499644a47f7975a6ab030a9f8123b8

ArkeiStealer

ffc1b9735633836ed935e403d56dd31a464f39c0814e22cb19bb3af6cd54b270

ArkeiStealer

+ 17'289 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar discovery evasion spyware stealer suricata trojan

Link:

https://tria.ge/reports/220610-jlzhzsghbj/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Loads dropped DLL

Reads local data of messenger clients

Reads user/profile data of web browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

Vidar

suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

Unpacked files

SH256 hash:

94b620d95355ba3daa8b3823805bcbcf1a91ea3c6e956b70088671eb0ec90e4c

MD5 hash:

c5132634968e4b2f60b6c278827bf7cd

SHA1 hash:

007b9f476923cd0f441139492ffa1c7abb5ef1d6

Link:

https://www.unpac.me/results/ff143232-a537-40db-bca6-16dea00b3dd7/

SH256 hash:

cf2a9a23fe444cf73084e201311e785dea3d6dbfd2fa77027ab8895995d47700

MD5 hash:

2ffde889be6fa3c1e4f2f6a218cf8a1e

SHA1 hash:

7a1f8008bd8b4097eb74fbff4948f8ab58ac4655

Link:

https://www.unpac.me/results/ff143232-a537-40db-bca6-16dea00b3dd7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cf2a9a23fe444cf73084e201311e785dea3d6dbfd2fa77027ab8895995d47700

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/278590/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample