MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0a8fcc939ff496d2a2e4c5ad862b297913d2fee8b7f0a89c01f4a0bdf40bb26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0a8fcc939ff496d2a2e4c5ad862b297913d2fee8b7f0a89c01f4a0bdf40bb26
SHA3-384 hash: 2ae2373a8ee6be92bd8d73bcb46bc23b478d48b87892dfc500fe70f71453e6208002f117bfdf47d6fbe9122534359c28
SHA1 hash: f5a4e9e899cdde1a13fafdc96b9526fa679da479
MD5 hash: 33c0ff96857b7c9a62ad797ea8b99e40
humanhash: pip-mississippi-bravo-nineteen
File name:33c0ff96857b7c9a62ad797ea8b99e40.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:462'336 bytes
First seen:2023-08-14 07:12:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9abb349fb2529ebfb2be5d3078c97f33 (1 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 12288:SbK/qcpcIc55AOnmxLb7fTrK09SnfXeMtIPd:Sgqc4CLb7fT3Sn/eMtIP
Threatray 15 similar samples on MalwareBazaar
TLSH T11AA4D013A681FC74EA5607319E2DC2F47A6DB1604E1A6B66321C2F2F19F31B1D67BE01
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 060604011a383000 (1 x ArkeiStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
33c0ff96857b7c9a62ad797ea8b99e40.exe
Verdict:
Malicious activity
Analysis date:
2023-08-14 07:16:02 UTC
Tags:
stealer vidar trojan arkei
Link:
https://app.any.run/tasks/0b8667cd-2d48-4332-9d5d-1bd0cb6f4e54

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442603/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed xpack
Link:
https://www.filescan.io/uploads/64d9d3fe2a1db2a88ace92ec/reports/3f3d6a0e-2a4b-49e1-ae5c-8029686a5d46/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d0a8fcc939ff496d2a2e4c5ad862b297913d2fee8b7f0a89c01f4a0bdf40bb26
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c511ab4e-d402-45ec-a4c4-298dabd6eabe
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290832
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0a8fcc939ff496d2a2e4c5ad862b297913d2fee8b7f0a89c01f4a0bdf40bb26/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-08-13 14:29:49 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2cupzsjz75ew2krojrnnqyvss6it2l7orn7qvcoad5faxx2axmta._file
Verdict:
malicious
Similar samples:
0f0edb7f25b876773ac2318600e0a493edcb6ea3a0235a9b0a3141ff6247c4f9
ArkeiStealer
190799d08ea8f5f3ff77f68c1fc6d2d231b3412c46407b9fa72bd485132de1c8
ArkeiStealer
38936812027f8a25f120857b93a85fdf3561059c0e36b96e7b3b326d98037ca2
ArkeiStealer
ada3f1fca37b6aa5a1b851c10e9d35fb9fd7d757c6e6bcccba173e933ef30837
ArkeiStealer
bd5aff6936d77e3deae4e45195b44ec5d4e7ba4f2a9dfe68ee7d6f7be2cfd97a
ArkeiStealer
c65843189ff4683d957d94ad74b7a455a96736a51d66716182208c45bdb08c55
ArkeiStealer
e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
ArkeiStealer
f155342f5bb62210ca274f42d22e4345fd8ca58a1c4c05d06e1ff86b8888a8cb
ArkeiStealer
+ 5 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:d2840cabd9794f85353e1fae1cd95a0b spyware stealer
Link:
https://tria.ge/reports/230814-h1kgyaad57/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://t.me/tatlimark
https://steamcommunity.com/profiles/76561199536605936
Unpacked files
SH256 hash:
8ed82e6684d58b08b6e2516915556dfa26998767467a9b12619252afc6728a53
MD5 hash:
34af8501c6609aeebdb08ebdbce1462b
SHA1 hash:
8d57cb5e22ddb14894cb84ebcf3d9033cee3ea19
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/09f9a057-71d8-4721-82b3-b44de7dca800/
Parent samples :
f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0
d0a8fcc939ff496d2a2e4c5ad862b297913d2fee8b7f0a89c01f4a0bdf40bb26
e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SH256 hash:
d0a8fcc939ff496d2a2e4c5ad862b297913d2fee8b7f0a89c01f4a0bdf40bb26
MD5 hash:
33c0ff96857b7c9a62ad797ea8b99e40
SHA1 hash:
f5a4e9e899cdde1a13fafdc96b9526fa679da479
Link:
https://www.unpac.me/results/09f9a057-71d8-4721-82b3-b44de7dca800/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d0a8fcc939ff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe d0a8fcc939ff496d2a2e4c5ad862b297913d2fee8b7f0a89c01f4a0bdf40bb26

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2635570/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/442603/

Comments