MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d12d5083ce7afb1d81db8145482489404e6a02bb2c652ded4572b9ba4d9cd8e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	d12d5083ce7afb1d81db8145482489404e6a02bb2c652ded4572b9ba4d9cd8e1
SHA3-384 hash:	787be3502ac775c80efd7cab307031eef876b60900516decf3fe7589a7c97c41ee9bfa5366dc93e76ed86df62e9b3264
SHA1 hash:	ba3fce8fb344da7adc460bec02cd8ca21f580b88
MD5 hash:	72cb46fc068ae9873c76fd17efb4db7f
humanhash:	louisiana-eight-berlin-tennis
File name:	Setup.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	798'720 bytes
First seen:	2022-12-08 14:34:42 UTC
Last seen:	2022-12-08 16:30:39 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:HyGuO95zmcYnvUNIATq80Fpw+c1Kd5HT:HyMzfSvU1qPFpwBo
TLSH	T18C050228ABDC8543C6DE53B8E1D1406067F1EA4EBF87F7E7344C66E02E51396A80519F
TrID	40.9% (.EXE) Win64 Executable (generic) (10523/12/4) 19.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.0% (.EXE) Win16/32 Executable Delphi generic (2072/23) 8.0% (.ICL) Windows Icons Library (generic) (2059/9) 7.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	b271e8d49ccce871 (1 x ArkeiStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

192

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/344394/

Detection(s):

SecuriteInfo.com.Win64.PWSX-gen.7318.16946.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Reading critical registry keys

Creating a window

Running batch commands

Creating a process with a hidden window

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6391f6179a505ad9423e1c16/reports/579bccc8-31e0-4f9b-9ece-3711ec4ffb16/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c928d892-5806-4c9f-8c26-26e574498fd8

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1130821

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for sample

PE file contains section with special chars

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d12d5083ce7afb1d81db8145482489404e6a02bb2c652ded4572b9ba4d9cd8e1/

Threat name:

ByteCode-MSIL.Infostealer.Bandra

Status:

Malicious

First seen:

2022-12-08 14:35:08 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

12 of 26 (46.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ewvba6opl5r3ao3qfcuqjejibhguav3frss33kfok43utm43dqq._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1821 spyware stealer

Link:

https://tria.ge/reports/221208-rx1jesac64/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Vidar

Malware Config

C2 Extraction:

https://t.me/dishasta
https://steamcommunity.com/profiles/76561199441933804

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/afaf10f5-46b8-4df4-8416-4206f01c164c

Unpacked files

SH256 hash:

d12d5083ce7afb1d81db8145482489404e6a02bb2c652ded4572b9ba4d9cd8e1

MD5 hash:

72cb46fc068ae9873c76fd17efb4db7f

SHA1 hash:

ba3fce8fb344da7adc460bec02cd8ca21f580b88

Link:

https://www.unpac.me/results/bb1a56d3-02fa-4443-9679-5938997bd4bb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/d12d5083ce7afb1d81db8145482489404e6a02bb2c652ded4572b9ba4d9cd8e1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/344394/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample