MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2349196b611e963c2099768c35e7b9de02436e1bccfe1b49d8311c41cd1ef55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2349196b611e963c2099768c35e7b9de02436e1bccfe1b49d8311c41cd1ef55
SHA3-384 hash: ab5a163d45d6064f84250774156b21257f988cf013a3e1be5c8a70e00f7db28ebdc5449ed62dbfd7db277e23cfa94ade
SHA1 hash: e91e9169490b8cc0e74b7929dd0e8e66d28ef1ca
MD5 hash: ad302d8824a2e13a170604176ae1b571
humanhash: social-freddie-double-romeo
File name:ad302d8824a2e13a170604176ae1b571.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:402'432 bytes
First seen:2023-06-28 14:42:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e452f645761244958e067c651397e7c8 (1 x ArkeiStealer)
ssdeep 6144:boSslQizKDaL7Du9V7auzgNpdTSRwhZM3i+3U6DB1InEInXJR3:b8ltKDajuKuzKpNSR6+3dDB18nXJ
Threatray 9 similar samples on MalwareBazaar
TLSH T1ED84B00362F1BC61E5164A319E2ECAE4761FFAA08F1D776B22185EAF09B01F1D273750
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0003303428001901 (1 x ArkeiStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
293
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ad302d8824a2e13a170604176ae1b571.exe
Verdict:
Malicious activity
Analysis date:
2023-06-28 14:42:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/74ca5f04-7a1d-4914-b0cf-a839765dbf64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/403581/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.59306.18740.25513.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/649c46bee1b9083ea6db9dee/reports/bd37c72e-066c-4551-9463-290d292fe44c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d2349196b611e963c2099768c35e7b9de02436e1bccfe1b49d8311c41cd1ef55
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c700df8-0c9e-4831-bb5d-ceab9df73d05
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1262739
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2349196b611e963c2099768c35e7b9de02436e1bccfe1b49d8311c41cd1ef55/
Threat name:
Win32.Trojan.Gcleaner
Create hunting rule
Status:
Malicious
First seen:
2023-06-27 14:12:22 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
33 of 37 (89.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2i2jdfvwchuwhqqjs5umgxt3txqcinxbxth6dne5qmi4ihgr55kq._file
Verdict:
malicious
Similar samples:
4997b19ed2d5a3e06598efc01500219a1d858eb48d79b7c867842e73466ba376
ArkeiStealer
6b209f87abd2ba2ac812bce1ab1c9738b2ca93626bbd6cac56de7a6dcbaa49b7
ArkeiStealer
6fb30c4e262ddab6ff3891852c92f5cf640e130da29af9e1445f803ace1418eb
ArkeiStealer
87f58956937f84708706f515675d0b48125ace13ede701886e433cc8b336720d
ArkeiStealer
8bcef7f2318c046a3e75cd30dc002ebbf60d55c669a73e861c2bf1bb76dc9010
ArkeiStealer
c393f4266b3411f9de7951fe1a2deb8e7bd37387e6c6a5b814f822df7633b76e
ArkeiStealer
c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3
ArkeiStealer
cd621988496f0c54d5e56cc9d0f1fd944c82dcab5eb66b294e456b85a962aaad
ArkeiStealer
e356f807c297edf59ba7b0e1e0eb2a2186cc02246ad4bbe8d6fa42c7383b46c7
ArkeiStealer
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:12403f3562ffd49d3a3d2ce5d201f221 discovery spyware stealer
Link:
https://tria.ge/reports/230628-r21d8aaa42/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199520592470
https://t.me/motafan
Unpacked files
SH256 hash:
b207d230e4b63dba0a34d800407d89585a062c02c5c31286aa295f69043350c2
MD5 hash:
fc1ba0544b94b6e6f1188ac272048973
SHA1 hash:
dc2676ed2814ee4f1c353e9e9661f5db6f6c4330
Link:
https://www.unpac.me/results/30d87f03-1d63-4a75-8fb8-f8153f13caeb/
SH256 hash:
74be00ada04859fb74e9be352547c2b04630697a53bb1fb6feeaeb69b888e2ca
MD5 hash:
fb5a75ea2dce249f92ffb82ae9755097
SHA1 hash:
2b5feaeb189e2cf4344d240d6a5b4e5d1f83c706
Detections:
VidarStealer
Create hunting rule
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/30d87f03-1d63-4a75-8fb8-f8153f13caeb/
Parent samples :
4997b19ed2d5a3e06598efc01500219a1d858eb48d79b7c867842e73466ba376
d2349196b611e963c2099768c35e7b9de02436e1bccfe1b49d8311c41cd1ef55
SH256 hash:
b207d230e4b63dba0a34d800407d89585a062c02c5c31286aa295f69043350c2
MD5 hash:
fc1ba0544b94b6e6f1188ac272048973
SHA1 hash:
dc2676ed2814ee4f1c353e9e9661f5db6f6c4330
Link:
https://www.unpac.me/results/30d87f03-1d63-4a75-8fb8-f8153f13caeb/
SH256 hash:
74be00ada04859fb74e9be352547c2b04630697a53bb1fb6feeaeb69b888e2ca
MD5 hash:
fb5a75ea2dce249f92ffb82ae9755097
SHA1 hash:
2b5feaeb189e2cf4344d240d6a5b4e5d1f83c706
Detections:
VidarStealer
Create hunting rule
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/30d87f03-1d63-4a75-8fb8-f8153f13caeb/
Parent samples :
4997b19ed2d5a3e06598efc01500219a1d858eb48d79b7c867842e73466ba376
d2349196b611e963c2099768c35e7b9de02436e1bccfe1b49d8311c41cd1ef55
SH256 hash:
d2349196b611e963c2099768c35e7b9de02436e1bccfe1b49d8311c41cd1ef55
MD5 hash:
ad302d8824a2e13a170604176ae1b571
SHA1 hash:
e91e9169490b8cc0e74b7929dd0e8e66d28ef1ca
Link:
https://www.unpac.me/results/30d87f03-1d63-4a75-8fb8-f8153f13caeb/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d2349196b611/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2349196b611e963c2099768c35e7b9de02436e1bccfe1b49d8311c41cd1ef55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_vidar
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detection of Vidar Stealer and Variants via strings present in final unpacked payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe d2349196b611e963c2099768c35e7b9de02436e1bccfe1b49d8311c41cd1ef55

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2672124/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/403581/

Comments