MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5b91fba7466b663294137d24edce9e9822d30b2e2f8c87c8799044221e36921. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5b91fba7466b663294137d24edce9e9822d30b2e2f8c87c8799044221e36921
SHA3-384 hash: 916f2ca0c064636cdf3dba25953c174bb657b30aa649bfa976fb519be382bf3a188283a6a7e184cfafe21d275efdeb9f
SHA1 hash: 3b8cc7bc56b64e8aefa8bdde5b1bb6bba4239b9a
MD5 hash: add4cb48c9cfc6e2247b6d1d3af6a7a1
humanhash: autumn-carbon-march-spring
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:549'488 bytes
First seen:2023-01-29 13:19:49 UTC
Last seen:2023-01-29 15:07:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:t2vlz5cq7hDadDL+8r12UNsgSqP0Z4FeyDfHpQTyZ7iVFg34fL3FPU:t25ckU5LxsGFRDpmy+Z8
Threatray 682 similar samples on MalwareBazaar
TLSH T11FC4A68BBB60CD45E09531B2C1DF0A22A3F153A71B73C156FE161AA28AC27851F57BC7
TrID 59.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.6% (.SCR) Windows screen saver (13097/50/3)
8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 8f55cc8ecc4d7933 (3 x RedLineStealer, 1 x ArkeiStealer)
Reporter andretavare5
Tags:ArkeiStealer exe signed

Code Signing Certificate

Organisation:Hangil IT Co., Ltd
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2021-11-10T00:00:00Z
Valid to:2024-11-09T23:59:59Z
Serial number: 0139dde119bb320dfb9f5defe3f71245
Intelligence: 17 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 23d13a8e48a6eff191a5d6a0635b99467c2e7242ae520479cae130fbd41cc645
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://cyberaya.com/NickhTyr84965232.exe

Intelligence

File Origin
# of uploads :
31
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-29 13:21:15 UTC
Tags:
opendir loader evasion trojan stealer vidar
Link:
https://app.any.run/tasks/77c8a255-c596-488a-b044-90fa4b7c68a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/357931/
Detection(s):
SecuriteInfo.com.Variant.Jatif.4776.27270.3295.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Creating a window
Launching a process
Creating a file
Sending a custom TCP request
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Forced shutdown of a system process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63d67286447edb203a01d6ba/reports/0d149de1-ba52-4573-9580-9e0dd7479552/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fcd01a6b-42ed-4d8b-9acb-e6da0893dbf9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1161030
Signature
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 793767 Sample: file.exe Startdate: 29/01/2023 Architecture: WINDOWS Score: 96 41 Multi AV Scanner detection for domain / URL 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Machine Learning detection for sample 2->47 8 file.exe 3 2->8         started        process3 file4 31 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 8->31 dropped 11 powershell.exe 17 8->11         started        process5 dnsIp6 35 45.93.201.114, 49700, 49711, 80 ASBAXETNRU Russian Federation 11->35 57 Hides threads from debuggers 11->57 15 aspnet_compiler.exe 3 11->15         started        19 conhost.exe 11->19         started        signatures7 process8 dnsIp9 37 cyberaya.com 15.235.145.82, 49704, 49705, 49706 HP-INTERNET-ASUS United States 15->37 39 blackhk1.beget.tech 5.101.153.227, 49701, 49702, 49703 BEGET-ASRU Russian Federation 15->39 27 C:\Users\user\AppData\...\9KLC2ADKFAL01A7.exe, PE32 15->27 dropped 29 C:\Users\user\AppData\...\4MH0I384BII7B89.exe, PE32+ 15->29 dropped 21 4MH0I384BII7B89.exe 25 15->21         started        25 9KLC2ADKFAL01A7.exe 2 15->25         started        file10 process11 dnsIp12 33 iplogger.org 148.251.234.83, 443, 49710 HETZNER-ASDE Germany 21->33 49 Antivirus detection for dropped file 21->49 51 Multi AV Scanner detection for dropped file 21->51 53 May check the online IP address of the machine 21->53 55 Machine Learning detection for dropped file 25->55 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d5b91fba7466b663294137d24edce9e9822d30b2e2f8c87c8799044221e36921/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-01-29 13:20:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2w4r7otum23ggkkbg7je5xhj5gbc2mfs4l4mq7ehteceeipdneqq._file
Verdict:
malicious
Similar samples:
122d3657eca3ae04fe7072488f6b1c1cde4225462792a5466729867437003e2d
ArkeiStealer
192896dbc7744f51c63044f4bf8a0fd260cc73ddcc84200161ce45b81c7e9e50
ArkeiStealer
39640aaf46028232858f4c0e42520aa38fe5f9864575b81adb9c6d30b87089a9
ArkeiStealer
4f4e3e3c855256df5e4de448afc3c08fe1635ee8a1200e0ea2818210506f0319
ArkeiStealer
77b7fa89c446b127b0c1d8ad0c5dc5fb57c8121dd3c40a67b77e5c0a35d75114
ArkeiStealer
8bcc9ea07aa49b1c774327cb2fffaea269806805538b40aa8b7d2a89b8cfbca8
ArkeiStealer
a9524141feab182697ee45965c0d91577eb32f4c9252160b1b50be3ed9b000e2
ArkeiStealer
b4a9350c9b97dd32fe445e00e8d9501279e5845351609c6cd715def5ca98e404
ArkeiStealer
d4444e8245f9dc5c2e49888bad1994ea74a20725128f4004abd46d27751783f4
ArkeiStealer
f60f2206408f200da52f4cb7f8535e12450e94fb0b96f513509b3ccc10fe9b2f
ArkeiStealer
+ 672 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:589 spyware stealer
Link:
https://tria.ge/reports/230129-qk384sgh48/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
.NET Reactor proctector
Vidar
Malware Config
C2 Extraction:
https://t.me/litlebey
https://steamcommunity.com/profiles/76561199472399815
Unpacked files
SH256 hash:
d5b91fba7466b663294137d24edce9e9822d30b2e2f8c87c8799044221e36921
MD5 hash:
add4cb48c9cfc6e2247b6d1d3af6a7a1
SHA1 hash:
3b8cc7bc56b64e8aefa8bdde5b1bb6bba4239b9a
Link:
https://www.unpac.me/results/57d039d1-326e-408e-922e-e96f0280993f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d5b91fba7466/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.12
Link:
https://yomi.yoroi.company/submissions/d5b91fba7466b663294137d24edce9e9822d30b2e2f8c87c8799044221e36921

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/357931/
  
URLhaus
https://urlhaus.abuse.ch/url/2521815/

Comments