MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d97f78a38e32043654572cc3a775c339f9b19a746238b9fef2c5815915d312f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d97f78a38e32043654572cc3a775c339f9b19a746238b9fef2c5815915d312f7
SHA3-384 hash: b6054c3efcc46dc3888404088877bfc0c12acdd6d41f84e6b85f8d18695a174265beab973ae99eca960715f56d7e7ade
SHA1 hash: 1ee6edd9b6a93b14894db7da37684c68fa077bc1
MD5 hash: a04f84cdac141d1e399db028541c2f3c
humanhash: whiskey-shade-robin-social
File name:d97f78a38e32043654572cc3a775c339f9b19a746238b9fef2c5815915d312f7
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:948'736 bytes
First seen:2022-11-08 14:04:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:yyCZqM7LxUXL3ZZ7AM13IOD2OtL55RX8fYm4Dfz+DbUNgx58J:ZwqMuTVGOJVhsfYZDi/UNgH8
TLSH T16A152351A7D6C833D6B81BF10CF213531A3DBDA26D94936A2390A8162CB39C8F57177B
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 848868e87224848c (2 x ArkeiStealer)
Reporter adrian__luca
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d97f78a38e32043654572cc3a775c339f9b19a746238b9fef2c5815915d312f7
Verdict:
Malicious activity
Analysis date:
2022-11-08 14:04:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d22166d4-092f-4566-b651-6d3a5e6db21e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/330570/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.62696407.20145.260.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
DNS request
Launching the process to create tasks for the scheduler
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/50099/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack.dll anti-vm packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/636a620e1b78baadf87fab57/reports/7c66c1ff-1085-4374-96a9-326a02cdc8d2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ee9d29dd-af25-4bea-9708-c38e1b33c7d9
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1108723
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d97f78a38e32043654572cc3a775c339f9b19a746238b9fef2c5815915d312f7/
Threat name:
Win32.Spyware.Vidar
Create hunting rule
Status:
Suspicious
First seen:
2022-10-27 02:13:24 UTC
AV detection:
17 of 26 (65.38%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3f7xri4ogicdmvcxftb2o5odhh43dgtumi4lt7xsywavsfotcl3q._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1014 persistence stealer
Link:
https://tria.ge/reports/221108-rdta1abbd4/
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Vidar
Malware Config
C2 Extraction:
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
b3d61426be52e5513709e6dc4101dcc7b2e976682badf130ec192a928e9cefa6
MD5 hash:
1b7086634219eff28f21c814a485e821
SHA1 hash:
6ce9831b469f8263e8f073b09dc7f03f54b71bc1
Link:
https://www.unpac.me/results/e884ab6d-1092-4063-8a4e-f6da1af6bf72/
SH256 hash:
d97f78a38e32043654572cc3a775c339f9b19a746238b9fef2c5815915d312f7
MD5 hash:
a04f84cdac141d1e399db028541c2f3c
SHA1 hash:
1ee6edd9b6a93b14894db7da37684c68fa077bc1
Link:
https://www.unpac.me/results/e884ab6d-1092-4063-8a4e-f6da1af6bf72/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/330570/

Comments