MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da271da1daacb415125be5ab9eacc9fdf9738776c83fc512c146e467d5930ded. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 1 File information Comments

SHA256 hash:	da271da1daacb415125be5ab9eacc9fdf9738776c83fc512c146e467d5930ded
SHA3-384 hash:	db03d44f44224fb69c0ffeab78239001ff077e58001fe79b1c47663558af10d7d9b934c7850113fc61ad3626d1435024
SHA1 hash:	53c048cbe8dc93405bde9cb4851735d016bbeeb8
MD5 hash:	b54f00eccda7ff1849e8f3451f77043c
humanhash:	music-alabama-hawaii-ohio
File name:	library_1
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	912'384 bytes
First seen:	2022-10-24 08:33:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a4b378a292400abd4e511d28d655f978 (2 x RedLineStealer, 1 x ArkeiStealer)
ssdeep	24576:lzJLPuiAjzw4RQ9rWmHnopfaw0K/cRgOnmq9g6GVWbHqs:Li9g4RCyvswncOU7m6gWbKs
TLSH	T15515335B241FB1CCE0863A73BD2BFF6256113491A8C9E4947F982B5FD8BC948BDE4540
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.5% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	JAMESWT_WT
Tags:	ArkeiStealer exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://195.201.252.190/	https://threatfox.abuse.ch/ioc/891306/

Intelligence

File Origin

# of uploads :

# of downloads :

210

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

ficker

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-10-22 21:46:52 UTC

Tags:

installer loader evasion trojan ficker stealer vidar opendir

Link:

https://app.any.run/tasks/9182e430-d28a-4c86-be76-b619959a7b6d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/323310/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Launching a process

Creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d6120125-fcb8-40ca-ada9-45a93997558d

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1096327

Signature

C2 URLs / IPs found in malware configuration

DLL side loading technique detected

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/da271da1daacb415125be5ab9eacc9fdf9738776c83fc512c146e467d5930ded/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2022-10-21 07:24:58 UTC

File Type:

PE (Exe)

AV detection:

30 of 41 (73.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3itr3io2vs2bkes34wvz5lgj7x4xhb3wza74kewbi3sgpvmtbxwq._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1707 spyware stealer

Link:

https://tria.ge/reports/221024-kgf2hsfec3/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Uses the VBS compiler for execution

Vidar

Malware Config

C2 Extraction:

https://t.me/tg_privatetalk
https://nerdculture.de/@yixehi33

Unpacked files

SH256 hash:

9fc40d20b1d3b760bf641274511dcf1c22a9e5f183608400ec3d49bca04f7f7e

MD5 hash:

1dd374d4b75dad3baafb07073236e1fd

SHA1 hash:

11d9909a145bca8ed3cabe251bc0fc8def4297f9

Link:

https://www.unpac.me/results/0cd09f64-bcf5-44ca-95c9-bce58793cb5d/

SH256 hash:

8e731ff2579d7ade5919bd6de8f18f7460f070647009d11398e428a580a2a2a8

MD5 hash:

7b33412bff125ee6fc3693b0cef5e7cf

SHA1 hash:

d86ae6e0cfaa75809c723d6b53c6606bd547263d

Link:

https://www.unpac.me/results/0cd09f64-bcf5-44ca-95c9-bce58793cb5d/

SH256 hash:

da271da1daacb415125be5ab9eacc9fdf9738776c83fc512c146e467d5930ded

MD5 hash:

b54f00eccda7ff1849e8f3451f77043c

SHA1 hash:

53c048cbe8dc93405bde9cb4851735d016bbeeb8

Link:

https://www.unpac.me/results/0cd09f64-bcf5-44ca-95c9-bce58793cb5d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/da271da1daac/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/da271da1daacb415125be5ab9eacc9fdf9738776c83fc512c146e467d5930ded

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Vidar Create hunting rule
Author:	kevoreilly,rony
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/323310/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample