MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcc0540fe2bce6179ad316123fa95dbb338e74063f10197fcf5b61ddfafdafcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcc0540fe2bce6179ad316123fa95dbb338e74063f10197fcf5b61ddfafdafcd
SHA3-384 hash: 8987164cfafcb19f4fd51da4e243822574069cee753c746841711a1643593aaf8232402ca6567e51316dbb66dfe3aff6
SHA1 hash: 9143f69be3dcf05d127eeacf0c37c84f568addfb
MD5 hash: a1a9074fb991b4cf6946a27662de77d5
humanhash: uranus-eleven-massachusetts-fourteen
File name:SecuriteInfo.com.Generic.mg.a1a9074fb991b4cf.14053
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'153'024 bytes
First seen:2020-12-16 13:34:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f1273d98cad69240b4181684cf97269f (1 x ArkeiStealer)
ssdeep 24576:SKlf4kRJj0Hl8cvPG4Uio4y3pCRcnOKZTZz1CsUCZqHUDZkcin2NQ8kB47nPx0xN:N4g0Hl82PG4Jo4y3pCRcZZzzin2NQ8U1
Threatray 628 similar samples on MalwareBazaar
TLSH 3C355C3A9654595DC461DEFBA83077EDC30B1F3C25AFC0221ED0B3EB1E75AA18839916
Reporter SecuriteInfoCom
Tags:ArkeiStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Generic.mg.a1a9074fb991b4cf.14053
Verdict:
Malicious activity
Analysis date:
2020-12-16 13:38:18 UTC
Tags:
trojan stealer vidar loader evasion
Link:
https://app.any.run/tasks/1fc7a379-b5e6-49db-afba-c44ea37bd394

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Generic.mg.a1a9074fb991b4cf.14053.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/564270
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dcc0540fe2bce6179ad316123fa95dbb338e74063f10197fcf5b61ddfafdafcd/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2020-12-16 10:11:25 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3tafid7cxttbpgwtcyjd7kk5xmzy45agh4ibs76plnq536x5v7gq._file
Verdict:
malicious
Similar samples:
02520a277c94450cc2f969e332af38eb0558c403191842030a9690f49951ec11
ArkeiStealer
2c9538aaf6058783ac6e7c6676769ba3904a584b0bbc8c475852b11096c3c368
ArkeiStealer
6781df227455e026b2717f0e975492726959accd0f049d5357d4202984d9e447
ArkeiStealer
87bb815e33c316953aef8faf6d07c55b2d2faf13fa53b2a90fdc92c9bb35809e
ArkeiStealer
9617dc1938ef945ab37282b04d7d083412485c144dd60c96d68f508da8a1a7c1
ArkeiStealer
a8ca93adc4384dc66b6c8c6034ae5942d29d0aa5291f35d4b80189413d64f76c
ArkeiStealer
c0c4bd54064f87aaa939711a78f6ce26ee4860db2d12d5996ac83a96662a5c34
ArkeiStealer
c5fda98009d72d3b78ad7f051d7356d7328575fb8acbc3edd21bd908875db3b3
ArkeiStealer
ec855bf0f35b2f38db047587591d3963f2836dfb73c4894590df75378ed7ebfa
ArkeiStealer
f1a10725589836a8b8959f7ceb298f84b1e5a9736fe97f32a816028aaff55001
ArkeiStealer
+ 618 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery spyware stealer
Link:
https://tria.ge/reports/201216-y8ex28s33j/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
JavaScript code in executable
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Vidar
Unpacked files
SH256 hash:
dcc0540fe2bce6179ad316123fa95dbb338e74063f10197fcf5b61ddfafdafcd
MD5 hash:
a1a9074fb991b4cf6946a27662de77d5
SHA1 hash:
9143f69be3dcf05d127eeacf0c37c84f568addfb
Link:
https://www.unpac.me/results/a38de7ce-ef69-4913-8eeb-b8a1d35c8ac1/
SH256 hash:
3ed02dc427ace0d935b31f42c7407f4625e0f470833ce54428eac12aa5cebde8
MD5 hash:
3e23e5aab2ff7514d41898f92564e581
SHA1 hash:
eb779008ec74b1fbc746981fd6a045d4f910f46f
Detections:
win_vidar_g0
Create hunting rule
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/a38de7ce-ef69-4913-8eeb-b8a1d35c8ac1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dcc0540fe2bce6179ad316123fa95dbb338e74063f10197fcf5b61ddfafdafcd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cryptocoin_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_vidar_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe dcc0540fe2bce6179ad316123fa95dbb338e74063f10197fcf5b61ddfafdafcd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/922639/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/922660/

Comments