MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddde937fc1cac25ab3c8e7b91b4f074f8eadf1d39ca93c88be816441ee58ff41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ddde937fc1cac25ab3c8e7b91b4f074f8eadf1d39ca93c88be816441ee58ff41
SHA3-384 hash: 735c0d74e0b6cf0df7b501f93c57120c23b23fc50f5d3d16467208df9f9d536c27a6b8e32708ad45c3b48bc0fb653e1b
SHA1 hash: 8b9c7909fb006c4ad3c12fab71eb04892ec61896
MD5 hash: b28d42046580408265054e460886c110
humanhash: london-echo-magnesium-batman
File name:b28d42046580408265054e460886c110
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:665'088 bytes
First seen:2021-08-10 18:06:05 UTC
Last seen:2021-08-10 19:01:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e3cf60b4d5be6f57956398dd6440990e (3 x Glupteba, 2 x DanaBot, 2 x Smoke Loader)
ssdeep 12288:cSgVVChs3tbgvLcFSXVqaGfnJStFnVkCxXN5Bj4OKRr3yPc/:kbcs3n9fnYR1xXzfKZM
Threatray 2'003 similar samples on MalwareBazaar
TLSH T148E4E130BB90C035E5F711F845B693BC6A2D7AB0973490CB52E21AFA57346E8AD31787
dhash icon 71f09cbcbc98c0e1 (1 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b28d42046580408265054e460886c110
Verdict:
Suspicious activity
Analysis date:
2021-08-10 18:07:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/28562765-973d-428a-98d3-74fd153c5ded

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/178045/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.21190.22539.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Replacing files
Reading critical registry keys
Sending a UDP request
Delayed writing of the file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Stealing user critical data
Launching a tool to kill processes
Forced shutdown of a browser
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e887070e-e545-49fc-ab83-28d2f692153d
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/830444
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ddde937fc1cac25ab3c8e7b91b4f074f8eadf1d39ca93c88be816441ee58ff41/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 18:06:06 UTC
AV detection:
11 of 27 (40.74%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
09abe799d30cdceab1600a1421583b1d7a5d3a9b14fb89e7dfa8d4ca4e5c85ac
ArkeiStealer
42409087896ad827ca16b713215988bed28560c5fe0c929f7c30294854b5bfc2
ArkeiStealer
53379b36716f384e530dae9ec883c459d0c12f0260116614a0482ded7d9b5ba9
ArkeiStealer
88c98c6871442d02b5f26dc7625926c1dcd4de88a7d31bc53786f6182204c902
ArkeiStealer
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
ArkeiStealer
926d7ec0b89588104045819ed00a8a950999d3b981c2260c69577b4877bb2594
ArkeiStealer
cab3e6e2c9a366a7e2276c6f224c8788d3ae7c03d217ac01bd43b1d7cc1b3758
ArkeiStealer
d7d0e1f49e7c3f5301cf8d8c4ea18340e7e9c29737c3fa65489c5c508df1c55d
ArkeiStealer
ff0ded61b02aa7c3a68eab0e7306e12b06093aefcdf4232b82738455d13a1d4a
ArkeiStealer
+ 1'993 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:828 discovery spyware stealer suricata
Link:
https://tria.ge/reports/210810-tqn4dsa9na/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Vidar
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
https://lenak513.tumblr.com/
Unpacked files
SH256 hash:
fee887fef18291467f2dc9ed36d1607f5f213163aa8c57bcd8360d38b778bbe3
MD5 hash:
d3ca6bea0e45dbee4a4ba59e72da4b5f
SHA1 hash:
23b6a8d1b1d2b92703ffc92a7a840e7e9e836823
Link:
https://www.unpac.me/results/39d6f183-efe5-4d72-a3eb-f796bfbfd280/
SH256 hash:
ddde937fc1cac25ab3c8e7b91b4f074f8eadf1d39ca93c88be816441ee58ff41
MD5 hash:
b28d42046580408265054e460886c110
SHA1 hash:
8b9c7909fb006c4ad3c12fab71eb04892ec61896
Link:
https://www.unpac.me/results/39d6f183-efe5-4d72-a3eb-f796bfbfd280/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ddde937fc1ca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ddde937fc1cac25ab3c8e7b91b4f074f8eadf1d39ca93c88be816441ee58ff41

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe ddde937fc1cac25ab3c8e7b91b4f074f8eadf1d39ca93c88be816441ee58ff41

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1522225/
Cape
Cape
https://www.capesandbox.com/analysis/178045/

Comments


Avatar
zbet commented on 2021-08-10 18:06:06 UTC

url : hxxp://147.124.222.75/vidik.exe