MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de96e27483b81bec57e86f32954d7de623bb7a6c89aefa721c136fb60d148768. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de96e27483b81bec57e86f32954d7de623bb7a6c89aefa721c136fb60d148768
SHA3-384 hash: 15c96a34913281bc82557fb5192e6a2d4499aa4c1f56b66705aaf6398c7d692b794418d591f25c6a0bcc952f48abfd5b
SHA1 hash: 1f83e368c92ecbb9e5ebe6adb8bc5448d20db8e0
MD5 hash: a35da4b10269c87dfe1a5ff1493a16a5
humanhash: batman-october-carolina-cardinal
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:4'793'856 bytes
First seen:2022-11-20 11:20:02 UTC
Last seen:2022-11-21 13:04:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 407e3b5378b3b0b56c578f72b3227fa9 (5 x ArkeiStealer)
ssdeep 98304:UXiMHYMwgkPGdDCSxFBqVZk6BGcHxXZNXzbcrKKGpCd05zB8Dhuv9LPtr:UyczpkPmDCSxTSZGc7N4vK18FulLPR
Threatray 16'554 similar samples on MalwareBazaar
TLSH T13A2633E1B743A5D0C94258F73035A18A2C4998A9E3AA1BB9FCED763F0CDF0567C34664
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon dcf3d880882cb4cc (1 x ArkeiStealer)
Reporter andretavare5
Tags:ArkeiStealer exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_656460860?hash=OLQ8LWfmme0fPPhumEjFYvnwE9ZYbXYevZOBEwIxwGo&dl=G43DANZVGAYDSNY:1668942802:FyO0UxHZUL8LdfBHA2zdaZaX63kQY49h8F5rBdXwXpo&api=1&no_preview=1#CRYPTO_ALL

Intelligence

File Origin
# of uploads :
636
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-20 11:22:35 UTC
Tags:
stealer trojan vidar
Link:
https://app.any.run/tasks/ca3149f2-0dc3-4b1a-83be-fdaf8baa7a13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336376/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.16154.16025.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637a0d65903ba0eaf36cb0cc/reports/cf293a83-9b09-4fc7-9c3c-0a11baa8d539/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/18eca9b0-dcf9-4816-8477-f0052d1a021b
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1117555
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 750267 Sample: file.exe Startdate: 20/11/2022 Architecture: WINDOWS Score: 100 61 Multi AV Scanner detection for domain / URL 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for URL or domain 2->65 67 6 other signatures 2->67 8 file.exe 21 2->8         started        13 oobeldr.exe 2->13         started        process3 dnsIp4 43 t.me 149.154.167.99, 443, 49697 TELEGRAMRU United Kingdom 8->43 45 116.202.5.101, 49698, 80 HETZNER-ASDE Germany 8->45 47 cdn.discordapp.com 162.159.130.233, 443, 49699, 49702 CLOUDFLARENETUS United States 8->47 35 C:\Users\user\AppData\Local\...\Setup[1].exe, PE32 8->35 dropped 37 C:\ProgramData\59603573554648543776.exe, PE32 8->37 dropped 39 C:\ProgramData\10631165684829466673.exe, PE32 8->39 dropped 69 Detected unpacking (changes PE section rights) 8->69 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 8->71 73 Query firmware table information (likely to detect VMs) 8->73 81 6 other signatures 8->81 15 10631165684829466673.exe 1 8->15         started        19 59603573554648543776.exe 8->19         started        21 cmd.exe 1 8->21         started        75 Multi AV Scanner detection for dropped file 13->75 77 Tries to detect sandboxes and other dynamic analysis tools (window names) 13->77 79 Machine Learning detection for dropped file 13->79 23 schtasks.exe 1 13->23         started        file5 signatures6 process7 file8 41 C:\Users\user\AppData\Roaming\...\oobeldr.exe, PE32 15->41 dropped 49 Multi AV Scanner detection for dropped file 15->49 51 Query firmware table information (likely to detect VMs) 15->51 53 Machine Learning detection for dropped file 15->53 55 Uses schtasks.exe or at.exe to add and modify task schedules 15->55 25 schtasks.exe 1 15->25         started        57 Hides threads from debuggers 19->57 59 Tries to detect sandboxes / dynamic malware analysis system (registry check) 19->59 27 conhost.exe 21->27         started        29 timeout.exe 1 21->29         started        31 conhost.exe 23->31         started        signatures9 process10 process11 33 conhost.exe 25->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de96e27483b81bec57e86f32954d7de623bb7a6c89aefa721c136fb60d148768/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-20 11:21:24 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
9 of 25 (36.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=32loe5edxan6yv7in4zjktl54yr3w6tmrgxpu4q4cnx3mdiuq5ua._file
Verdict:
suspicious
Similar samples:
22d9733647f48990bbe74bd5236545bb2d77d2b85cf5fa671bdd5276ebe8f6c6
ArkeiStealer
2cf662a4d3efa315a348a9fbcaa3a8d4c1915f21d8f8841fc06b5f3c41ffc0c4
ArkeiStealer
3e9c629c225bf857fc3183cc5f17ae5816e04f20c7d9636d5d6adac849ed2279
ArkeiStealer
88f86b01cb6078c58fd2d5ab9f1beb7c24fa1e4b71e1ca558678d7718c418b66
ArkeiStealer
d3dd1a4eff9a3371d839a9cbdcd040edb03c5ac3140e142e6bf398905a9afad7
ArkeiStealer
e8075dd2f74391aabe1a85eeb7282620b5be0236d6d0a23e7474cf033dd1628a
ArkeiStealer
+ 16'544 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1679 discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/221120-nfenvaah68/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar
Malware Config
C2 Extraction:
https://t.me/deadftx
https://www.tiktok.com/@user6068972597711
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/aa804fe1-27f8-42dd-939e-5031636e7252
Unpacked files
SH256 hash:
0c3757108dd3122ce6a9326bdc858a29c015b7099b5450e2bb4b509d02b9eaf1
MD5 hash:
c8f7fdc90d75e295690c8c3828da5776
SHA1 hash:
cb186a250235a80af0d5cea2f2576c9aa8548bd2
Link:
https://www.unpac.me/results/3518a7f7-555e-4035-bffb-7c6e49e9d1c9/
SH256 hash:
de96e27483b81bec57e86f32954d7de623bb7a6c89aefa721c136fb60d148768
MD5 hash:
a35da4b10269c87dfe1a5ff1493a16a5
SHA1 hash:
1f83e368c92ecbb9e5ebe6adb8bc5448d20db8e0
Link:
https://www.unpac.me/results/3518a7f7-555e-4035-bffb-7c6e49e9d1c9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/de96e27483b8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/336376/

Comments