MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA3-384 hash: 5f2a7c37d16d510d1ffed67150ea534547ad45cdb0a63b4f1dca32a3ac87e9cd356f9b26926d93ef736c72a3b44554df
SHA1 hash: 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
MD5 hash: 360b64a7fa47c27453a19c9aec6929aa
humanhash: arkansas-fifteen-double-nevada
File name:360b64a7fa47c27453a19c9aec6929aa.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:462'336 bytes
First seen:2023-08-14 07:12:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fa3a729082b031ebea88917ef22244c7 (1 x Fabookie, 1 x Rhadamanthys, 1 x ArkeiStealer)
ssdeep 6144:nzLPOiJrg8eH+gBxReyKLofUO7Uq1Ayn6BvhSI+HIVMpOjCh6UbWc4WT+bj:nzdloSyKLoV7BzghcoKpZhXbPOj
Threatray 14 similar samples on MalwareBazaar
TLSH T179A4D0139291FC71F91646318D2EC6E87A6EF5604E596B6733182E2F18F31A2D27BF01
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0202061458501000 (1 x ArkeiStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
360b64a7fa47c27453a19c9aec6929aa.exe
Verdict:
Malicious activity
Analysis date:
2023-08-14 07:15:32 UTC
Tags:
stealer vidar trojan arkei
Link:
https://app.any.run/tasks/2972fba7-5fc2-471c-a6e6-9d96947c4367

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442604/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Gathering data
Verdict:
Malicious
Labled as:
Mikey.Generic
Link:
https://www.hybrid-analysis.com/sample/e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8637b649-b375-4d5a-b35c-eeb16def6c4f
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290839
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-13 13:27:08 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4bddwxkqxqkdcpghptjsdcjxrdtiwj2by7nydi4rqn7xs7cxasqq._file
Verdict:
malicious
Similar samples:
0f0edb7f25b876773ac2318600e0a493edcb6ea3a0235a9b0a3141ff6247c4f9
ArkeiStealer
190799d08ea8f5f3ff77f68c1fc6d2d231b3412c46407b9fa72bd485132de1c8
ArkeiStealer
292eb66bea876dfd5f031078192803e5861ad908d975ba3cb1d86b925616f758
ArkeiStealer
38936812027f8a25f120857b93a85fdf3561059c0e36b96e7b3b326d98037ca2
ArkeiStealer
bd5aff6936d77e3deae4e45195b44ec5d4e7ba4f2a9dfe68ee7d6f7be2cfd97a
ArkeiStealer
c65843189ff4683d957d94ad74b7a455a96736a51d66716182208c45bdb08c55
ArkeiStealer
f155342f5bb62210ca274f42d22e4345fd8ca58a1c4c05d06e1ff86b8888a8cb
ArkeiStealer
+ 4 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:d2840cabd9794f85353e1fae1cd95a0b spyware stealer
Link:
https://tria.ge/reports/230814-h13nhsce2x/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://t.me/tatlimark
https://steamcommunity.com/profiles/76561199536605936
Unpacked files
SH256 hash:
8ed82e6684d58b08b6e2516915556dfa26998767467a9b12619252afc6728a53
MD5 hash:
34af8501c6609aeebdb08ebdbce1462b
SHA1 hash:
8d57cb5e22ddb14894cb84ebcf3d9033cee3ea19
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/75d159f5-391e-4b76-90a4-d802e6a7953f/
Parent samples :
f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0
d0a8fcc939ff496d2a2e4c5ad862b297913d2fee8b7f0a89c01f4a0bdf40bb26
e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SH256 hash:
e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
MD5 hash:
360b64a7fa47c27453a19c9aec6929aa
SHA1 hash:
5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
Link:
https://www.unpac.me/results/75d159f5-391e-4b76-90a4-d802e6a7953f/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e0463b5d50bc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2635570/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/442604/

Comments