MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e065676a6d3fd822fed9b2a99771a1355035f63873142fa3999cb69659a984d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 16 File information Comments

SHA256 hash:	e065676a6d3fd822fed9b2a99771a1355035f63873142fa3999cb69659a984d8
SHA3-384 hash:	f59421ee35a0484d386fbbbd261d5347d39f014c209a92dc5930137349c11d0bba934c18310985dc2d9725725ba0f871
SHA1 hash:	f7cf48ece7fc4ebd6b39c5f8165e19b9372ede2c
MD5 hash:	7392975f3a93ad57583d78bc32d2c053
humanhash:	cardinal-foxtrot-equal-michigan
File name:	indicat.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	3'158'528 bytes
First seen:	2023-10-03 08:27:00 UTC
Last seen:	2023-10-03 09:36:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	49152:cQ6skBCD29kd4cTv3sVRjQHkti3z+X4aZTX3s9K5TtHxsve3J:cQhy46RU2K7alXoK5TtHxF
Threatray	7 similar samples on MalwareBazaar
TLSH	T178E5073CDA259B23A275E13BD089550BF9A11587F1399F0E15CB4B896A0B6433FC9F8C
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	f0387464289acaf9 (1 x ArkeiStealer)
Reporter	r3dbU7z
Tags:	ArkeiStealer exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

326

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.26319.17317.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %temp% directory

Launching a process

Creating a file

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin packed regasm

Link:

https://www.filescan.io/uploads/651bd057426c8727d6e932be/reports/d02c7ba8-4578-4f4b-9a29-3da5642e7300/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/e065676a6d3fd822fed9b2a99771a1355035f63873142fa3999cb69659a984d8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Arkei Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dd96a941-350b-43ba-a4d5-6303abb75a40

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1318539

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e065676a6d3fd822fed9b2a99771a1355035f63873142fa3999cb69659a984d8/

Threat name:

Win32.Spyware.Vidar

Status:

Malicious

First seen:

2023-10-02 18:29:53 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 34 (44.12%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4bswo2tnh7mcf7wzwkuzo4nbgvidl5ryomkc7i4zts3jmwnjqtma._file

Verdict:

malicious

ArkeiStealer

8059343dd1bd2043009e81a54115ea921ebe7467c35ac05c43e6acd013eec085

ArkeiStealer

886342b2453f5e52cc908b181da9ddfd3d47ba2b63e85a8e00a23253c1d51192

ArkeiStealer

8a323c15d9371a15cedf914b75c2887a399d7372e0a0ed7107cec899b41472ee

ArkeiStealer

a45b0a2c9b50d058ed9b1fac56eca9d3fc92cf6a16b37d96a3284e127e7313ee

ArkeiStealer

ac0db3f8c382fc37ba05bc45a8f5751853b9a37e445f1e7dbef4a0ad65a3ab7b

ArkeiStealer

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:0045e8577d0df745e80e2964a6672412 discovery spyware stealer

Link:

https://tria.ge/reports/231003-kcemwshd8w/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199557479327
https://t.me/grizmons

Unpacked files

SH256 hash:

35b6d32da08cffc802ac135d6686fb0b818042f7a569514d6dfa2761501c61a6

MD5 hash:

38f885320c5a4a4525089bd7a4e75bad

SHA1 hash:

cc8adbea4e009a0c3f5b1c1696797167435e8c5c

Detections:

VidarStealer

Link:

https://www.unpac.me/results/caf2dc79-6cf0-4822-a787-cd0aaaae60fd/

Parent samples :

e065676a6d3fd822fed9b2a99771a1355035f63873142fa3999cb69659a984d8
3b51460702df54688fa2aff8d0b63eb5c254ef4c9bae60a77b3e3e52dc4d4272

SH256 hash:

182f57d8c89fee4667fbb3420a9877b8198c4b9d0867660172c13dd9044f6f64

MD5 hash:

626b2239011878b0d6b779006bd66a91

SHA1 hash:

c79ecfe4c27d42c9d8f88a0be738790c56143d7d

Link:

https://www.unpac.me/results/caf2dc79-6cf0-4822-a787-cd0aaaae60fd/

SH256 hash:

6a26df7ee49de6fec6c5de1f3f7a94075d2dfbc50922e3b30fd8111f2e734f33

MD5 hash:

f45c1512d5a47375e6e396b4d1111e58

SHA1 hash:

8af036b8c60d10e85cf82212930bb04bc0553f36

Link:

https://www.unpac.me/results/caf2dc79-6cf0-4822-a787-cd0aaaae60fd/

SH256 hash:

dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

MD5 hash:

544cd51a596619b78e9b54b70088307d

SHA1 hash:

4769ddd2dbc1dc44b758964ed0bd231b85880b65

Link:

https://www.unpac.me/results/caf2dc79-6cf0-4822-a787-cd0aaaae60fd/

SH256 hash:

e065676a6d3fd822fed9b2a99771a1355035f63873142fa3999cb69659a984d8

MD5 hash:

7392975f3a93ad57583d78bc32d2c053

SHA1 hash:

f7cf48ece7fc4ebd6b39c5f8165e19b9372ede2c

Link:

https://www.unpac.me/results/caf2dc79-6cf0-4822-a787-cd0aaaae60fd/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_EXE_Packed_DotNetReactor Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with unregistered version of .NET Reactor

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Links Create hunting rule

Rule name:	Vidar Create hunting rule
Author:	kevoreilly,rony
Description:	Vidar Payload

Rule name:	win_vidar_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe e065676a6d3fd822fed9b2a99771a1355035f63873142fa3999cb69659a984d8

(this sample)

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample