MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e45dbe7cb55c15faa395640121286cb2d61bb3655e9da26f9ea3d1d2f2c47880. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	e45dbe7cb55c15faa395640121286cb2d61bb3655e9da26f9ea3d1d2f2c47880
SHA3-384 hash:	4cca623496b3b09b725b69df4a44eb55e04d74654f4808f802dc8402d236c9065fdba415395598a9cf9d8cbf3913450d
SHA1 hash:	8b1d8de5ccff3328afe1cf9784e81163bc89b3c5
MD5 hash:	cca944b8e306af7f9d0ab0cff13bf3a7
humanhash:	louisiana-mars-beryllium-virginia
File name:	Setup.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	7'527'936 bytes
First seen:	2022-11-06 10:50:50 UTC
Last seen:	2022-11-06 13:03:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	343cbab479dddc5c6910a51ff69ec962 (1 x ArkeiStealer)
ssdeep	196608:DsAIJgne0xMOEkC14KqFaitT9AMeptlkYdi+dO2o:DAJgnpjEtqFlpAMMqYIM
TLSH	T16D7623A373551088E4FDCC359437BEE0F2F11A3E9AC198B974A5FAC115374E4EA26A43
TrID	29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 22.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4505/5/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	d044651919191b14 (1 x ArkeiStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

abuse_ch

ArkeiStealer C2:
http://95.217.27.240/

Intelligence

File Origin

# of uploads :

# of downloads :

229

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

Setup.exe

Verdict:

Malicious activity

Analysis date:

2022-11-06 10:50:59 UTC

Tags:

trojan stealer vidar

Link:

https://app.any.run/tasks/18baa074-1a30-4c39-af3e-58db023abf95

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/329412/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.15654.17993.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Running batch commands

Creating a process with a hidden window

Launching a process

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/49226/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63679197d998c15a09ab315d/reports/5812e101-93c3-4786-8c2d-0ff38c32a5fe/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/111a2046-e49a-48c6-a298-0c23022e4d95

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1106558

Signature

Antivirus detection for URL or domain

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Self deletion via cmd or bat file

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e45dbe7cb55c15faa395640121286cb2d61bb3655e9da26f9ea3d1d2f2c47880/

Threat name:

Win32.Infostealer.Bandra

Status:

Malicious

First seen:

2022-11-06 10:51:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4ro347fvlqk7vi4vmqasckdmwllbxm3fl2o2e346upi5f4wepcaa._file

Verdict:

unknown

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1707 discovery spyware stealer

Link:

https://tria.ge/reports/221106-mxtcwsgcd9/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Vidar

Malware Config

C2 Extraction:

https://t.me/tg_turgay
https://ioc.exchange/@xiteb15011

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2120d9cc-80e6-4317-8e9a-9083633c5018

Unpacked files

SH256 hash:

f44ff6da6f6c4fc66873504b0120d0e68eaab47b823eac0f7ec1bdf4b18db238

MD5 hash:

a2f7d18cd651cff2ef9ea26a56bd8fd4

SHA1 hash:

e070c65c4ada9a2ae443537b1c9eb31197feb0b1

Link:

https://www.unpac.me/results/028c0619-0d9e-4913-a00f-339890200ea8/

SH256 hash:

e45dbe7cb55c15faa395640121286cb2d61bb3655e9da26f9ea3d1d2f2c47880

MD5 hash:

cca944b8e306af7f9d0ab0cff13bf3a7

SHA1 hash:

8b1d8de5ccff3328afe1cf9784e81163bc89b3c5

Link:

https://www.unpac.me/results/028c0619-0d9e-4913-a00f-339890200ea8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e45dbe7cb55c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e45dbe7cb55c15faa395640121286cb2d61bb3655e9da26f9ea3d1d2f2c47880

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/329412/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample