MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7190c8a68ed71ef349252ad40cf83c1f31af5868215b938ee84de5696143399. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7190c8a68ed71ef349252ad40cf83c1f31af5868215b938ee84de5696143399
SHA3-384 hash: 71171a8dcf69a41a992cfea9674ef8dd98d50f68e502093d0a5d952229dbfdbede774571f680d7fb5e16bf5820005f9f
SHA1 hash: 084cbe85a81cabad1e1f1e622e20daf2ac40d2cb
MD5 hash: fa5b72c92c1796cc9b9cd2241c9c73dd
humanhash: india-mountain-mirror-skylark
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:5'040'128 bytes
First seen:2022-11-07 15:24:11 UTC
Last seen:2022-11-08 12:27:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 914c2821c519473dbe537abb87276f02 (1 x ArkeiStealer)
ssdeep 98304:F+VdHr2qXCenpNYiNnofQknM4madHnBEeIY+DvZRZWtFS:AVprjDpbnoNnDm6HBEeqBRAq
Threatray 16'057 similar samples on MalwareBazaar
TLSH T13C363362B340E9D2D49E10365C1B93A81621F916DE45729F338D377F7FB23A7290BA84
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 90210e16b6ae06c9 (1 x ArkeiStealer)
Reporter andretavare5
Tags:ArkeiStealer exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_655575180?hash=ytzFAlRMxeb3RUD92SOkc4XN6GIJguITZvpdKpMinyX&dl=G43DANZVGAYDSNY:1667833622:KbEzCy3i1zVruVzK6fnI5ZAb5AlHnr7y8p7MwV4mV3P&api=1&no_preview=1#CRYPTO_ALL

Intelligence

File Origin
# of uploads :
548
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-07 15:26:33 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/e0a15b2e-c6d6-4da1-8dfa-0969ac096dfa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/330022/
Detection(s):
SecuriteInfo.com.HEUR.Trojan-PSW.Win32.Convagent.gen.11048.6935.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/636923507da1a723acc6a19a/reports/f0d7a4d0-fd75-4509-a3cd-f3d81c2af655/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fcf35a2c-0b8a-46b5-96a4-32836742bbc5
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1107382
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7190c8a68ed71ef349252ad40cf83c1f31af5868215b938ee84de5696143399/
Threat name:
Win32.Infostealer.Convagent
Create hunting rule
Status:
Malicious
First seen:
2022-11-07 15:25:29 UTC
File Type:
PE (Exe)
Extracted files:
222
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=44mqzcti5vy66neskkwubt4dyhzrv5mgqik3sohoqtpfnfqugomq._file
Verdict:
unknown
Similar samples:
1a12d9c9ac19873abafa62c6d37eb8c31495a0818e8aa99987b41126cd31cd02
ArkeiStealer
22d9733647f48990bbe74bd5236545bb2d77d2b85cf5fa671bdd5276ebe8f6c6
ArkeiStealer
2cf662a4d3efa315a348a9fbcaa3a8d4c1915f21d8f8841fc06b5f3c41ffc0c4
ArkeiStealer
6ed5e19aac6c1cf5f1d2cd08f1db7fec2f1455fc79a9ddaa7cc45a8ce43a9fbe
ArkeiStealer
8fbf0b841a18807b33e676c7224f11b4e6aa7725aa410ae66a9dbcea614009a9
ArkeiStealer
b9c544f7eef189e45cd0cb1cf50d9d1e163ce810c2b57d111eaf8cd417be24f7
ArkeiStealer
d3dd1a4eff9a3371d839a9cbdcd040edb03c5ac3140e142e6bf398905a9afad7
ArkeiStealer
e8075dd2f74391aabe1a85eeb7282620b5be0236d6d0a23e7474cf033dd1628a
ArkeiStealer
+ 16'047 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1795 discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/221107-stl3asfhdn/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar
Malware Config
C2 Extraction:
https://t.me/tg_turgay
https://ioc.exchange/@xiteb15011
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/57ff54de-e271-4c64-a207-eb69a5cf47c6
Unpacked files
SH256 hash:
41abf8961e8a333e238fc67403c2eb021c955843e0fb6a93393ffaa9b862f401
MD5 hash:
2bf6c64b2bca36fb949747a5a561767d
SHA1 hash:
00ff49dbf41c24971a0d5cb6f7d0dcd58392a67d
Link:
https://www.unpac.me/results/c625645d-c850-4740-9d0f-3f92a5ef23e4/
SH256 hash:
e7190c8a68ed71ef349252ad40cf83c1f31af5868215b938ee84de5696143399
MD5 hash:
fa5b72c92c1796cc9b9cd2241c9c73dd
SHA1 hash:
084cbe85a81cabad1e1f1e622e20daf2ac40d2cb
Link:
https://www.unpac.me/results/c625645d-c850-4740-9d0f-3f92a5ef23e4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e7190c8a68ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/e7190c8a68ed71ef349252ad40cf83c1f31af5868215b938ee84de5696143399

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/330022/

Comments