MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8ce6cee6554f2699605da7a59abe4ff81d96c5f2e4066e2314ddac92363fdd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer
Vendor detections: 12


SHA256 hash: e8ce6cee6554f2699605da7a59abe4ff81d96c5f2e4066e2314ddac92363fdd3
SHA3-384 hash: 1de9daf002a7baf74853ff8283e8353c73a977d56b663b2de8ccb3cb21ffbecb9b5eda47de612fa06f5f1fd281fc26bc
SHA1 hash: 77f6bf5d39ef4025c59deb8cf419358745ef83a7
MD5 hash: f9c2e5090004f7443c29151429788a78
humanhash: autumn-ten-maine-alabama
File name: file
Signature: ArkeiStealer
File size: 1'917'136 bytes
First seen: 2023-01-25 21:08:51 UTC
Last seen: 2023-01-27 19:56:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0c97ddc9d63b0f26cfbe7178cd8dbee0 (1 x ArkeiStealer, 1 x RustyStealer, 1 x RecordBreaker)
ssdeep: 49152:URcCv54VSke0577PvNfkoYBNVRWn2ixGdqjOJrx:URcC+Skf7PNyNVMnDx8qgV
Threatray: 2'592 similar samples on MalwareBazaar
TLSH: T1F69591706670BF54FF6ACA30CB2351F9BA98A4930D557EAF9845CB2BF9F01C34092199
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: f0cca4cccce8d4cc (1 x ArkeiStealer)
Reporter: andretavare5
Tags: ArkeiStealer exe signed

Code Signing Certificate

Organisation: scu.org
Issuer: DigiCert SHA2 Extended Validation Server CA
Algorithm: sha256WithRSAEncryption
Valid from: 2022-08-08T00:00:00Z
Valid to: 2023-09-08T23:59:59Z
Serial number: 0a56dd6061943ff4f98611c43fa42174
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 7282c1115a19c42724b93a03d679508339fef85cca5a4354834d9ddf7d27ace1
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


andretavare5
Sample downloaded from https://vk.com/doc139074685_654958626?hash=umzVpTspdCN4aGQi2BPk9WkJxyEPk8WYhd0UxZoe8Cc&dl=GEZTSMBXGQ3DQNI:1674660099:PIJomL6nPGda7MBCBhLZOaEMg10mWlseTTU8OtW2d8D&api=1&no_preview=1#us8

Intelligence


File Origin
# of uploads: 77
# of downloads: 220
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-01-25 21:10:11 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Creating a file in the %AppData% directory
Deleting a recently created file
DNS request
Launching a process
Creating a file in the %temp% directory
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Detecting VM
Searching for synchronization primitives
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: greyware overlay packed shell32.dll
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RHADAMANTHYS, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 791813, Sample: file.exe, Startdate: 25/01/2023, Architecture: WINDOWS, Score: 100
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 10 other signatures
Process tree (dropped files, network contacts and signatures per process, as recovered from the graph):
- file.exe
    DNS: uoq7keyinvmb4zjgegitou3cnd.xgisc8qk4v5iztgoj5vh6mqu
    Dropped: C:\Users\user\AppData\Local\...\4417656.dll (PE32)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    - fontview.exe
        Network: 109.206.243.168 (ports 49715, 49733, 49735; AWMLTNL, Germany)
        Dropped: C:\Users\user\AppData\...\nsis_uns4406ac.dll (PE32+)
        Signatures: Query firmware table information (likely to detect VMs); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 3 other signatures
        - rundll32.exe
            Signatures: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); 4 other signatures
            - dllhost.exe
                Network: transfer.sh 144.76.136.153 (ports 443, 49734; HETZNER-ASDE, Germany)
                Dropped: C:\Users\user\AppData\Local\...\Library.exe (PE32+)
                Signatures: System process connects to network (likely due to code injection or exploit)
                - Library.exe
                    Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Encrypted powershell cmdline option found
                    - powershell.exe
                        - conhost.exe
            - WerFault.exe
        - BackgroundTransferHost.exe
    - ngentask.exe
        Network: t.me 149.154.167.99 (ports 443, 49691; TELEGRAMRU, United Kingdom); 95.217.16.127 (ports 49692, 80; HETZNER-ASDE, Germany)
        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Crypto Currency Wallets; Contains functionality to compare user and computer (likely to detect sandboxes)
        - WerFault.exe
            Network: 192.168.2.1 (unknown)
    - WerFault.exe
        Dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
    - WerFault.exe
        Dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
Threat name: Win32.Spyware.Vidar
Status: Malicious
First seen: 2023-01-25 16:07:30 UTC
File Type: PE (Exe)
Extracted files: 27
AV detection: 12 of 26 (46.15%)
Threat level: 2/5
Result
Malware family:
Score: 10/10
Tags: family:rhadamanthys family:vidar botnet:701 spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Detect rhadamanthys stealer shellcode
Malware Config
C2 Extraction:
https://t.me/litlebey
https://steamcommunity.com/profiles/76561199472399815
Unpacked files
SHA256 hash: 641ddeb4b2a0286985ad9faf1d1d4c48c106a82e9f15adad8579d91b83f6171c
MD5 hash: 23b3b83804ba30ba05e1600ab127b6b9
SHA1 hash: 32e3b37989f36eabb638efb619728bfb8d4f75f9
SHA256 hash: e8ce6cee6554f2699605da7a59abe4ff81d96c5f2e4066e2314ddac92363fdd3
MD5 hash: f9c2e5090004f7443c29151429788a78
SHA1 hash: 77f6bf5d39ef4025c59deb8cf419358745ef83a7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:meth_get_eip
Author:Willi Ballenthin
Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB
Rule name:Telegram_Links

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments