MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb792aefeecd5bf6d7464223729cc0c5b6de0c77e6e4bb4914a397cf14c15473. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash: eb792aefeecd5bf6d7464223729cc0c5b6de0c77e6e4bb4914a397cf14c15473
SHA3-384 hash: 439be7fe79acb2ad9109e88c96adc85d68be2c848f40685f3edaf238d485503522c14a6a6be19ce90dbff6ef5ab0ab58
SHA1 hash: 7351de26de050ddf22c3494a195842b6506698f0
MD5 hash: 05ddd41b70316164380ed7167d0b11f7
humanhash: tango-bulldog-twenty-butter
File name:Setup_x64.exe
Download: download sample
Signature ArkeiStealer
File size:721'920 bytes
First seen:2023-01-31 15:58:32 UTC
Last seen:2023-01-31 17:29:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ea3425e7a35fb163de9905f007d5a0f2 (1 x ArkeiStealer, 1 x Vidar)
ssdeep 12288:j/3T66QpF7gpLPRVfl98jAfkrtXuWLtrbSrVOSYqoVJUKXBkc7bIUxaotUd:j/3T66QT7gpLPROjAet+WLtrbSrVhYqX
TLSH T1F5E4BE3D37B664B0C567507D0B708E364ABEBD310E4336ABAFC43D6A9E706906631396
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence


File Origin
# of uploads :
2
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup_x64.exe
Verdict:
Malicious activity
Analysis date:
2023-01-31 16:00:07 UTC
Tags:
stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 795317 Sample: Setup_x64.exe Startdate: 31/01/2023 Architecture: WINDOWS Score: 100 34 Antivirus / Scanner detection for submitted sample 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected Vidar stealer 2->38 40 2 other signatures 2->40 8 Setup_x64.exe 1 2->8         started        process3 signatures4 42 Contains functionality to inject code into remote processes 8->42 44 Writes to foreign memory regions 8->44 46 Allocates memory in foreign processes 8->46 48 Injects a PE file into a foreign processes 8->48 11 vbc.exe 19 8->11         started        15 WerFault.exe 24 9 8->15         started        18 conhost.exe 8->18         started        process5 dnsIp6 28 t.me 149.154.167.99, 443, 49696 TELEGRAMRU United Kingdom 11->28 30 65.109.168.191, 49700, 80 ALABANZA-BALTUS United States 11->30 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->50 52 Tries to steal Mail credentials (via file / registry access) 11->52 54 Tries to harvest and steal browser information (history, passwords, etc) 11->54 56 2 other signatures 11->56 20 cmd.exe 1 11->20         started        32 192.168.2.1 unknown unknown 15->32 26 C:\ProgramData\Microsoft\...\Report.wer, Unicode 15->26 dropped file7 signatures8 process9 process10 22 conhost.exe 20->22         started        24 timeout.exe 1 20->24         started       
Threat name:
Win32.Trojan.Vidar
Status:
Malicious
First seen:
2023-01-31 15:59:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:vidar botnet:713 spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Vidar
Malware Config
C2 Extraction:
https://t.me/mantarlars
https://steamcommunity.com/profiles/76561199474840123
Unpacked files
SH256 hash:
e910739833ef780c3286ba421639bfda1d74532c4d85e31b930a46b443a9bc5e
MD5 hash:
45985656c7d436ccef1337cedfdc258b
SHA1 hash:
b7ac1e8edc70adfd139db60447984d00089a46d9
SH256 hash:
eb792aefeecd5bf6d7464223729cc0c5b6de0c77e6e4bb4914a397cf14c15473
MD5 hash:
05ddd41b70316164380ed7167d0b11f7
SHA1 hash:
7351de26de050ddf22c3494a195842b6506698f0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:Telegram_Links

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments