MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec359f0518ed640b2653a6588445bb35d6f7041b34efd620a35e112aea4bd0b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec359f0518ed640b2653a6588445bb35d6f7041b34efd620a35e112aea4bd0b3
SHA3-384 hash: 6e1cad752d388089320da9f14be48ba9cafb54171e89683bc81580ab0f9ec40ef5e9dcb0434eeb7633b712fc9107bb14
SHA1 hash: 1b5320903eb0ff584ebe9f798a486e6ceb08fd1e
MD5 hash: 81e9b5196db38fc501523fc82593f885
humanhash: tango-shade-beer-alpha
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'882'624 bytes
First seen:2022-09-07 11:08:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef9371ed02b661d8bb8252cd147a7c72 (1 x ArkeiStealer)
ssdeep 24576:mojvoPo60y64JQdc2UfPKpE/CFW6dafDwNRuAz9gLWxJaRqD+aEqI:mojvoPpGWQdc1CFW6dow7z9gLYJkJaE
Threatray 4'253 similar samples on MalwareBazaar
TLSH T18E957B11BB519119F8F705FB49FE206CA52CBAE0076894C7A1C42AEE866DBF07D32753
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:ArkeiStealer exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc523958404_646011596?hash=PjXSyokEPPE9JxZVofEtqX5XG6CbxYLbtOZCM78vjpD&dl=GUZDGOJVHA2DANA:1662548832:caFKnjDMxQwmoY1W1zEOj73gkF6nTormKtGnAQws8PH&api=1&no_preview=1#encrypted

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.130.75.65/ https://threatfox.abuse.ch/ioc/848402/

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-09-07 11:11:12 UTC
Tags:
trojan stealer
Link:
https://app.any.run/tasks/15721094-2e3b-41f8-962a-b432cb403939

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308465/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.27736.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Creating a file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Stealing user critical data
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/36930/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63187c28a90642bcbbe950de/reports/bf86adef-3f1c-425f-8c35-dab1eaf267aa/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27506a43-bfdf-4973-aa8c-00d554c840db
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1066306
Signature
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec359f0518ed640b2653a6588445bb35d6f7041b34efd620a35e112aea4bd0b3/
Threat name:
Win32.Infostealer.Coins
Create hunting rule
Status:
Malicious
First seen:
2022-09-07 11:09:09 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5q2z6biy5vsawjstuzmiirn3gxlpoba3gtx5mifdlyisv2sl2czq._file
Verdict:
malicious
Similar samples:
035476e090a9b48358022a1f621bc66080cadc63bac16d6c21a6adc2335277b9
ArkeiStealer
3033615c656623c5cb1c3c8ed9955a010cdead860289fbd30e5ab3cc19551890
ArkeiStealer
3819206572678f720748a6e68edd46ad3f5f780fc751009f1816f3aa78fe2eeb
ArkeiStealer
3a3349c81fcc62b902e98fb074a96d573f8a0586f02dca4d63e997a355c284d4
ArkeiStealer
3b7c41820030dd3392cd3be48b358d2f819418f6e26dccfb2caea57a9c9f4f57
ArkeiStealer
a6260a202c91161af5663fbf6b92e6bea949d6c4057fc1c50bed6d5eef648414
ArkeiStealer
b238622028e1c8056e42ffd70ce536e15dcf72de6e5ee4d931a3d2f84dcb085f
ArkeiStealer
ccfe14df961e512e8caea0159172066b46ca4b9ce4a791d938a9e68a6ab4e0e4
ArkeiStealer
d27953e7a1c041251f57bf1c29760eb5bcc1e3ab7095172880aba5cccc8f82ad
ArkeiStealer
dfaf2f93303fe52caa66f107d5305053640f22333bedb22748a091b85105a5ac
ArkeiStealer
+ 4'243 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220907-m84yrsbhc6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
f635c9dcd4a8502c5fd540e97e395b2e170284c19dfcf42a40ec27f9f619ba1a
MD5 hash:
4e015cae967d46ed71cb7d31bbb6cb42
SHA1 hash:
b294f555421e654dd0ad9ff909cd640c46ece152
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/599dadb8-ae55-459f-aea9-cc2aacc2a453/
SH256 hash:
ec359f0518ed640b2653a6588445bb35d6f7041b34efd620a35e112aea4bd0b3
MD5 hash:
81e9b5196db38fc501523fc82593f885
SHA1 hash:
1b5320903eb0ff584ebe9f798a486e6ceb08fd1e
Link:
https://www.unpac.me/results/599dadb8-ae55-459f-aea9-cc2aacc2a453/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ec359f0518ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec359f0518ed640b2653a6588445bb35d6f7041b34efd620a35e112aea4bd0b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/308465/

Comments