MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edf0c8016d4968b1784a0121e2dbaac68445f8a8280a0a590b44e31a15bf3355. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

SHA256 hash: edf0c8016d4968b1784a0121e2dbaac68445f8a8280a0a590b44e31a15bf3355
SHA3-384 hash: 2ed8eea5154c340803dfa7c297efb4526be10892dcb0b1080b1a6a71fb492b4142e8ed9706959d3ead636f6fc3d76898
SHA1 hash: ea845f88acc2ac84ab79fab324e70d6e4d3a2277
MD5 hash: 22ff4cab9b222f7bcc57ac3c317b02f5
humanhash: cold-five-timing-lion
File name: 22ff4cab9b222f7bcc57ac3c317b02f5.exe
Signature: ArkeiStealer
File size: 557'568 bytes
First seen: 2021-08-16 09:09:39 UTC
Last seen: 2021-08-16 09:52:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b6eb307a53194f1a2629d22afffc5564 (4 x Smoke Loader, 3 x DanaBot, 2 x RedLineStealer)
ssdeep: 12288:50ctR6ZNVxmaf+3q6bZOH44o87LQDiWkUlZmSCr:VtRaxQg44Itnx
Threatray: 2'674 similar samples on MalwareBazaar
TLSH: T168C4121DB18FC1B2C745B2714033CA6D19291F51DB7B153F1B9426AE6F32FB02B262A6
dhash icon: 4839b2b0e8c38890 (105 x RaccoonStealer, 38 x Smoke Loader, 33 x RedLineStealer)
Reporter: abuse_ch
Tags: ArkeiStealer exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 149
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 22ff4cab9b222f7bcc57ac3c317b02f5.exe
Verdict: Malicious activity
Analysis date: 2021-08-16 09:19:43 UTC
Tags: trojan stealer vidar loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Replacing files
Reading critical registry keys
Creating a window
Delayed writing of the file
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Forced shutdown of a browser
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 56 / 100
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: SAM Dump to AppData
Sigma detected: Suspicious PowerShell Invocations - Specific
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-08-15 14:23:49 UTC
AV detection: 18 of 46 (39.13%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:vidar botnet:916 discovery spyware stealer suricata
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction: https://lenak513.tumblr.com/
Unpacked files
SHA256 hash: 65f353ef1e15371f2f84995da14d9d4d26f21c4f27786b1e11b9d7d3ef73ab63
MD5 hash: d214cd08287dcad86d6c915003e67cfe
SHA1 hash: 211ccf327307d3f21a534de3b373cdc5c107e9d2
SHA256 hash: edf0c8016d4968b1784a0121e2dbaac68445f8a8280a0a590b44e31a15bf3355
MD5 hash: 22ff4cab9b222f7bcc57ac3c317b02f5
SHA1 hash: ea845f88acc2ac84ab79fab324e70d6e4d3a2277
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
ArkeiStealer
Executable exe edf0c8016d4968b1784a0121e2dbaac68445f8a8280a0a590b44e31a15bf3355 (this sample)

Delivery method
Distributed via web download
