MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0cd7710ff81d06494b7130e510dbdd80503aa290be1cc845f465c068301747c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0cd7710ff81d06494b7130e510dbdd80503aa290be1cc845f465c068301747c
SHA3-384 hash: 4702f16c3f2a1b12b9827c1423b8ef139b160ef2b8c81f4e3f7b36e907de795d8012335744b89ef803290b4ecae91d9f
SHA1 hash: 620d97ef5a4122a47ce90bf1f3493bf818ccd7dd
MD5 hash: a22e658934911479aa3e867fbd6d07b6
humanhash: mockingbird-april-coffee-sixteen
File name:a22e658934911479aa3e867fbd6d07b6.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:517'632 bytes
First seen:2021-01-15 15:36:57 UTC
Last seen:2021-01-15 17:51:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 49257c1f93fe219efd45cd7e37f55a0d (2 x ArkeiStealer, 1 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 12288:YfQjTThHobWQ4jckD4Zcb2pN7zVR++05dCuI3ElnYS+0gcK:YfQvTeaQXk3b4N7D05h6EtYEFK
Threatray 1'543 similar samples on MalwareBazaar
TLSH 24B423C64B1B40FCE0D605F0CA7A9EA05E196D217745F1A2DC6BE1A646B9FCCB0C17CA
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://altmessager.com/

Intelligence

File Origin
# of uploads :
2
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a22e658934911479aa3e867fbd6d07b6.exe
Verdict:
Malicious activity
Analysis date:
2021-01-15 15:40:04 UTC
Tags:
stealer evasion trojan vidar
Link:
https://app.any.run/tasks/79c6caac-47e8-43da-a517-1a77d3a2a458

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112221/
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Creating a file
Deleting a recently created file
Replacing files
Reading critical registry keys
Connection attempt
Creating a window
Delayed writing of the file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Connection attempt to an infection source
Stealing user critical data
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/582578
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
May check the online IP address of the machine
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0cd7710ff81d06494b7130e510dbdd80503aa290be1cc845f465c068301747c/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-01-15 15:37:04 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6dgxoeh7qhigjffxcmhfcdn53acqhkrjbpq4zbc7izoanaybor6a._file
Verdict:
malicious
Similar samples:
107903edf7408b9ae8a33bd3b996a48ee5a2268a30aac7f235dfba4b72294187
ArkeiStealer
146de084ff60046edb599a6f8ae1503aa2a7f39c550807e9af069c2e8c9ea34c
ArkeiStealer
493ba8398eed500e3af5e0ae2ea45fa5bfdfbc6371bf67a17ee20c050c117927
ArkeiStealer
4e4cd19c835a2fafb63df3429c6db21507e34fcb33c3072c93f28fb4fc32967b
ArkeiStealer
7fa734ae8d4dd945ab53df6bc39a42134e91411aa06ea0bdda0425e7c60911c6
ArkeiStealer
a863c5d16b5aa24f51529b7482d42401caf457ef0560545725be60bbbc16bd6a
ArkeiStealer
ad3c67acd7773a47ac0d46c544f1bcaa03ddbeb577b195e66fc4a15cd4413dab
ArkeiStealer
b05d95907bad3746cc161aa8bd74c71191a25fc383557fbf754d7c417daeb8f4
ArkeiStealer
d16be9bd809afa992d073da2f25af20fc450b33d9e645de51ea086b5c8f07978
ArkeiStealer
d80f533d3202def1e03d6b4a21cc01eefb5cec003e4740174dbcfbc9112e17f4
ArkeiStealer
+ 1'533 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery spyware stealer upx
Link:
https://tria.ge/reports/210115-vcgsk2m7fa/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
JavaScript code in executable
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Vidar
Unpacked files
SH256 hash:
9989b81c109294d64d3f7652f45ad1d48b57f96f7928c413a8b075f779f2a224
MD5 hash:
7a63c203cd483992950dc7286b6fd2e0
SHA1 hash:
4849f09dc3e083d9ee393ab03039d8fd8fc4cb9c
Detections:
win_vidar_g0
Create hunting rule
Link:
https://www.unpac.me/results/7bf3e96c-e5b6-41a8-8a94-93f80a0d47ca/
SH256 hash:
5fe072fa104c9848f725a5262bf88a5ae5dde417c2084c27b6857bb962750a8d
MD5 hash:
2022d627cdd7e15b1bcabb232271e598
SHA1 hash:
7dfcbd8d0968375745b55c8a03fbe5e92578e63c
Link:
https://www.unpac.me/results/7bf3e96c-e5b6-41a8-8a94-93f80a0d47ca/
SH256 hash:
f0cd7710ff81d06494b7130e510dbdd80503aa290be1cc845f465c068301747c
MD5 hash:
a22e658934911479aa3e867fbd6d07b6
SHA1 hash:
620d97ef5a4122a47ce90bf1f3493bf818ccd7dd
Link:
https://www.unpac.me/results/7bf3e96c-e5b6-41a8-8a94-93f80a0d47ca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.44
Link:
https://yomi.yoroi.company/submissions/f0cd7710ff81d06494b7130e510dbdd80503aa290be1cc845f465c068301747c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_vidar_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe f0cd7710ff81d06494b7130e510dbdd80503aa290be1cc845f465c068301747c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/927868/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/112221/

Comments