MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4d0518740e6b904a853dc465dc28b7d07b8960af83347dad891795fa36b1866. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4d0518740e6b904a853dc465dc28b7d07b8960af83347dad891795fa36b1866
SHA3-384 hash: 45bc3edbda4c8b9b1074ae233332676a817f701cddc7173463b1a7f8648688c70e81a2f182395c3129ead25d753b8a04
SHA1 hash: 86f96267f7dd4deb95dca6b6b951ee9fede63788
MD5 hash: 4f5bf39c67ddb9f7fad0d0fc409e0938
humanhash: utah-arizona-lake-tango
File name:4f5bf39c67ddb9f7fad0d0fc409e0938
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:500'224 bytes
First seen:2022-10-27 09:38:38 UTC
Last seen:2022-10-27 13:18:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5378c4b372fa22317ad4c167e8f3ced7 (2 x RedLineStealer, 2 x ArkeiStealer)
ssdeep 6144:vzJuoXyxgC7hTXQGzMWU4YtUgsAOuaVwKywfb9EsZk6lFFWHPewwbt973BFwpIcp:7JyxgC7ZXmsp3yw9E2yHy3PwfEef
Threatray 787 similar samples on MalwareBazaar
TLSH T1D1B4C000B1918C71E9723E3234FCDE6465EAF493CA61AE5727C80F195FB8602B719E79
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://95.217.29.33/ https://threatfox.abuse.ch/ioc/950016/

Intelligence

File Origin
# of uploads :
2
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4f5bf39c67ddb9f7fad0d0fc409e0938
Verdict:
Malicious activity
Analysis date:
2022-10-27 09:39:21 UTC
Tags:
trojan stealer
Link:
https://app.any.run/tasks/304acd4c-9612-45e8-9cc3-92a059253d67

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/324808/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.61965.1856.6029.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Searching for the window
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45922/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f420a0d-7628-459b-bbdd-10a6be1a600f
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1099159
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4d0518740e6b904a853dc465dc28b7d07b8960af83347dad891795fa36b1866/
Threat name:
Win32.Infostealer.Bandra
Create hunting rule
Status:
Malicious
First seen:
2022-10-27 09:52:01 UTC
File Type:
PE (Exe)
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6tifdb2a424qjkct3rdf3qulpud3rfqk7azupwwysf4v7i3ldbta._file
Verdict:
malicious
Similar samples:
1d0f51c2537302f0585d483c5186b713900ac64a1dcb2a5924660d71558aa330
ArkeiStealer
33b834d43e55548d511dd46076c7ba48db7ffe4a50accc66bd43fa98d6793e41
ArkeiStealer
569ea2229b464fe4cbffdb473cff09912f91fb593a16be9003f38dc8c083a62a
ArkeiStealer
ae5fa45e7af9a7fe4e5f96a38578fc7c065c2c4f438b3669f71b24f603188549
ArkeiStealer
e1b703cb0718ac38b01753facb2dd66a8c60d5af82f190f00f90d3a2f53a8a4c
ArkeiStealer
f0e8c8856176b04515a8003e6830c2a371d52af0b66ebe70232a5fa1afb4a10d
ArkeiStealer
+ 777 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1707 spyware stealer
Link:
https://tria.ge/reports/221027-lml1dsbgek/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Vidar
Malware Config
C2 Extraction:
https://t.me/slivetalks
https://c.im/@xinibin420
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/598933d3-b6f0-405b-9b69-09605d1900f6
Unpacked files
SH256 hash:
f4d0518740e6b904a853dc465dc28b7d07b8960af83347dad891795fa36b1866
MD5 hash:
4f5bf39c67ddb9f7fad0d0fc409e0938
SHA1 hash:
86f96267f7dd4deb95dca6b6b951ee9fede63788
Link:
https://www.unpac.me/results/6a6a8349-f8c0-49c1-a405-52f5376cf054/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4d0518740e6b904a853dc465dc28b7d07b8960af83347dad891795fa36b1866

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:Windows_Trojan_Vidar_114258d5
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe f4d0518740e6b904a853dc465dc28b7d07b8960af83347dad891795fa36b1866

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2387688/
Cape
Cape
https://www.capesandbox.com/analysis/324808/

Comments


Avatar
zbet commented on 2022-10-27 09:38:41 UTC

url : hxxp://gitcdn.link/cdn/gta11113/fgjhfh/main/ro5io8xv.rt