MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f763556b253fa22454cdc3e21f288cfcf360c4938b14258ee00e9a3c0e39ae17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f763556b253fa22454cdc3e21f288cfcf360c4938b14258ee00e9a3c0e39ae17
SHA3-384 hash: 309d5b3a527c76aa2d053f878e54fa48cf1b4cae4acd52291b3cc26ef517fe33ed2492be121b5dbcebf90c01a421d350
SHA1 hash: e91991cbe6f1b9037d2912db41313f7186cfa20f
MD5 hash: 7803876440d7a0ea73e4dd883911142b
humanhash: early-zulu-virginia-single
File name:7803876440d7a0ea73e4dd883911142b
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:2'870'432 bytes
First seen:2022-11-20 15:00:58 UTC
Last seen:2023-08-26 21:40:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 407e3b5378b3b0b56c578f72b3227fa9 (5 x ArkeiStealer)
ssdeep 49152:b91KitqTJqFfMnxkBKwoFw8AKMBLIjdm6miDW6ET7+Dpir2pByUB/BHTdmw+RExl:bT/wlMf667vKM1wfuT7/rOBblBzd1+Rq
Threatray 16'558 similar samples on MalwareBazaar
TLSH T166D53304F32A9D25C49E837258932A5A4B37B94B5F068B93778C334EAF773927E49314
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon c88e8e0f07a6f8f8 (1 x ArkeiStealer)
Reporter zbetcheckin
Tags:ArkeiStealer exe signed

Code Signing Certificate

Organisation:Toshiba MQ01ABDxx 2.5 MQ01ABD050
Issuer:Toshiba MQ01ABDxx 2.5 MQ01ABD050
Algorithm:sha1WithRSAEncryption
Valid from:2022-06-20T19:19:10Z
Valid to:2032-06-21T19:19:10Z
Serial number: 2320ba761be80ea7406d3cb4d4c4abdd
Intelligence: 19 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: b6740db45e30524fb24d5be9637932f227224ce743488c0d5884a8fc328a70fb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
4
# of downloads :
319
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7803876440d7a0ea73e4dd883911142b
Verdict:
Malicious activity
Analysis date:
2022-11-20 15:01:09 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/be0c99ec-4d2c-4fc6-b694-48056a23a965

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336409/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.4863.29789.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/637a41353bc7ee0904b3f8c1/reports/4049960a-701e-403a-9176-d297c4005360/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e74216d-9459-4b11-858b-a020e111c997
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1117587
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f763556b253fa22454cdc3e21f288cfcf360c4938b14258ee00e9a3c0e39ae17/
Threat name:
Win32.Infostealer.Bandra
Create hunting rule
Status:
Malicious
First seen:
2022-11-20 15:01:26 UTC
File Type:
PE (Exe)
Extracted files:
112
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=65rvk2zfh6rcivgnyprb6kem7tzwbretrmkcldxab2ndydrzvylq._file
Verdict:
suspicious
Similar samples:
22d9733647f48990bbe74bd5236545bb2d77d2b85cf5fa671bdd5276ebe8f6c6
ArkeiStealer
2cf662a4d3efa315a348a9fbcaa3a8d4c1915f21d8f8841fc06b5f3c41ffc0c4
ArkeiStealer
3e9c629c225bf857fc3183cc5f17ae5816e04f20c7d9636d5d6adac849ed2279
ArkeiStealer
88f86b01cb6078c58fd2d5ab9f1beb7c24fa1e4b71e1ca558678d7718c418b66
ArkeiStealer
d3dd1a4eff9a3371d839a9cbdcd040edb03c5ac3140e142e6bf398905a9afad7
ArkeiStealer
de96e27483b81bec57e86f32954d7de623bb7a6c89aefa721c136fb60d148768
ArkeiStealer
+ 16'548 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1829 discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/221120-sdwa2ahc78/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar
Malware Config
C2 Extraction:
https://t.me/deadftx
https://www.tiktok.com/@user6068972597711
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dd181b63-8b66-4787-85b5-023a8b722032
Unpacked files
SH256 hash:
f45da30e4f30c0800aded2e533b9b14ae84de5166c52b27827888402ff9598cf
MD5 hash:
8420263bf8155f7daa1ceb0eab001ad0
SHA1 hash:
096172efdd78c59045c59966755a0e75bf1338ea
Link:
https://www.unpac.me/results/562f85cd-ce7b-43b6-b8fc-2d6ff6142e12/
SH256 hash:
f763556b253fa22454cdc3e21f288cfcf360c4938b14258ee00e9a3c0e39ae17
MD5 hash:
7803876440d7a0ea73e4dd883911142b
SHA1 hash:
e91991cbe6f1b9037d2912db41313f7186cfa20f
Link:
https://www.unpac.me/results/562f85cd-ce7b-43b6-b8fc-2d6ff6142e12/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f763556b253f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe f763556b253fa22454cdc3e21f288cfcf360c4938b14258ee00e9a3c0e39ae17

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2427619/
Cape
Cape
https://www.capesandbox.com/analysis/336409/

Comments


Avatar
zbet commented on 2022-11-20 15:01:04 UTC

url : hxxp://77.73.133.113/lego/mao.exe