MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa7f51831c97c16b3e83e13c22e5c899a67c795347225a6713ef3fac7e300174. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	fa7f51831c97c16b3e83e13c22e5c899a67c795347225a6713ef3fac7e300174
SHA3-384 hash:	4b0548557e025e7843a93c870fd14474ac8cf94b17fbb6c296437f47d5a9cd230fd289e9524e429a491d353f23ea1eda
SHA1 hash:	03780b8582b15caaddabde57df33e6fc619c4836
MD5 hash:	5c373b2e72f330eb36ad715c6fdda484
humanhash:	lamp-winner-oscar-glucose
File name:	5c373b2e72f330eb36ad715c6fdda484.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	806'400 bytes
First seen:	2021-10-09 15:15:39 UTC
Last seen:	2021-10-09 16:22:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f67608135ffb289eb5361e495b501ce2 (1 x RaccoonStealer, 1 x DanaBot, 1 x ArkeiStealer)
ssdeep	24576:sz+0SalzFY8s9D/X04sB4k4z/i0P9rvn:Y+gID8z25N
TLSH	T18905E110B6A2D035F6B716F889B96378A52F7AE12B2454CB52D526FD4B349F0ED3030B
File icon (PE):
dhash icon	e2f8e8e8aa62a499 (1 x ArkeiStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

320

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5c373b2e72f330eb36ad715c6fdda484.exe

Verdict:

Malicious activity

Analysis date:

2021-10-09 15:23:40 UTC

Tags:

trojan stealer vidar loader

Link:

https://app.any.run/tasks/7574a53c-a438-4225-b133-f541d41e019f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/196324/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.32224.12946.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt to an infection source

Sending a TCP request to an infection source

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6161b239334ba92bd9232cd5/reports/a1d73486-9a6f-4517-958c-40bf3cd20d9c/overview

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fa7f51831c97c16b3e83e13c22e5c899a67c795347225a6713ef3fac7e300174/

Threat name:

Win32.Trojan.Chapak

Status:

Malicious

First seen:

2021-10-09 15:16:21 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7j7vday4s7awwpud4e6cfzoitgthy6kti4rfuzyt5472y7rqaf2a._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1008 discovery spyware stealer

Link:

https://tria.ge/reports/211009-sngwdsfchm/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Vidar Stealer

Vidar

Malware Config

C2 Extraction:

https://mas.to/@serg4325

Unpacked files

SH256 hash:

c6320d7467927e78c205fdca10484c14e53730bddd3958d93e11263e7871536e

MD5 hash:

ce26ceb3191ffa06f2d2879349b77140

SHA1 hash:

8d74d2b1ce1708c5bdcb8462b6c4f04ba2faefb4

Link:

https://www.unpac.me/results/a30a1e8b-f880-4721-97a1-30649cbe0262/

SH256 hash:

fa7f51831c97c16b3e83e13c22e5c899a67c795347225a6713ef3fac7e300174

MD5 hash:

5c373b2e72f330eb36ad715c6fdda484

SHA1 hash:

03780b8582b15caaddabde57df33e6fc619c4836

Link:

https://www.unpac.me/results/a30a1e8b-f880-4721-97a1-30649cbe0262/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/fa7f51831c97/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fa7f51831c97c16b3e83e13c22e5c899a67c795347225a6713ef3fac7e300174

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe fa7f51831c97c16b3e83e13c22e5c899a67c795347225a6713ef3fac7e300174

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1584973/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1586513/

Cape

https://www.capesandbox.com/analysis/196324/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample