MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 719f762fbc61df4c651dd30e07831c5aee2c7a8b8dac7dbb2ad61d040eeaa79b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 20


Intelligence 20 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 719f762fbc61df4c651dd30e07831c5aee2c7a8b8dac7dbb2ad61d040eeaa79b
SHA3-384 hash: 72d790d7f35b02b8b152de1973778e6244bf757247126617e2fab7b373dc60010a819b92dbdcd9b282b5dc07e4fb1f9c
SHA1 hash: 5ea11289e45a4693f43fdb40aed069df9120e5f0
MD5 hash: 1a1ded0861b7149c24b363d41c4c35e3
humanhash: wolfram-island-steak-eleven
File name:1a1ded0861b7149c24b363d41c4c35e3.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:291'840 bytes
First seen:2026-01-10 13:27:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d3e1b79045dd71f903756dd5623adaf6 (12 x Smoke Loader, 11 x Amadey, 8 x Tofsee)
ssdeep 6144:q6LAD0BncSjLwOw4x9lBA3bMI4QjsVKW/4lA+q:q684NcwpLArMUO4b
Threatray 614 similar samples on MalwareBazaar
TLSH T14B54E1123A90D033D05269305D29E2A5676BFDB39A39A943B79C3F6D6F711C26B36303
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
AceCryptor Vidar
Details
AceCryptor
an extracted shellcode loader component and the ms_c_rand-XOR seed
AceCryptor
an extracted payload
AceCryptor
an extracted shellcode loader component and a TEA decryption key
Vidar
c2 urls, a profile and profile ID, a version, and a c2 handshake magic value
Link:
https://research.acce.ciphertechsolutions.com/results/51888460-0a2b-48de-824b-02d3f9743e61/
Malware family:
arkei
Create hunting rule
ID:
1
File name:
1a1ded0861b7149c24b363d41c4c35e3.exe
Verdict:
Malicious activity
Analysis date:
2026-01-10 13:35:13 UTC
Tags:
telegram github arkei stealer
Link:
https://app.any.run/tasks/06a5557a-8b17-4fd4-bf7f-6495923c18d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/48476/
Detection(s):
Win.Dropper.Tofsee-9977817-0
Create hunting rule

Win.Packed.Mokes-9977978-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696254099922425f92ff9c5f
Tags:
dridex virus krypt hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Sending an HTTP GET request to an infection source
Sending a TCP request to an infection source
Connection attempt to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint krypt lockbit microsoft_visual_cc packed redline tofsee zeppelin
Link:
https://www.filescan.io/uploads/696253fa07ef5fa68e83b8e9/reports/c1e4085a-ace4-427c-aebe-7e0d8c5a260e/overview
Verdict:
Malicious
Labled as:
Ransom.Zeppelin.Generic
Link:
https://www.hybrid-analysis.com/sample/719f762fbc61df4c651dd30e07831c5aee2c7a8b8dac7dbb2ad61d040eeaa79b
Verdict:
Malicious
File Type:
exe x32
First seen:
2022-11-13T05:05:00Z UTC
Last seen:
2026-01-11T02:00:00Z UTC
Hits:
~1000
Detections:
VHO:Backdoor.Win32.Convagent.gen Trojan-Downloader.Banload.HTTP.C&C Trojan-Banker.Bandra.HTTP.C&C BSS:Trojan.Win32.Generic Trojan-PSW.Win32.Vidar.sb Trojan-PSW.Stealerc.HTTP.C&C BSS:Trojan.Win32.Generic.nblk Trojan-PSW.Win32.Coins.sb Trojan.Win32.Zenpak.sb Trojan.Win32.Yakes.sb Trojan.Win32.Strab.sb Trojan.Win32.Chapak.sb HEUR:Trojan-Banker.Win32.Bandra.gen
Link:
https://opentip.kaspersky.com/719f762fbc61df4c651dd30e07831c5aee2c7a8b8dac7dbb2ad61d040eeaa79b/results?tab=lookup
Malware family:
Arkei Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/984898c9-dc75-4746-9dac-c0646acb3934
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1847931
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/719f762fbc61df4c651dd30e07831c5aee2c7a8b8dac7dbb2ad61d040eeaa79b
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/1a1ded0861b7149c24b363d41c4c35e3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/719f762fbc61df4c651dd30e07831c5aee2c7a8b8dac7dbb2ad61d040eeaa79b/
Verdict:
Malicious
Threat:
Family.ARKEI
Link:
https://tip.neiki.dev/file/719f762fbc61df4c651dd30e07831c5aee2c7a8b8dac7dbb2ad61d040eeaa79b
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2026-01-07 09:44:00 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ogpxml54mhpuyzi52mhapay4llxcy6ulrwwh3ozk2yoqidxku6nq._file
Verdict:
malicious
Label(s):
arkeistealer
Create hunting rule
shellcode_loader_002
Create hunting rule
Similar samples:
08b7fd4bd56c90d7bbf5f1d633da68fd062d90d2088ee539c9485974f6c9286a
ArkeiStealer
0b804c71fa3ef61f46306ca4990a466686eff28d0c816cc58fafa8776073b47a
ArkeiStealer
2b590ce7c3db61cf6b9126f3bd0be4b413af1fb01e8a5ccba31431891223ed34
ArkeiStealer
471663e6452ca1282187b6099ce97c9a0ed1c75453261a3f71f8853e7daef51f
ArkeiStealer
54dbe707cdf77a6a0cd1d85947a523d3a05ac1013ea0b8a3fbabe08e8aed2eb3
ArkeiStealer
59699cd3deadc901b8a84cc69f2ad4dc80eb7661e83e78173792ebd9bb39be0b
ArkeiStealer
63dfc4883925e801765aebe5ec190d88859c7719d19a36cefaa4f8dffef23ee7
ArkeiStealer
a0ab98e9e2136a860291deb49e5e4f72ea70a4fa869e049b3fc3cb6737c2338e
ArkeiStealer
b2cdeefc2c6eb822b922bf8bbbac517165033229818328c06490d5c3ca631f2b
ArkeiStealer
b4b05dc95616c249119a8939f817c083dc18e99ecb5797acdaaf6d05d73f3d10
ArkeiStealer
+ 604 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1744 discovery stealer
Link:
https://tria.ge/reports/260110-qqwffshz9f/
Behaviour
System Location Discovery: System Language Discovery
Contacts third-party web service commonly abused for C2
Vidar
Vidar family
Malware Config
C2 Extraction:
https://t.me/seclab_new
https://raw.githubusercontent.com/sebekeloytfu/simple-bash-scripts/master/calculator.sh
http://195.201.252.143:80
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a7085d31-6508-4e3d-a90b-4e06ad9496d6
Unpacked files
SH256 hash:
719f762fbc61df4c651dd30e07831c5aee2c7a8b8dac7dbb2ad61d040eeaa79b
MD5 hash:
1a1ded0861b7149c24b363d41c4c35e3
SHA1 hash:
5ea11289e45a4693f43fdb40aed069df9120e5f0
Link:
https://www.unpac.me/results/cb3ef9cd-b7c0-4f63-bdec-16aa98350cef/
SH256 hash:
db9e1b23db896f75cefe627e6775516b64e82b8b2487e7277be7845c8027f2b7
MD5 hash:
ddaac2b8ee2a15e4ee690d4fa7fadc06
SHA1 hash:
fa48ae196fd2f8d0acac9e5652cc19d12f5f824a
Detections:
win_vidar_auto
Create hunting rule
VidarStealer
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Link:
https://www.unpac.me/results/cb3ef9cd-b7c0-4f63-bdec-16aa98350cef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/719f762fbc61df4c651dd30e07831c5aee2c7a8b8dac7dbb2ad61d040eeaa79b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:Windows_Trojan_Generic_2993e5a5
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Vidar_c374cd85
Create hunting rule
Author:Elastic Security
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/48476/

Comments