MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc65eb40f9fbc0954b795d71a189b3ff6638e15b6cf3697906f5cfd7175d3287. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	cc65eb40f9fbc0954b795d71a189b3ff6638e15b6cf3697906f5cfd7175d3287
SHA3-384 hash:	d0afd3d12eab3846d6da1dc9553200af0fd35edf2dc5595664a01b70bac9614483811cd87887f3631523d10142af1aaf
SHA1 hash:	9f327dbe52011523ef28f1b5058c64ffcc94c498
MD5 hash:	672d13f333c6b4f54b8c97db212f59b9
humanhash:	golf-lion-johnny-berlin
File name:	672d13f333c6b4f54b8c97db212f59b9.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	665'088 bytes
First seen:	2021-06-02 11:13:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	efd209e04a0fc625091564dc0f232d99 (1 x ArkeiStealer)
ssdeep	12288:tV//1LNipPrEmqk7kaCUhrwAOua/UHzGs3xq6W+5LE632a:tFnipPdsAOuahsA9+5w6
Threatray	301 similar samples on MalwareBazaar
TLSH	82E4E010B7D1C034F5F752BC99BEA27D9A2DB9A1676851CB03D42AEE06346E7AC30317
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

158

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

672d13f333c6b4f54b8c97db212f59b9.exe

Verdict:

Malicious activity

Analysis date:

2021-06-02 11:18:48 UTC

Tags:

trojan stealer vidar

Link:

https://app.any.run/tasks/08b0e093-e335-4a1f-ba89-05858661a447

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/164016/

Detection(s):

Win.Malware.Generic-9866706-0

Win.Malware.Generic-9866728-0

Win.Malware.Generic-9866778-0

Win.Malware.Generic-9866820-0

Win.Malware.Generic-9866942-0

Win.Packed.Generic-9866972-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Sending a UDP request

DNS request

Connection attempt

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/795805

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cc65eb40f9fbc0954b795d71a189b3ff6638e15b6cf3697906f5cfd7175d3287/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-06-01 12:55:22 UTC

AV detection:

30 of 47 (63.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zrs6wqhz7pajks3zlvy2dcnt75tdryk3ntzws6ig6xh5of25gkdq._file

Verdict:

malicious

ArkeiStealer

7827054de38b851b5e28c8553d564eca5d1047d5756f7733250af348c689c8f1

ArkeiStealer

83f50d86c658c945ad095f32812422656d56612c31dc4f5ff72f850b604f2aac

ArkeiStealer

94da7af1d49aa6a664c46f994993e6e643514a538d9c5a87fd9110fce366f9c0

ArkeiStealer

9553d0dcdf7b666c65cb7d42c092927c8aeae349ef30a5358e36a3bba6d050a1

ArkeiStealer

9f8d1e417af0289e797bfec654fab1bbe4a2669086ae3a0f349d47b7c58c4000

ArkeiStealer

bbad903c167cb3dc56ed2b858f30f7b5bb3f3ee17344b094c35fa93086cae137

ArkeiStealer

d7e19e855c308e7e134b178ac91a877ed82b688882e3b43d21d121154e172a48

ArkeiStealer

d95e32a27fb48282c70ef999999d4892c2fbff18b43b68d632457f11261b2bfb

ArkeiStealer

fca7e429e6242b8d1fad50044984fc49f2ac9e3c8b64513334a78daffc5e7807

ArkeiStealer

+ 291 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210602-scceh7mfgn/

Behaviour

Modifies system certificate store

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cc65eb40f9fbc0954b795d71a189b3ff6638e15b6cf3697906f5cfd7175d3287

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

Rule name:	win_vidar_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com