MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccd8f858057e8f7b43f3ae2490de946c65dab843514f0239bd9f50ba207fb8da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccd8f858057e8f7b43f3ae2490de946c65dab843514f0239bd9f50ba207fb8da
SHA3-384 hash: e079e7b087af12cd9b75c150bfcc990d26b3966db52506c73ccacd871ba0c12d1976806c01e402fb731236c16f3ad217
SHA1 hash: 80f009dd7b2c7afe88558dbfb3aa50d71d4dfffd
MD5 hash: d47560986042fab20aa9bfbb7c7cc211
humanhash: eight-mirror-idaho-william
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'499'024 bytes
First seen:2022-12-16 17:32:15 UTC
Last seen:2022-12-16 20:59:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f2c76418357be5cdc291649da90bd66 (5 x ArkeiStealer, 1 x RedLineStealer)
ssdeep 24576:RZeOPtcSLS2Z7MA77trZeJbpWGM9Qx11pQsGft/ItbJ3RwFgc2pRaO:fLPzntIJbO9QxbmFqJJJc2naO
Threatray 1'086 similar samples on MalwareBazaar
TLSH T11D658C9B031039B8D548FFB77B1993A4B0491DB3703956CA9B82A74CF4BB36241B66C7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9430b1b0c061c8cc (1 x ArkeiStealer)
Reporter andretavare5
Tags:ArkeiStealer exe signed

Code Signing Certificate

Organisation:doog.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-04T03:08:52Z
Valid to:2023-02-02T03:08:51Z
Serial number: 037f9d60e0688fefb0f79afca85c492b7f14
Thumbprint Algorithm:SHA256
Thumbprint: 64b2b4d561abc9ec54bc35658a3aa0731556b391733e66d915840f15ba8acac4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://91.213.50.68/files/install1.exe

Intelligence

File Origin
# of uploads :
89
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-16 17:35:25 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/4a334e29-d858-411b-acad-6dca4af7eb7f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/347065/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.32070.1716.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Gathering data
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5fb5c1e3-bb09-4ce6-8c97-8814194b26af
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1135886
Signature
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ccd8f858057e8f7b43f3ae2490de946c65dab843514f0239bd9f50ba207fb8da/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2022-12-16 17:33:08 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ztmpqwafp2hxwq7tvysjbxuunrs5vocdkfhqeon5t5iluid7xdna._file
Verdict:
malicious
Similar samples:
33a9c4f53a214003ac5a5415db060701bc53b271a670f03167cd01bc67fcf23a
ArkeiStealer
40d0734b985f3b131a175222639d0621b1f7f7a0f90674c676df80191fb215aa
ArkeiStealer
58ae170573fd183ada1906291ca170724608a6a6217d84a6e5f0e400c3b1f481
ArkeiStealer
6eaa17442216edf6c184c03e3b7468922c1b6d59fbf419f811552e2e86e0bcfe
ArkeiStealer
a06867c5e8f32e4f33fc0455b26a792eb1647178918628765aec756c1a21c382
ArkeiStealer
ce3c6cc7e3d80c26246bb01b910992d8c77b1c3f30ec28b79346f15224a3c746
ArkeiStealer
e9dfa7091ae536608ed7d95240cb6abba1033e14af969d271c804edf477ea387
ArkeiStealer
+ 1'076 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221216-v4vhjahh9t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a2614d13-13de-404e-956d-63aa9c35fc92
Unpacked files
SH256 hash:
8100b3970014eb941afb16beb25103da3bcf364bfb7d1bd97b893be9c9c56c77
MD5 hash:
1e7c903be1535139db1513ea7ab7c365
SHA1 hash:
da53c49d86e078206a2103c37c27c0869f43d178
Link:
https://www.unpac.me/results/40229ef2-90b1-4b6e-ae38-ae79b95fcc05/
SH256 hash:
ccd8f858057e8f7b43f3ae2490de946c65dab843514f0239bd9f50ba207fb8da
MD5 hash:
d47560986042fab20aa9bfbb7c7cc211
SHA1 hash:
80f009dd7b2c7afe88558dbfb3aa50d71d4dfffd
Link:
https://www.unpac.me/results/40229ef2-90b1-4b6e-ae38-ae79b95fcc05/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ccd8f858057e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ccd8f858057e8f7b43f3ae2490de946c65dab843514f0239bd9f50ba207fb8da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/347065/

Comments