MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdac614b0ddd13a7de4b73ae76b8d351b63114677c1d40c70bf0d921ff1f6861. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	cdac614b0ddd13a7de4b73ae76b8d351b63114677c1d40c70bf0d921ff1f6861
SHA3-384 hash:	e63684d1717716ae20533fe66f7cd8ec2826ae99e8c2ff8f28e74876fe2e865c8da910994bc156f16970bd1df96716f6
SHA1 hash:	4a0be269d3dc1f4f6a0dc24af4bb5989bc7f20f0
MD5 hash:	d635404d16b304eb17f60634fd3f9213
humanhash:	dakota-alpha-batman-vegan
File name:	scp109.xll
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	557'568 bytes
First seen:	2022-03-14 16:51:38 UTC
Last seen:	2022-03-14 18:39:30 UTC
File type:	xll
MIME type:	application/x-dosexec
imphash	a31761b5a590c4c499d5f4a347d75c12 (23 x Formbook, 17 x AgentTesla, 6 x RedLineStealer)
ssdeep	12288:Ln/zjvGHAykHJRLW/4+8bzbBSreM3dqZGDx:Dz7GHAzH7jX1eFx
Threatray	91 similar samples on MalwareBazaar
TLSH	T109C48E57F7DBF6F0E6BE827A86B1891D52B774520270A78F664072896D23382443DB0F
Reporter	Anonymous
Tags:	ArkeiStealer xll

Intelligence

File Origin

# of uploads :

2

# of downloads :

138

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

scp109.xll

Verdict:

Malicious activity

Analysis date:

2022-03-14 15:55:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1b89bb2d-d6e2-48db-897d-8cb5812a7423

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.48594865.24391.21208.UNOFFICIAL

Result

Verdict:

Malicious

File Type:

Office Add-Ins - Suspicious

Link:

https://app.docguard.net/cdac614b0ddd13a7de4b73ae76b8d351b63114677c1d40c70bf0d921ff1f6861/results/dashboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed packed

Link:

https://www.filescan.io/uploads/622f72b5dfdfa8501c9ef2c6/reports/0aef00ff-2fe4-4e29-bf11-eae7f1d68fea/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cdac614b0ddd13a7de4b73ae76b8d351b63114677c1d40c70bf0d921ff1f6861/

Threat name:

ByteCode-MSIL.Trojan.ExcelAddin

Status:

Malicious

First seen:

2022-03-14 11:52:13 UTC

File Type:

PE+ (Dll)

Extracted files:

3

AV detection:

13 of 27 (48.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zwwgcsyn3uj2pxslooxhnogtkg3dcfdhpqoubryl6dmsd7y7nbqq._file

Verdict:

malicious

Similar samples:

0826127414e576d46c0accdc05df229fc1109b5b88e49e899fa4aee289dc4556

0838b673be73014ff6e29d784247ad3b44a794dd2134301bb25c8dd0a3f5b0ae

68315f9b95450e287e19be6f014114f36aa6fd98eef733e839efe670f302fced

93eaa02e5c7c465410e6981da4b4ea3ebd730b8016932d328022da0e8091e763

ade73b7033e024443c9ebffc25a424d3a1fc4e67c674fcd585e9d5d5d2c774a0

b1b5046988f030694c9e4a29e8b61990ac1e4da7a98f0c1fdb3906a60bcbcba0

b3f6afb079d5d25bea3a043d033091d5a0a8fde399c900a6337bc5e1dd65d279

b73f062242ecaf86430950a2990dd69bc5080cfea2a1012efc7436d4a7a3a346

c7ecbd646727c85760706a61c2283909c13cb5cd80f51f3ce5af83ed438d293d

e5013497a297e36f89cc5dc3e369faf27bb9b88684cad53accad8b006433a6c5

+ 81 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1132 stealer

Link:

https://tria.ge/reports/220314-vdepdsaab3/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Vidar Stealer

Process spawned unexpected child process

Vidar

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cdac614b0ddd13a7de4b73ae76b8d351b63114677c1d40c70bf0d921ff1f6861

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample