MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdd1ac2ccf205bcc0e8fecb0b117b809fcade0fcc0eba5f6b85a5dfc88443344. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdd1ac2ccf205bcc0e8fecb0b117b809fcade0fcc0eba5f6b85a5dfc88443344
SHA3-384 hash: 145c447500b75a3cdd857f00c5788f394085d40608240120d4b29af3f674c501164b0216759b3c9b0c872da262edcc4a
SHA1 hash: c427a514f70410dba47e5799f23bd511ce39ec14
MD5 hash: 5e968b323d6dc7777a4eb797c8b99ac1
humanhash: two-skylark-double-wisconsin
File name:5e968b323d6dc7777a4eb797c8b99ac1.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'103'872 bytes
First seen:2021-10-11 18:40:39 UTC
Last seen:2021-10-11 20:17:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:XWu5DVqymRic1W4c2vRMILLwStCOrMA0/lCrtvti:XWu7s1WDrOsStCfA0Itv
Threatray 4'061 similar samples on MalwareBazaar
TLSH T1653512CD721876DFC867C9726AA41CB9E6A074BB930F1643A45305FE9A4C887DF580F1
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5e968b323d6dc7777a4eb797c8b99ac1.exe
Verdict:
No threats detected
Analysis date:
2021-10-11 19:19:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/296f88b7-980e-4121-92c4-ce0ba2f26df8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196715/
Detection(s):
SecuriteInfo.com.Variant.Cerbu.116471.24577.3698.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Connection attempt to an infection source
Sending a TCP request to an infection source
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/616485439fb4d8593d61c127/reports/d71a2a09-9360-484b-b696-ee65e0174ea7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07ef1c26-5e59-4dae-addd-0fd9355f6a9c
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867822
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdd1ac2ccf205bcc0e8fecb0b117b809fcade0fcc0eba5f6b85a5dfc88443344/
Threat name:
ByteCode-MSIL.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 16:42:51 UTC
AV detection:
8 of 45 (17.78%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
14816f6846eec2f130ff1010f2c80dccfeda6b926f48a39ad89351d3c0ce73ef
ArkeiStealer
4922891e6b053807054a0c672b1c32ac287e9784200da2d6d75ef5c124da366e
ArkeiStealer
4a79bdb6cd4aa22e5a56ad766f1b0dd5e5d6d1b19ec2a42b6195f29afe943e88
ArkeiStealer
8e2498decf8c6a639d6f72f7e6221b0a8538ffc61b8f454806c7e36fe2b90eb4
ArkeiStealer
904c5e2719ea54377d1cc10d28fbf7e99dab11df5c143033d4c9b01b3bc8ee81
ArkeiStealer
938e2b2ee7af3e3dcb1e21f7dfb426f5bde3d715802d3b4bf07119f65c1e0fe6
ArkeiStealer
98d46fad42062e453d5b8dbcc1fa0173fef88c3d9d777fad9a604cb3fd30fb8c
ArkeiStealer
b044b5fc07f51f91be8fc7b7cc7fd9ce6595ea238951f94410eec6d364d75d59
ArkeiStealer
d025453a3fb7fff337bbe1d3d0b496db587c9aa57ef774a63e6c5b63b385d323
ArkeiStealer
fe7f352d558ba1ed571223801f1cedaff170819528bef1a9c49ae20fd90c75eb
ArkeiStealer
+ 4'051 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:921 discovery spyware stealer
Link:
https://tria.ge/reports/211011-xbrx2shhd2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://mas.to/@oleg98
Unpacked files
SH256 hash:
cdd1ac2ccf205bcc0e8fecb0b117b809fcade0fcc0eba5f6b85a5dfc88443344
MD5 hash:
5e968b323d6dc7777a4eb797c8b99ac1
SHA1 hash:
c427a514f70410dba47e5799f23bd511ce39ec14
Link:
https://www.unpac.me/results/73ee2b8f-f6eb-446b-870c-0087707292cd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cdd1ac2ccf20/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
vidar
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cdd1ac2ccf205bcc0e8fecb0b117b809fcade0fcc0eba5f6b85a5dfc88443344

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe cdd1ac2ccf205bcc0e8fecb0b117b809fcade0fcc0eba5f6b85a5dfc88443344

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1666411/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196715/

Comments