MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce6cc42aa09da7448f7ba9a992584cdd69e76b3759edfabb1cfcadea4edf2abe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce6cc42aa09da7448f7ba9a992584cdd69e76b3759edfabb1cfcadea4edf2abe
SHA3-384 hash: 6ef6044129ab0fc1705124456f7ceaf62d42a112428cc276cd879a1e6ada365c048f3e5da970bae06a4f4549fb17de4e
SHA1 hash: fd9dbbda57b02ff92b00a636043efaf10b5ba3b6
MD5 hash: 9f8ad8037c1a22d0f1c0329c3340ec18
humanhash: montana-pip-coffee-ohio
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'470'608 bytes
First seen:2022-12-16 17:01:23 UTC
Last seen:2022-12-16 17:27:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f2c76418357be5cdc291649da90bd66 (5 x ArkeiStealer, 1 x RedLineStealer)
ssdeep 24576:BK2zcqHdKzg670sxJPgIO/eoFhEvTiWFBpXe0ZgbEyzrqybobBZy/MlCoy2aVMW:A2z7dk70sxJPgIO/e3vTJjLWQyz+yboW
Threatray 1'088 similar samples on MalwareBazaar
TLSH T10065AD40DFB0B692E3CE14F4BD35D2AF202668235F20554A6AD89EAFDABD4D30DC5742
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0cccad5d4acecf0 (1 x ArkeiStealer)
Reporter andretavare5
Tags:ArkeiStealer exe signed

Code Signing Certificate

Organisation:unknown
Issuer:unknown
Algorithm:sha256WithRSAEncryption
Valid from:2019-03-26T02:46:15Z
Valid to:2029-03-23T02:46:15Z
Serial number: e6af1549ef331a8c
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 46b3ba527644d693bdc2f346a732be696eb630ad03dd515924f882c634c69c4a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://91.213.50.68/files/install1.exe

Intelligence

File Origin
# of uploads :
10
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-16 17:01:55 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/23a34bf8-ddaa-4847-9f7b-abe69a4a4240

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/347058/
Detection(s):
SecuriteInfo.com.BScope.TrojanSpy.Stealer.3056.19328.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/639ca48cef9641a43886f037/reports/a1442a53-6717-4df0-9d67-186b71a9c54a/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9c0bb698-1f87-4cb7-a1ad-9729412f05ad
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1135875
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Self deletion via cmd or bat file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce6cc42aa09da7448f7ba9a992584cdd69e76b3759edfabb1cfcadea4edf2abe/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2022-12-16 17:02:08 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
9 of 26 (34.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zzwmikvatwtujd33vguzewcm3vu6o2zxlhw7voy47sw6utw7fk7a._file
Verdict:
malicious
Similar samples:
33a9c4f53a214003ac5a5415db060701bc53b271a670f03167cd01bc67fcf23a
ArkeiStealer
40d0734b985f3b131a175222639d0621b1f7f7a0f90674c676df80191fb215aa
ArkeiStealer
6eaa17442216edf6c184c03e3b7468922c1b6d59fbf419f811552e2e86e0bcfe
ArkeiStealer
a06867c5e8f32e4f33fc0455b26a792eb1647178918628765aec756c1a21c382
ArkeiStealer
ccd8f858057e8f7b43f3ae2490de946c65dab843514f0239bd9f50ba207fb8da
ArkeiStealer
ce3c6cc7e3d80c26246bb01b910992d8c77b1c3f30ec28b79346f15224a3c746
ArkeiStealer
cf7e87560e6226eca45aa85b0b0b7b0791c08a94c105e7263cd762a56b02154b
ArkeiStealer
e9dfa7091ae536608ed7d95240cb6abba1033e14af969d271c804edf477ea387
ArkeiStealer
+ 1'078 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221216-vj4kpshh6s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7fd1fffe-fbbc-4f04-b95b-4b1a19dc6b35
Unpacked files
SH256 hash:
ac7fed3310d8a822e93a5dc4b04ff242d827059278e300ae766c65d8dc32a8bd
MD5 hash:
7b788f4b7898fe67190b41dda9f5556e
SHA1 hash:
20e2d672d7a8a5cf56f7858f96e8061dfd49e469
Link:
https://www.unpac.me/results/030a3a4c-b382-4a63-ae5a-8e1460533b15/
SH256 hash:
ce6cc42aa09da7448f7ba9a992584cdd69e76b3759edfabb1cfcadea4edf2abe
MD5 hash:
9f8ad8037c1a22d0f1c0329c3340ec18
SHA1 hash:
fd9dbbda57b02ff92b00a636043efaf10b5ba3b6
Link:
https://www.unpac.me/results/030a3a4c-b382-4a63-ae5a-8e1460533b15/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce6cc42aa09da7448f7ba9a992584cdd69e76b3759edfabb1cfcadea4edf2abe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/347058/

Comments