MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf1e04b5bdcdea701bcccd48ad40f5cd709e059ba35d935b821d6808e0fecd14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf1e04b5bdcdea701bcccd48ad40f5cd709e059ba35d935b821d6808e0fecd14
SHA3-384 hash: 5944682dda68606f096d8bdd7b74119a86ddbd9beb036fc92dfb6bb4514442845f69de1b4e762222386436f60e2d7461
SHA1 hash: 5ebafd1d768de88f97f82f5190b3a1f13761e32e
MD5 hash: d57205b8fc2868a73b2e85a1e89162c7
humanhash: mike-may-fish-east
File name:file.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:413'184 bytes
First seen:2023-05-13 06:06:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ee2cc8de8216a98a04e64dc8ea701849 (1 x ArkeiStealer, 1 x RedLineStealer, 1 x Smoke Loader)
ssdeep 6144:G79/LJshkr0m+Ox9F3buue6yxfrUur+eEIDB+riRUVRU:Gp9shkriOXVe6mCHIDSiRCRU
Threatray 140 similar samples on MalwareBazaar
TLSH T14094AF0392E26C51E5674A73BE2EC2E4362EB1604F5967BB13249E2F18B01F1D673B13
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 00020d2919130b89 (1 x ArkeiStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-05-13 06:08:49 UTC
Tags:
stealer arkei vidar
Link:
https://app.any.run/tasks/7713a391-0ae3-43e3-b7a5-0435e6eabfa1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/388827/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Searching for synchronization primitives
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/645f2908446f9ce94a659642/reports/3a0aef41-b3f5-47d4-a1fb-66aff95819e4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cf1e04b5bdcdea701bcccd48ad40f5cd709e059ba35d935b821d6808e0fecd14
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42b2a58b-93c1-4c83-9c2d-39b0f38fc5ed
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1232009
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf1e04b5bdcdea701bcccd48ad40f5cd709e059ba35d935b821d6808e0fecd14/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2023-05-13 06:07:08 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z4pajnn5zxvhag6mzvek2qhvzvyj4bm3unozgw4cdvuaryh6zuka._file
Verdict:
malicious
Similar samples:
0b51b2819a128abdfab0006900667b5e05329aa0416445c43db76e2f503b92ff
ArkeiStealer
0da9becd4c6f6af2eb648a057cefb53d17cb2f468503a77d49d5e5f63d16d30c
ArkeiStealer
0f99eef3431f8f04eef23ccab335afcd7129e1ca69728ba2bfc929de3010e402
ArkeiStealer
13eb578533117f116142d75633ad3f5fcd8366a145da5e60754139fefd495e98
ArkeiStealer
2068c94f118c1921f4333d97935e35ce175803820c44444277563fe0f82398fb
ArkeiStealer
331952066aee8437403773b213a4b7ebee56e905929e86432c4a7623f05ac79a
ArkeiStealer
9b7720640ea927b47581425a91027c4f5eb4871c7b00bc86ce39079e789bcbf8
ArkeiStealer
afd33d4aa80a47b1cf9bb0ea15ba7cedee6dbd453aca2c7bce5fa59d04143363
ArkeiStealer
e0c350a16bb3fec4d9306d413e93241c733412f14cbdc9a4e95e9f973aa1bcff
ArkeiStealer
ee5e1cf8922e2c866beb155a2227d47e98bf31e35507ee135a7c8b1f9a3413ba
ArkeiStealer
+ 130 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:d8958658dc9e134f3763d2801e6c3d03 discovery spyware stealer
Link:
https://tria.ge/reports/230513-gvbgeahg9x/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561198272578552
https://t.me/libpcre
Unpacked files
SH256 hash:
d695eeb7564fbd4aed1e6a1565e44c63c63a0cf56b7c551ad49f830ea1e097dc
MD5 hash:
2b451ca06d1d0451edf19fd525933976
SHA1 hash:
0a46ce0cd05256a47a7b278153f593e9dc33f0f2
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/5e8c4e70-943d-4ec8-9485-85b08e6de56a/
Parent samples :
cf1e04b5bdcdea701bcccd48ad40f5cd709e059ba35d935b821d6808e0fecd14
4c89e04ebf04b92bcd16357f0423fb3b5aad86c2f937df0afadc452fddcf8c80
SH256 hash:
cf1e04b5bdcdea701bcccd48ad40f5cd709e059ba35d935b821d6808e0fecd14
MD5 hash:
d57205b8fc2868a73b2e85a1e89162c7
SHA1 hash:
5ebafd1d768de88f97f82f5190b3a1f13761e32e
Link:
https://www.unpac.me/results/5e8c4e70-943d-4ec8-9485-85b08e6de56a/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cf1e04b5bdcd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/388827/

Comments