MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf7e87560e6226eca45aa85b0b0b7b0791c08a94c105e7263cd762a56b02154b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf7e87560e6226eca45aa85b0b0b7b0791c08a94c105e7263cd762a56b02154b
SHA3-384 hash: 4ef0086881a7c1bce066292a6c015f6b368f534aad58cd0e5bde25f2b2b43fd45bc1592963b474b820af929c143bd102
SHA1 hash: 7078aadc464f7ebfadea00fd6ea7795623c3470b
MD5 hash: f7abe6e19c02217cb7aaa08438e3d0ba
humanhash: single-kilo-florida-bulldog
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'490'576 bytes
First seen:2022-12-16 21:01:56 UTC
Last seen:2022-12-16 23:30:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f2c76418357be5cdc291649da90bd66 (5 x ArkeiStealer, 1 x RedLineStealer)
ssdeep 24576:0gYIGiRuPNrjDIg3ouUXbpRQkm/HSxqoD15glqYIzQmtAEfhvNsDmtyDi6nEa:0gYI/uPxj8g3ouUXdRAHSwoD15pYJmtc
Threatray 1'088 similar samples on MalwareBazaar
TLSH T193656018314FFA93D6C8BC31AB6B7BFA69C21F54394C888DB2637D150D703506A16BB9
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9633e1d2d8cd311e (1 x ArkeiStealer)
Reporter andretavare5
Tags:ArkeiStealer exe signed

Code Signing Certificate

Organisation:unknown
Issuer:unknown
Algorithm:sha256WithRSAEncryption
Valid from:2019-03-26T02:46:15Z
Valid to:2029-03-23T02:46:15Z
Serial number: e6af1549ef331a8c
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 3bbc2924b5eaf1b27c30d4b274117a842f8e5a12d88d1ea4607f0783da39015e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://91.213.50.68/files/install1.exe

Intelligence

File Origin
# of uploads :
63
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-16 21:02:29 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/b49b55d7-e484-4f9e-ba4b-18dbbb224ffe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/347110/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.20975.12027.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/639cdccbe0ca3e0946e98f19/reports/7bc31e89-da35-4fb1-952f-c00423768471/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/62dc8408-049e-4873-8eaa-266f396411f2
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1135977
Signature
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Self deletion via cmd or bat file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf7e87560e6226eca45aa85b0b0b7b0791c08a94c105e7263cd762a56b02154b/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2022-12-16 21:02:09 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
8 of 26 (30.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z57iovqomitozjc2vbnqwc33a6i4bcuuyec6ojr425rkk2yccvfq._file
Verdict:
malicious
Similar samples:
33a9c4f53a214003ac5a5415db060701bc53b271a670f03167cd01bc67fcf23a
ArkeiStealer
40d0734b985f3b131a175222639d0621b1f7f7a0f90674c676df80191fb215aa
ArkeiStealer
6eaa17442216edf6c184c03e3b7468922c1b6d59fbf419f811552e2e86e0bcfe
ArkeiStealer
a06867c5e8f32e4f33fc0455b26a792eb1647178918628765aec756c1a21c382
ArkeiStealer
ccd8f858057e8f7b43f3ae2490de946c65dab843514f0239bd9f50ba207fb8da
ArkeiStealer
ce3c6cc7e3d80c26246bb01b910992d8c77b1c3f30ec28b79346f15224a3c746
ArkeiStealer
ce6cc42aa09da7448f7ba9a992584cdd69e76b3759edfabb1cfcadea4edf2abe
ArkeiStealer
e9dfa7091ae536608ed7d95240cb6abba1033e14af969d271c804edf477ea387
ArkeiStealer
+ 1'078 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221216-zve4psae5t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Gathering data
Unpacked files
SH256 hash:
d798dc686de47a25b5e7efaa01586c84e1615e0c843967892a5dd22679c16a7b
MD5 hash:
b47ed8151d47e6c0dffebb10ad31673a
SHA1 hash:
b6259a58ba2b6cdb9fe11bc59cf992a02cb17ab7
Link:
https://www.unpac.me/results/da0f1491-4069-4d03-a0c8-6b1eaa5b2f9b/
SH256 hash:
cf7e87560e6226eca45aa85b0b0b7b0791c08a94c105e7263cd762a56b02154b
MD5 hash:
f7abe6e19c02217cb7aaa08438e3d0ba
SHA1 hash:
7078aadc464f7ebfadea00fd6ea7795623c3470b
Link:
https://www.unpac.me/results/da0f1491-4069-4d03-a0c8-6b1eaa5b2f9b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cf7e87560e62/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf7e87560e6226eca45aa85b0b0b7b0791c08a94c105e7263cd762a56b02154b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/347110/

Comments