MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8da10d6d1bc9983ce35416b130f9814e346ada4ea0117fe78b4805c26c96a72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 9



SHA256 hash: e8da10d6d1bc9983ce35416b130f9814e346ada4ea0117fe78b4805c26c96a72
SHA3-384 hash: 146c0f872aef45b9a55ae7bc4dc6b694dcb22aa0cf2937665db04a0a622346fbb25cf8fa64fcc3860261c2e2336dc135
SHA1 hash: 5c03c4a8934e1e154c12781bb8de77ee5e9879eb
MD5 hash: ccf44bab7e22f13f93f47ae06d318832
humanhash: march-failed-pennsylvania-uniform
File name: ccf44bab7e22f13f93f47ae06d318832.exe
Signature: ArkeiStealer
File size: 1'158'656 bytes
First seen: 2021-06-10 13:07:32 UTC
Last seen: 2021-06-10 13:55:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 12b930a1e7db8a579742052858d8f1c0 (2 x ArkeiStealer)
ssdeep: 24576:HJiV7EgaHMl0VhSvOYzERm/E+rOu5drbrS3Qw:HJ8dl0fSjIyE+rOuPb
Threatray: 1'084 similar samples on MalwareBazaar
TLSH: B135D022F2D08937CD732A398C5752585B26BE413924587A2FE82F4C5F797813B3B297
Reporter: abuse_ch
Tags: ArkeiStealer exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 142
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: ccf44bab7e22f13f93f47ae06d318832.exe
Verdict: Malicious activity
Analysis date: 2021-06-10 13:42:22 UTC
Tags: trojan stealer vidar loader
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour:
  Creating a window
  Sending a UDP request
  Launching the default Windows debugger (dwwin.exe)

Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Detection: malicious
Classification: troj.spyw
Score: 80 / 100
Signature:
  Country aware sample found (crashes after keyboard check)
  Found malware configuration
  Found many strings related to Crypto-Wallets (likely being stolen)
  Icon mismatch, binary includes an icon from a different legit application in order to fool users
  Machine Learning detection for sample
  Multi AV Scanner detection for submitted file
  Yara detected Vidar stealer

Result
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2021-06-10 13:08:15 UTC
AV detection: 18 of 29 (62.07%)
Threat level: 5/5

Result
Score: 10/10
Tags: family:vidar discovery spyware stealer
Behaviour:
  Checks processor information in registry
  Delays execution with timeout.exe
  Kills process with taskkill
  Modifies system certificate store
  NTFS ADS
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Program crash
  Suspicious use of SetThreadContext
  Accesses 2FA software files, possible credential harvesting
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Checks installed software on the system
  Deletes itself
  Loads dropped DLL
  Reads user/profile data of web browsers
  Executes dropped EXE
  Downloads MZ/PE file
  Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Unpacked files
SHA256 hash: e8da10d6d1bc9983ce35416b130f9814e346ada4ea0117fe78b4805c26c96a72
MD5 hash: ccf44bab7e22f13f93f47ae06d318832
SHA1 hash: 5c03c4a8934e1e154c12781bb8de77ee5e9879eb

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: ArkeiStealer
File type: Executable exe
SHA256 hash: e8da10d6d1bc9983ce35416b130f9814e346ada4ea0117fe78b4805c26c96a72 (this sample)
