MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea8c332279f6b57a1f7b435bb2e6893a300116f2c5e820630a31b41eeb124964. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea8c332279f6b57a1f7b435bb2e6893a300116f2c5e820630a31b41eeb124964
SHA3-384 hash: a9d89cd69621ff23f07b62afbcd5bba620ee71f2c637ec49f453583c5cfa0980aed8fd30bb14626dedaf373ef24a5d8d
SHA1 hash: 3b514a5bcaf18a6eea0b0e4b73d9977c4c8fb865
MD5 hash: 38670867ac5939b21b2807807966fcc7
humanhash: earth-nine-robin-finch
File name:38670867ac5939b21b2807807966fcc7
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:410'112 bytes
First seen:2022-07-14 07:02:50 UTC
Last seen:2022-07-14 10:09:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1a4f23e91afbe6769e9bf6b424a59b6d (3 x ArkeiStealer)
ssdeep 12288:HYkQ3L0OU/BE9O8nVHS2dEz//DJvJyUEq:JX/BEO2dEzHDZJy7q
Threatray 4'536 similar samples on MalwareBazaar
TLSH T19294BE10BA90C435F5B712F84AB69368B93E3AA1577490CF63D91AEE47346E0EC3135B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b6dacabecee6baa6 (72 x Stop, 68 x RedLineStealer, 55 x Smoke Loader)
Reporter openctibr
Tags:ArkeiStealer exe OpenCTI.BR Sandboxed

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/288702/
Detection(s):
Win.Packed.Pwsx-9954566-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62cfbfc43ec0b06899788ad5/reports/297d0cc1-8f46-4552-aa96-f1c4d17aa040/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1031553
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea8c332279f6b57a1f7b435bb2e6893a300116f2c5e820630a31b41eeb124964/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-07-03 18:34:33 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5kgdgitz622xuh33inn3fzujhiyacfxsyxucayykgg2b52ysjfsa._file
Verdict:
malicious
Similar samples:
045e5ff06628f4d38cdcf2f09b51f122691c3c012fe4f1277a414e71c1dc1168
ArkeiStealer
4b9c3f97058d275a2bf4ee013ec4d99ef91c8470f08269a7341212404098e3f0
ArkeiStealer
594acba68fec8156b81fc9d049041012c5e296738d247dfa85fc6d77f418ebef
ArkeiStealer
752125cf8e65610b3643591b04a4f10bdb805929a8a90500b3e1d188ce2f8ded
ArkeiStealer
839f3c45e51af32450e7f1ae966fc9fde7eb41115e77e6cbb49771dc49a8b0dc
ArkeiStealer
8941448f32966c561aad283d8c3aa5e814429bc35f112b4257d5fcf18e902d49
ArkeiStealer
abbf182f0973c3b988241626f82c82ab2d75e6f5f05bde00138074d9579b7645
ArkeiStealer
c6d30b29aef0b3adc7a385daa826012f821a267f11a1b6e797eb376de3a678b9
ArkeiStealer
fb0ecd1b84070564676f8ccfa6f92b2635db737cde63d28494f45ff52ab920bf
ArkeiStealer
+ 4'526 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1448 stealer
Link:
https://tria.ge/reports/220714-hvdr7sedf2/
Behaviour
Modifies system certificate store
Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://t.me/ch_inagroup
https://mastodon.social/@olegf9844e
Unpacked files
SH256 hash:
3fd144b1df08dd9e3a157a35a9cfee34265b950337367ecafc5d14090818bd61
MD5 hash:
663181e1d62882de03fb57f1cadb4fe1
SHA1 hash:
bd6d71724f146e5adbddec18d968247d504998c8
Link:
https://www.unpac.me/results/70a9c3bb-1d3d-4a31-96ec-64a1361b051a/
SH256 hash:
ea8c332279f6b57a1f7b435bb2e6893a300116f2c5e820630a31b41eeb124964
MD5 hash:
38670867ac5939b21b2807807966fcc7
SHA1 hash:
3b514a5bcaf18a6eea0b0e4b73d9977c4c8fb865
Link:
https://www.unpac.me/results/70a9c3bb-1d3d-4a31-96ec-64a1361b051a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea8c332279f6b57a1f7b435bb2e6893a300116f2c5e820630a31b41eeb124964

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe ea8c332279f6b57a1f7b435bb2e6893a300116f2c5e820630a31b41eeb124964

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2237500/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/288702/

Comments