MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebf487d463e3e54459f57c250c9ad14b571d1b1d08979f9ef3039bde9e491f58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebf487d463e3e54459f57c250c9ad14b571d1b1d08979f9ef3039bde9e491f58
SHA3-384 hash: 9db533b394f4cd65bca5a0fda39d0687ecc160fdd2e3434cb300ae0446b0dd9fb230ce05a45fd68b61aa24a3cae682d9
SHA1 hash: f91566948a611619c6e26b88cc892544bc9714a7
MD5 hash: c47170812c4a50c035b4201efc2c5496
humanhash: july-wolfram-spring-charlie
File name:c47170812c4a50c035b4201efc2c5496.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:714'240 bytes
First seen:2021-09-20 17:59:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d0a8c3f24685503ba25bd76f34c13b9e (8 x RedLineStealer, 3 x RaccoonStealer, 2 x DanaBot)
ssdeep 12288:v6Gf8ZaSrSPaITS2K/ZbG1/ntJkkwsEmrXUyjBftSyQo5xHI:vX8jrlcEZMndwszr5Qf8xH
Threatray 157 similar samples on MalwareBazaar
TLSH T1B2E4F120A6A0C035F4B752B459BAB3A8792DFD716B23C0CF12D226DE66386D4DC3175B
File icon (PE):PE icon
dhash icon 9824e7d0c4e72158 (35 x RedLineStealer, 23 x Smoke Loader, 14 x ArkeiStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c47170812c4a50c035b4201efc2c5496.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 18:02:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fbaa5916-a473-43a3-b0a9-5abb245b2ba5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189565/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.6552.21150.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a5a8a92-4e5b-40f5-bace-e7351e5fd3e2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/854331
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ebf487d463e3e54459f57c250c9ad14b571d1b1d08979f9ef3039bde9e491f58/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 18:00:20 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5p2ipvdd4psuiwpvpqsqzgwrjnlr2gy5bclz7hxtaon55hsjd5ma._file
Verdict:
malicious
Similar samples:
27f1cb676fd7024b4fb99e610372d4434c598feae92decc398c86a91915dfc43
ArkeiStealer
461a8adf2ceed23fc21c2d8b0a45d9dd91d2d9f0af62b3f8850f8d2920d8b7f9
ArkeiStealer
68057c01ea50c5514b856ded8170ba2285ad782f71c27bcc87cb9aaf91da3166
ArkeiStealer
7b0409caebe92c8b64a6f3b3f071bf7829eb98e4904d077b291695e2b2619413
ArkeiStealer
7b603dd82cb87eca59e93b2cd9c0eb8e613339097b23ac07daa9220a2eb4a7b4
ArkeiStealer
95cc8eb2e2e0064a0788032bec3c3bdcbd4edef6b0952e071d5dac5b29f6e51f
ArkeiStealer
b83c933c2216e6b6251fec84fdcce2f341f20f52934977355331cf3a140b83c5
ArkeiStealer
bb5a82d435e5b35379d83d69c5c9ff7881b1963a8480b9b15193245927fd55f8
ArkeiStealer
c25818485a3fe4e6728db023c55168a494810364ffa1421995a1e13309a61c2a
ArkeiStealer
c456fe04ee50e4816038ca556e02ec2adae117665d9874dac92d64bd1899d904
ArkeiStealer
+ 147 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1008 stealer
Link:
https://tria.ge/reports/210920-wlcenshdek/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Vidar Stealer
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://petrenko96.tumblr.com/
Unpacked files
SH256 hash:
afbced77762d814a12d80286c5744519541c4836a0c7464c6b4f9e166d474990
MD5 hash:
5cecd28e592ff348a9ac717a1e557a4f
SHA1 hash:
a82750b90b40eb6b583cb6bf97b8a02b8219f730
Link:
https://www.unpac.me/results/a8379ef7-5f7b-44dc-b561-3462e2d185e6/
SH256 hash:
ebf487d463e3e54459f57c250c9ad14b571d1b1d08979f9ef3039bde9e491f58
MD5 hash:
c47170812c4a50c035b4201efc2c5496
SHA1 hash:
f91566948a611619c6e26b88cc892544bc9714a7
Link:
https://www.unpac.me/results/a8379ef7-5f7b-44dc-b561-3462e2d185e6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ebf487d463e3e54459f57c250c9ad14b571d1b1d08979f9ef3039bde9e491f58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe ebf487d463e3e54459f57c250c9ad14b571d1b1d08979f9ef3039bde9e491f58

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/189565/
  
URLhaus
https://urlhaus.abuse.ch/url/1584973/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1586513/

Comments