MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 138ed0d540b78da8f5dd520d84efc55e924a321dfc05312d512065f4a7d8ac1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 138ed0d540b78da8f5dd520d84efc55e924a321dfc05312d512065f4a7d8ac1c
SHA3-384 hash: 924db1b6b3c56867669fdc4fc1bb1cb70f76198ac9cb29f8b02ace7c84ba741d4af459c3ce17d383007e23a4ea02c9b1
SHA1 hash: c5d6bec5989bb15286df0bcfba41cb5dd9f9df34
MD5 hash: 1f7324d4de9523591836011c357d7479
humanhash: florida-may-batman-dakota
File name:1F7324D4DE9523591836011C357D7479.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:8'367'284 bytes
First seen:2021-03-25 21:10:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dbb1eb5c3476069287a73206929932fd (27 x NetSupport, 1 x Retefe, 1 x ArkeiStealer)
ssdeep 196608:4l8ChbYfAf0QKWS/JMCafKdxg+DKBABwJk/CSETR7x6j7:vCUNNWS/JM6Lg+XBFETxx6f
Threatray 49 similar samples on MalwareBazaar
TLSH 6E8633B2738D90F9E5B431707DEA2E8C926CEC24C8797E4F23C183196E79AD1B765412
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://ciaociaoline.com/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://ciaociaoline.com/ https://threatfox.abuse.ch/ioc/5151/

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1F7324D4DE9523591836011C357D7479.exe
Verdict:
Malicious activity
Analysis date:
2021-03-25 21:14:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d2f9ea01-cf4c-47dd-bcbc-b605726053f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FakeAV.VXC.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Reading critical registry keys
Sending a UDP request
Creating a process with a hidden window
Replacing files
Delayed writing of the file
Running batch commands
Using the Windows Management Instrumentation requests
Launching a process
Searching for analyzing tools
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Launching a tool to kill processes
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/654532
Signature
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 376201 Sample: KsNar1S9Ao.exe Startdate: 25/03/2021 Architecture: WINDOWS Score: 100 108 api.ip.sb 2->108 110 checkip.us-east-1.prod.check-ip.aws.a2z.com 2->110 112 2 other IPs or domains 2->112 134 Multi AV Scanner detection for domain / URL 2->134 136 Antivirus detection for dropped file 2->136 138 Multi AV Scanner detection for submitted file 2->138 140 8 other signatures 2->140 11 KsNar1S9Ao.exe 11 2->11         started        14 Windows Host.exe 2->14         started        16 Windows Host.exe 2->16         started        signatures3 process4 file5 82 C:\Users\user\Desktop\p4.exe, PE32 11->82 dropped 84 C:\Users\user\Desktop\p2.exe, PE32 11->84 dropped 86 C:\Users\user\Desktop\p1.exe, PE32 11->86 dropped 88 2 other files (1 malicious) 11->88 dropped 18 handler.exe 58 11->18         started        process6 file7 64 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 18->64 dropped 66 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 18->66 dropped 68 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 18->68 dropped 70 49 other files (none is malicious) 18->70 dropped 21 handler.exe 1 18->21         started        24 conhost.exe 18->24         started        process8 dnsIp9 114 104.21.57.186, 443, 49708 CLOUDFLARENETUS United States 21->114 116 estrix.xyz 172.67.165.117, 443, 49705, 49706 CLOUDFLARENETUS United States 21->116 26 p1.exe 16 6 21->26         started        31 p2.exe 87 21->31         started        33 p3.exe 19 21->33         started        35 p4.exe 21->35         started        process10 dnsIp11 120 mightydollars.xyz 104.21.72.188, 443, 49717 CLOUDFLARENETUS United States 26->120 90 C:\ProgramData\7720320.84, PE32 26->90 dropped 92 C:\ProgramData\6376722.70, PE32 26->92 dropped 94 C:\ProgramData\4836897.53, PE32 26->94 dropped 158 May check the online IP address of the machine 26->158 37 7720320.84 26->37         started        42 6376722.70 26->42         started        44 4836897.53 26->44         started        122 ciaociaoline.com 78.46.142.223, 49712, 80 HETZNER-ASDE Germany 31->122 130 2 other IPs or domains 31->130 96 C:\Users\user\AppData\...\softokn3[1].dll, PE32 31->96 dropped 98 C:\Users\user\AppData\...\freebl3[1].dll, PE32 31->98 dropped 106 10 other files (none is malicious) 31->106 dropped 160 Detected unpacking (changes PE section rights) 31->160 162 Detected unpacking (overwrites its own PE header) 31->162 164 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->164 170 4 other signatures 31->170 46 cmd.exe 31->46         started        124 101.36.107.74, 49711, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 33->124 100 C:\Users\user\Documents\...\p3.exe, MS-DOS 33->100 dropped 166 Drops PE files to the document folder of the user 33->166 168 Tries to harvest and steal browser information (history, passwords, etc) 33->168 126 iplogger.org 35->126 128 uehge4g6gh.2ihsfa.com 207.246.80.14, 49719, 49724, 49725 AS-CHOOPAUS United States 35->128 132 6 other IPs or domains 35->132 102 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 35->102 dropped 104 C:\Users\user\AppData\Local\Temp\haleng.exe, PE32 35->104 dropped 48 jfiag3g_gg.exe 35->48         started        50 jfiag3g_gg.exe 35->50         started        52 jfiag3g_gg.exe 35->52         started        54 3 other processes 35->54 file12 signatures13 process14 dnsIp15 118 stonehamm3r.xyz 172.67.204.200, 443, 49718 CLOUDFLARENETUS United States 37->118 72 C:\ProgramData\41\vcruntime140.dll, PE32 37->72 dropped 74 C:\ProgramData\41\sqlite3.dll, PE32 37->74 dropped 76 C:\ProgramData\41\softokn3.dll, PE32 37->76 dropped 80 4 other files (none is malicious) 37->80 dropped 142 Antivirus detection for dropped file 37->142 144 Multi AV Scanner detection for dropped file 37->144 146 Detected unpacking (changes PE section rights) 37->146 154 3 other signatures 37->154 148 Query firmware table information (likely to detect VMs) 42->148 150 Tries to detect sandboxes and other dynamic analysis tools (window names) 42->150 152 Machine Learning detection for dropped file 42->152 156 3 other signatures 42->156 78 C:\ProgramData\...\Windows Host.exe, PE32 44->78 dropped 56 Windows Host.exe 44->56         started        58 conhost.exe 46->58         started        60 taskkill.exe 46->60         started        62 timeout.exe 46->62         started        file16 signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/138ed0d540b78da8f5dd520d84efc55e924a321dfc05312d512065f4a7d8ac1c/
Threat name:
Win32.Infostealer.Passteal
Create hunting rule
Status:
Malicious
First seen:
2021-03-23 02:56:42 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cohnbvkaw6g2r5o5kigyj36fl2jeumq57qctclkrebs7jj6yvqoa._file
Verdict:
malicious
Similar samples:
06eeeac97751699903c4751be6fce5d4d453e25830e8a02cc118f41d592308c9
ArkeiStealer
24d6774c1e91ab5d03b2bc857f8f35534acbc8f4ed8aaf802372588638100cb4
ArkeiStealer
260809d850f42fd71f5ddff0bf68a241a82595aa062d82fa5ca6c7bf8076ad15
ArkeiStealer
2ce89d5d8b680b72063d34470ff0e9b77075e25056bd0a50899c06e193fe2452
ArkeiStealer
470ffa493e7716c84c02bcf84c1cde3116160f3904d1166c7da3defa4fad5f94
ArkeiStealer
4ddfd623ef499cb59cd55be3a72e22acefb23488d1631692baaff001471b2bea
ArkeiStealer
554b54dd18ef35af4bfe0f065f0310a29a3ae19bfc518bc50be481744aaa01fe
ArkeiStealer
62842cffd1c663ac2b2abe85a9fd482fcffc1c2e0683d1a536d8791b9f99cd3b
ArkeiStealer
e68a310f4d4a1a9d76c462cf0404a702bc138296a1badd2a7728656b3757c254
ArkeiStealer
eb9a70ac0d1f7c413f10f5308bda81e1da5a9b5bfd2ab7c8d89232eada71c143
ArkeiStealer
+ 39 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar discovery evasion infostealer persistence pyinstaller spyware stealer themida trojan upx
Link:
https://tria.ge/reports/210325-3c86vmbqaj/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
themida
Executes dropped EXE
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
Vidar
Unpacked files
SH256 hash:
138ed0d540b78da8f5dd520d84efc55e924a321dfc05312d512065f4a7d8ac1c
MD5 hash:
1f7324d4de9523591836011c357d7479
SHA1 hash:
c5d6bec5989bb15286df0bcfba41cb5dd9f9df34
Link:
https://www.unpac.me/results/2e444c9f-386a-4c61-9d77-8d5d338464fc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Scar
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/138ed0d540b78da8f5dd520d84efc55e924a321dfc05312d512065f4a7d8ac1c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments