MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ac6d1275df2a3c1c7331666e29259aaecc303f6be32f9248c3c6bc5d2638e55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ac6d1275df2a3c1c7331666e29259aaecc303f6be32f9248c3c6bc5d2638e55
SHA3-384 hash: fc10bba06dd78884fbc8eb252ca9e44572e62d2ba3aaf53aa7ae3986d41832bfc1d1bf6ecf5fa1c8940fe6a61301dbf0
SHA1 hash: 4571b88d2a1676ec39cd22fe85924bee388bc9a6
MD5 hash: 6c7af21b8f75446e103cd942cb8b93b4
humanhash: uniform-april-minnesota-lactose
File name:6C7AF21B8F75446E103CD942CB8B93B4.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:8'192 bytes
First seen:2021-03-26 22:47:12 UTC
Last seen:2021-03-27 00:39:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 96:jP4DkFl6GlazMI27XlqWgzJ47SDrG4++64c1OPitqtA9DWsLV1QhzNt:jgY6GL71Ji47gd+h4+OPqqi9DWsLV+j
Threatray 583 similar samples on MalwareBazaar
TLSH 8EF1B914F7D88137E9F70A76AC6382915335FB46DC93979F15C9618BAE2271409B2332
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://data.parafia-strumiany.pl/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://data.parafia-strumiany.pl/ https://threatfox.abuse.ch/ioc/5527/

Intelligence

File Origin
# of uploads :
2
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pastebin Payload.exe
Verdict:
No threats detected
Analysis date:
2021-03-24 08:07:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9dc8f074-d5ec-497e-8e31-e0d231b6a2fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127215/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader38.9663.9993.17144.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Sending a UDP request
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a window
Deleting a recently created file
Sending an HTTP POST request
Creating a process with a hidden window
Reading critical registry keys
Running batch commands
Launching a process
Replacing files
Delayed writing of the file
Using the Windows Management Instrumentation requests
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Launching a tool to kill processes
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a4ffec3d-b520-457f-bdd5-fe2bc8a1cf46
Result
Threat name:
Vidar SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/655610
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected Info Stealer Vidar
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 376737 Sample: R2o3eEx5Zj.exe Startdate: 26/03/2021 Architecture: WINDOWS Score: 100 115 junntd.xyz 2->115 117 facebook.websmails.com 2->117 119 15 other IPs or domains 2->119 177 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->177 179 Multi AV Scanner detection for domain / URL 2->179 181 Found malware configuration 2->181 183 11 other signatures 2->183 12 R2o3eEx5Zj.exe 24 13 2->12         started        signatures3 process4 dnsIp5 139 privacytoolsforyou.site 195.123.214.146, 49707, 49817, 80 ITL-LV Bulgaria 12->139 141 www.investinae.com 12->141 143 8 other IPs or domains 12->143 99 C:\Users\...\yjonuynOSkqY4UkdkFeJNlJU.exe, PE32 12->99 dropped 101 C:\Users\...\lnLQHV0OqCFu110N1X1hXRcT.exe, PE32 12->101 dropped 103 C:\Users\...\cYo0cAJqem28LdeC2tS9cEFO.exe, PE32 12->103 dropped 105 7 other malicious files 12->105 dropped 199 Drops PE files to the document folder of the user 12->199 201 Creates multiple autostart registry keys 12->201 17 yjonuynOSkqY4UkdkFeJNlJU.exe 12->17         started        20 Pjrzqpx7gdziTxGzDvi3VC8E.exe 12->20         started        24 R6YQNuoX0rDDW113HAJ5iGe1.exe 87 12->24         started        26 7 other processes 12->26 file6 signatures7 process8 dnsIp9 151 Detected unpacking (changes PE section rights) 17->151 28 yjonuynOSkqY4UkdkFeJNlJU.exe 17->28         started        79 C:\ProgramData\...\screenshot.jpg, JPEG 20->79 dropped 81 C:\ProgramData\...\information.txt, ISO-8859 20->81 dropped 93 6 other files (none is malicious) 20->93 dropped 153 Detected Info Stealer Vidar 20->153 155 Detected unpacking (overwrites its own PE header) 20->155 157 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->157 173 2 other signatures 20->173 32 cmd.exe 20->32         started        127 data.parafia-strumiany.pl 157.90.227.5, 49725, 49730, 49735 REDIRISRedIRISAutonomousSystemES United States 24->127 129 api.faceit.com 104.17.62.50, 443, 49721, 49727 CLOUDFLARENETUS United States 24->129 83 C:\ProgramData\...\screenshot.jpg, JPEG 24->83 dropped 85 C:\ProgramData\...\information.txt, ISO-8859 24->85 dropped 95 6 other files (none is malicious) 24->95 dropped 159 Tries to steal Instant Messenger accounts or passwords 24->159 161 Tries to steal Mail credentials (via file access) 24->161 163 Tries to steal Crypto Currency Wallets 24->163 34 cmd.exe 24->34         started        131 iplogger.org 26->131 133 iplogger.org 26->133 135 9 other IPs or domains 26->135 87 C:\Users\user\AppData\Local\Temp\haleng.exe, PE32 26->87 dropped 89 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 26->89 dropped 91 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 26->91 dropped 165 Antivirus detection for dropped file 26->165 167 Machine Learning detection for dropped file 26->167 175 6 other signatures 26->175 36 cmd.exe 26->36         started        39 cmd.exe 26->39         started        41 6rClOL4a5ZtcEPuncbx8V31h.exe 26->41         started        43 5 other processes 26->43 file10 169 System process connects to network (likely due to code injection or exploit) 131->169 171 May check the online IP address of the machine 133->171 signatures11 process12 dnsIp13 97 C:\Users\user\AppData\Local\Temp\4DD3.tmp, PE32 28->97 dropped 187 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 28->187 189 Renames NTDLL to bypass HIPS 28->189 191 Maps a DLL or memory area into another process 28->191 197 2 other signatures 28->197 45 explorer.exe 28->45 injected 64 3 other processes 32->64 50 conhost.exe 34->50         started        52 taskkill.exe 34->52         started        54 timeout.exe 34->54         started        137 1.1.1.1 CLOUDFLARENETUS Australia 36->137 193 Uses ping.exe to sleep 36->193 195 Uses ping.exe to check the status of other devices and networks 36->195 56 conhost.exe 36->56         started        58 PING.EXE 36->58         started        60 conhost.exe 39->60         started        62 PING.EXE 39->62         started        file14 signatures15 process16 dnsIp17 145 junntd.xyz 85.226.6.5, 49756, 49768, 49769 TELENOR-NEXTELTelenorNorgeASNO Sweden 45->145 147 185.20.185.59, 49786, 80 DELTAHOST-ASUA Ukraine 45->147 149 16 other IPs or domains 45->149 107 C:\Users\user\AppData\Roaming\bidvsch, PE32 45->107 dropped 109 C:\Users\user\AppData\Local\Temp\50D1.exe, PE32 45->109 dropped 111 C:\Users\user\AppData\Local\Temp\44DA.exe, PE32 45->111 dropped 113 2 other files (none is malicious) 45->113 dropped 203 System process connects to network (likely due to code injection or exploit) 45->203 205 Benign windows process drops PE files 45->205 207 Hides that the sample has been downloaded from the Internet (zone.identifier) 45->207 66 cYo0cAJqem28LdeC2tS9cEFO.exe 45->66         started        71 R6YQNuoX0rDDW113HAJ5iGe1.exe 45->71         started        file18 signatures19 process20 dnsIp21 121 www.wws23dfwe.com 66->121 77 C:\Users\user\AppData\Local\...\Login Data1, SQLite 66->77 dropped 185 Tries to harvest and steal browser information (history, passwords, etc) 66->185 73 cmd.exe 66->73         started        123 data.parafia-strumiany.pl 71->123 125 api.faceit.com 71->125 file22 signatures23 process24 process25 75 conhost.exe 73->75         started       
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1ac6d1275df2a3c1c7331666e29259aaecc303f6be32f9248c3c6bc5d2638e55/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-03-24 10:05:44 UTC
AV detection:
9 of 29 (31.03%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dldncj256kr4drztcztofeszvlwmga7wxyzpsjemhrv4lutdrzkq._file
Verdict:
malicious
Similar samples:
0e18d0556776d09a6bb586125fedcb650df7090a0e2cdf2cd75ac04c5fec4ba1
ArkeiStealer
170ddb2583efd2402e84a7eb2c48754d978c8862e5c033fef9b7df34eadceb52
ArkeiStealer
2c2d88dbff1f9196148cc3c7501d4c45b05ef51887651b3bcdbb111fcc7a2ba2
ArkeiStealer
3419cd3aa1836577742af73aefa4d0fd5a198cbc4474af670408e6752f0dd89e
ArkeiStealer
3b3aab241be2a7755d61bea54971d730f81ca09017f8ef5bbabd7e0d59b9e092
ArkeiStealer
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
ArkeiStealer
b53a176429fc65629b41f4ec548a61fe2a2632d53f009b9bc29785cba315fe30
ArkeiStealer
cc693d1a82022a4cd51053b34035613174eb71b4ba079ac829c90ec5558c3f07
ArkeiStealer
f248c1126e5df87d708519ae34ac00c8820cc38ef3324745f08b85bdc71d6796
ArkeiStealer
fc3285382ad7f58ef51da1a1041f1b67710d1ffc5633133fc126af1804be7702
ArkeiStealer
+ 573 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:vidar botnet:afefd33a49c7cbd55d417545269920f24c85aa37 botnet:dd478ff8ed48e4864892644c2a5502e502f6869c backdoor discovery infostealer persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/210326-slqv9j7ape/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Modifies file permissions
Reads local data of messenger clients
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Raccoon
RedLine
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
http://xsss99.icu/upload/
http://bingooodsg.icu/upload/
http://junntd.xyz/upload/
http://ginessa11.xyz/upload/
http://overplayninsx.xyz/upload/
http://bananinze.com/upload/
http://daunimlas.com/upload/
Unpacked files
SH256 hash:
1ac6d1275df2a3c1c7331666e29259aaecc303f6be32f9248c3c6bc5d2638e55
MD5 hash:
6c7af21b8f75446e103cd942cb8b93b4
SHA1 hash:
4571b88d2a1676ec39cd22fe85924bee388bc9a6
Link:
https://www.unpac.me/results/c6c30059-30c2-457a-8861-ffd0bec63d7c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ac6d1275df2a3c1c7331666e29259aaecc303f6be32f9248c3c6bc5d2638e55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/127215/

Comments