MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 217db596785d9b7b31ed6c2333c654bf974810dc7ececfd19fcfbb695cfae622. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 217db596785d9b7b31ed6c2333c654bf974810dc7ececfd19fcfbb695cfae622
SHA3-384 hash: a9cbc475e238b091fa136e0ce794e705f986979f910540e038ae4e3436bc07271bfb5fe64cb35996c1ddb4307062ed9a
SHA1 hash: f3be7abb61428fe0ed1554c4d366f8407a9f0a33
MD5 hash: dad0cd9fe3c9a36e05e1d56bd6988685
humanhash: robert-mississippi-rugby-timing
File name:dad0cd9fe3c9a36e05e1d56bd6988685.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:761'344 bytes
First seen:2021-07-07 05:46:45 UTC
Last seen:2021-07-07 06:54:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash da5446b036e9ca50ec91ebae60e40a39 (2 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 12288:MS25qFjXZxLIaHckTo7phEpEih31izKoRXOS/wFkIHwM36FRzMfaYbEn7lo2zV8S:MS25mdxLjckU7phEpE+UOo0fHwM2Rof+
Threatray 338 similar samples on MalwareBazaar
TLSH B2F412527D95C433C69244B05838DBA0263AFC6B2466960BB698FB4F4F331D267FA353
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dad0cd9fe3c9a36e05e1d56bd6988685.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-07 05:47:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ff543509-3909-4c15-a797-4658005d7495

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170110/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46591248.12191.1529.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c6b23a89-c6f7-42ba-bb13-287e8edf1f6f
Result
Threat name:
Djvu Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812698
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445109 Sample: tCgQxi2KmS.exe Startdate: 07/07/2021 Architecture: WINDOWS Score: 100 83 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->83 85 Multi AV Scanner detection for domain / URL 2->85 87 Found malware configuration 2->87 89 8 other signatures 2->89 12 tCgQxi2KmS.exe 2->12         started        15 tCgQxi2KmS.exe 2->15         started        17 tCgQxi2KmS.exe 2->17         started        process3 signatures4 113 Detected unpacking (changes PE section rights) 12->113 115 Detected unpacking (overwrites its own PE header) 12->115 117 Contains functionality to inject code into remote processes 12->117 119 Writes many files with high entropy 12->119 19 tCgQxi2KmS.exe 1 18 12->19         started        121 Injects a PE file into a foreign processes 15->121 23 tCgQxi2KmS.exe 13 15->23         started        25 tCgQxi2KmS.exe 17->25         started        process5 dnsIp6 77 api.2ip.ua 77.123.139.190, 443, 49718, 49724 VOLIA-ASUA Ukraine 19->77 61 C:\Users\...\tCgQxi2KmS.exe:Zone.Identifier, ASCII 19->61 dropped 27 tCgQxi2KmS.exe 19->27         started        30 icacls.exe 19->30         started        file7 process8 signatures9 111 Injects a PE file into a foreign processes 27->111 32 tCgQxi2KmS.exe 1 23 27->32         started        process10 dnsIp11 71 astdg.top 179.38.57.175, 49726, 80 TelefonicadeArgentinaAR Argentina 32->71 73 dgos.top 135.181.250.8, 49727, 80 HETZNER-ASDE Germany 32->73 75 api.2ip.ua 32->75 53 C:\Users\user\AppData\Local\...\spartan.edb, DOS 32->53 dropped 55 C:\Users\user\...\UnistackCircular.etl, COM 32->55 dropped 57 C:\Users\user\AppData\Local\...\messages.json, COM 32->57 dropped 59 164 other files (156 malicious) 32->59 dropped 91 Tries to harvest and steal browser information (history, passwords, etc) 32->91 93 Infects executable files (exe, dll, sys, html) 32->93 95 Modifies existing user documents (likely ransomware behavior) 32->95 37 build2.exe 32->37         started        file12 signatures13 process14 signatures15 97 Detected unpacking (changes PE section rights) 37->97 99 Detected unpacking (overwrites its own PE header) 37->99 101 Machine Learning detection for dropped file 37->101 103 Injects a PE file into a foreign processes 37->103 40 build2.exe 37->40         started        process16 dnsIp17 79 sergeevih43.tumblr.com 74.114.154.22, 443, 49731 AUTOMATTICUS Canada 40->79 81 162.55.223.232, 49732, 80 ACPCA United States 40->81 63 C:\Users\user\AppData\...\softokn3[1].dll, PE32 40->63 dropped 65 C:\Users\user\AppData\...\freebl3[1].dll, PE32 40->65 dropped 67 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 40->67 dropped 69 9 other files (none is malicious) 40->69 dropped 105 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 40->105 107 Tries to harvest and steal browser information (history, passwords, etc) 40->107 109 Tries to steal Crypto Currency Wallets 40->109 45 cmd.exe 40->45         started        file18 signatures19 process20 process21 47 conhost.exe 45->47         started        49 taskkill.exe 45->49         started        51 timeout.exe 45->51         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/217db596785d9b7b31ed6c2333c654bf974810dc7ececfd19fcfbb695cfae622/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 04:40:24 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
22 of 46 (47.83%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0e55e17532909ad5ad34eb4e35d791b27c6951dd15a8baba34c29ae572c884d0
ArkeiStealer
4fc4936de4eb693ec57ae17e722c1c68e46afbc0c82f3c45d254c39571008f8b
ArkeiStealer
7c75df63bc40beca5ccf65db76c33539ee9f3468a4149e1a0c0bfd30949f4b4d
ArkeiStealer
869bd0ca39150a6e0f87609ca7e927211ba9cf636b69c33c3cd09db85922dd94
ArkeiStealer
99ee06f5fb4f0aa90678d6a6405d2d01138bcd128c6d2aabecda07c110361ba2
ArkeiStealer
a08affbf0b72b993cc827615ae916ae9eef32484c1252e3ab403ec091d28f5e0
ArkeiStealer
a3c074948f5e3d2b89f0035bbf7bd74b1a3ec0525dc1496b4463f55ef15f3521
ArkeiStealer
c97b731d2d70f964dbe2775fcf0fd7cf0d7ff68a0fdb31c3038a9c97ca4da6b4
ArkeiStealer
e9dda7fbf6815a714cac3c369a5c7f137db0c53b09a804db968612d17bed855b
ArkeiStealer
ed8a7ffec56f450a365e758012db092883bbd23565f3f9fbb004c189fb703de3
ArkeiStealer
+ 328 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:517 discovery persistence ransomware spyware stealer
Link:
https://tria.ge/reports/210707-wmt3cm6nz6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies extensions of user files
Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://sergeevih43.tumblr.com
Unpacked files
SH256 hash:
e5c2a756fb9d4b599bfa8826d5909e1ac862447e164ec015915037698c9b9233
MD5 hash:
f9e52237d90accade616b5131375fcdc
SHA1 hash:
07b6449521b4e1b8d50057e520403cdd65d36376
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/1c42f0d9-90c6-4ba9-8b71-224b0f176167/
Parent samples :
34ce0db0264cb552d28100353840f27bb546729685684bb80691e05afbfe2b26
a55632167d72b88cf7a2d5449a9a1badf9e7030ffaff386324405f0813f99d39
2027503755cd5d8fad6af24071640dd5cfa7925c980f22dd23ab2ca5b1b24391
d0da8d292459d68df7dbbd65379e80e970b79f93307f05aca7b95e967ad86d52
e9dda7fbf6815a714cac3c369a5c7f137db0c53b09a804db968612d17bed855b
217db596785d9b7b31ed6c2333c654bf974810dc7ececfd19fcfbb695cfae622
a08affbf0b72b993cc827615ae916ae9eef32484c1252e3ab403ec091d28f5e0
SH256 hash:
217db596785d9b7b31ed6c2333c654bf974810dc7ececfd19fcfbb695cfae622
MD5 hash:
dad0cd9fe3c9a36e05e1d56bd6988685
SHA1 hash:
f3be7abb61428fe0ed1554c4d366f8407a9f0a33
Link:
https://www.unpac.me/results/1c42f0d9-90c6-4ba9-8b71-224b0f176167/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/217db596785d9b7b31ed6c2333c654bf974810dc7ececfd19fcfbb695cfae622

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 217db596785d9b7b31ed6c2333c654bf974810dc7ececfd19fcfbb695cfae622

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1423741/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/170110/

Comments