MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry: ArkeiStealer

Vendor detections: 13

SHA256 hash: 280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
SHA3-384 hash: 20e4bdc84dda63704744356af084552b7df268e6ea4df608f4d37ce7e220e739b13620efd3d6abae798d2202f3449d99
SHA1 hash: e68f3e3bf13589534534775314f0a8d0c9ae260f
MD5 hash: d95bc24372683e79b6e64692fec36ce7
humanhash: carolina-robert-mobile-missouri
File name: 280C314B18DDF2481C1173C653ACF508262E0AD3DBF2D.exe
Signature: ArkeiStealer
File size: 3'310'434 bytes
First seen: 2022-10-07 19:50:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xYqdUDZvPnnmRaR7TIndd4HNb3h30VVcCvLUBsKZ3yEE:xpYnKaRvInYtb3NevLUCKoEE
TLSH: T101E53370BBCBC0F6E64151B19A0A1BF2E1BCC3C81A754AD7B340550E5F298B1B66B85F
TrID: 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: ArkeiStealer exe


abuse_ch:
ArkeiStealer C2:
http://en.xml-post.xyz/xC0m3/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                        ThreatFox reference
http://en.xml-post.xyz/xC0m3/index.php     https://threatfox.abuse.ch/ioc/872206/
http://en.eredirected.xyz/xC0m3/index.php  https://threatfox.abuse.ch/ioc/872207/

Intelligence


File Origin
# of uploads: 1
# of downloads: 392
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Sending a custom TCP request
Moving a file to the %temp% subdirectory
Running batch commands
DNS request
Searching for synchronization primitives
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Nymaim, PrivateLoader, SmokeLoader, Vida
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 718561; sample 280C314B18DDF2481C1173C653A...; start date 07/10/2022; architecture WINDOWS; score 100). The rendered graph image is not recoverable; the process tree, contacted hosts, dropped files and signatures read from its flattened node text are:

Sample level: contacts t.me (may check the online IP address of the machine), 107.182.129.235 (META-ASUS, Reserved) and 9 other IPs or domains. Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 20 other signatures.
  280C314B18DDF2481C1173C653ACF508262E0AD3DBF2D.exe: drops C:\Users\user\AppData\...\setup_install.exe (PE32), C:\Users\user\AppData\Local\...\sahiba_8.txt (PE32+), C:\Users\user\AppData\Local\...\sahiba_7.txt (PE32) and 11 other files (10 malicious); starts setup_install.exe.
    setup_install.exe: contacts 127.0.0.1 (unknown) and watira.xyz; drops C:\Users\user~1\...\sahiba_8.exe (copy, PE32+), sahiba_7.exe (copy, PE32), sahiba_6.exe (copy, PE32) and 5 other malicious files; performs DNS queries to domains with low reputation; starts three cmd.exe instances and 7 other processes.
      cmd.exe -> sahiba_6.exe: contacts 212.193.30.115:80 (SPD-NETTR, Russian Federation), 37.0.11.8:80 (WKD-ASIE, Netherlands) and 15 other IPs or domains; drops C:\Users\...\vJr7yv5EIukxcGrMwKFm134R.exe (PE32), C:\Users\...\_1AujC5OmSKpDZ9AXc2W9Eea.exe (PE32), C:\Users\...\YK76Uc4xd8dcUPmB0pnj64EE.exe (PE32+) and 16 other malicious files. Signatures: drops PE files to the document folder of the user; may check the online IP address of the machine; creates HTML files with .exe extension (expired dropper behavior); disables Windows Defender real time protection (registry). Starts RHxojjVdKsoeTcRHI0VLcYvM.exe, MmESH7SJ1_z9lPBmaoKoxJlS.exe, H_cTUao8lr0qEiG2_46YMHjS.exe and 6 other processes.
        RHxojjVdKsoeTcRHI0VLcYvM.exe: contacts 163.123.143.4 (ILIGHT-NETUS, Reserved), 49.12.226.201 (HETZNER-ASDE, Germany) and 2 other IPs or domains; drops C:\Users\...\A4YfpKDC2gxg47Sqw0XYXd0K.exe, C:\Users\user\AppData\Local\...\WW14[1].exe and C:\...\PowerControl_Svc.exe (all PE32); drops PE files to the document folder of the user.
        MmESH7SJ1_z9lPBmaoKoxJlS.exe: drops C:\Users\user\AppData\...\mT4LgdFJCjP2.exe (PE32); detected unpacking (changes PE section rights; overwrites its own PE header).
        H_cTUao8lr0qEiG2_46YMHjS.exe: tries to harvest and steal browser information (history, passwords, etc).
        6 other processes: drop C:\Users\user\AppData\Local\...\SETUP_~1.EXE (PE32) and C:\Users\user\AppData\Local\...\CVy2bKEn.cpl (PE32); start two conhost.exe instances.
      cmd.exe -> sahiba_7.exe: drops C:\Users\user\AppData\Local\...\Compatto.rtf (ASCII); starts cmd.exe, which in turn starts cmd.exe and conhost.exe.
        cmd.exe: drops C:\Users\user\AppData\...\Triste.exe.com (PE32); obfuscated command line found; uses ping.exe to sleep; starts Triste.exe.com, findstr.exe and PING.EXE.
          Triste.exe.com -> Triste.exe.com: contacts XvFGsHKHPpgkvS.XvFGsHKHPpgkvS; drops C:\Users\user\AppData\Local\...\RegAsm.exe (PE32); starts RegAsm.exe.
            RegAsm.exe: contacts 193.56.146.36 (LVLT-10753US, unknown), eurekabike.com / 160.153.249.159 (GODADDY-AMSDE, United States) and 5 other IPs or domains.
      cmd.exe (obfuscated command line found; uses ping.exe to sleep; drops PE files with a suspicious file extension; uses ping.exe to check the status of other devices and networks) -> sahiba_1.exe -> sahiba_1.exe: contacts 192.168.2.1 (unknown) and 3 other IPs or domains; starts conhost.exe.
      7 other processes -> sahiba_5.exe: contacts 2 other IPs or domains; detected unpacking (changes PE section rights); performs DNS queries to domains with low reputation.
      7 other processes -> sahiba_4.exe: drops C:\Users\user\AppData\Local\...\sahiba_4.tmp (PE32); obfuscated command line found; starts sahiba_4.tmp.
        sahiba_4.tmp: contacts superstationcity.com / 194.163.135.248:80 (NEXINTO-DE, Germany) and requested404.com; drops C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32), C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32) and C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+).
      7 other processes -> sahiba_3.exe: contacts 2 other IPs or domains; detected unpacking (overwrites its own PE header).
      7 other processes -> 2 other processes: contact s.lletlee.com and 2 other IPs or domains; map a DLL or memory area into another process; check if the current machine is a virtual machine (disk enumeration); inject into explorer.exe.
Threat name: Win32.Packed.Confuser
Status: Malicious
First seen: 2021-07-28 21:50:40 UTC
File Type: PE (Exe)
Extracted files: 122
AV detection: 21 of 26 (80.77%)
Threat level: 1/5
Verdict: malicious

Result
Malware family:
Score: 10/10
Tags: family:nullmixer family:nymaim family:privateloader family:smokeloader family:vidar botnet:706 aspackv2 backdoor dropper evasion loader main persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Detects Smokeloader packer
Modifies Windows Defender Real-time Protection settings
NullMixer
NyMaim
PrivateLoader
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://watira.xyz/
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
https://xeronxikxxx.tumblr.com/
208.67.104.97
85.31.46.167
Unpacked files

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: 64939754308d10b596016bedc01b4c4d45ddce712435ccf738e9571551b70f71
MD5 hash: 0c90240d7ddd30bf1cdfa650a1f21ee3
SHA1 hash: ca60f66f95613785875456b4fb3b2c405edc7379

SHA256 hash: f3809c2693d85812d0ed4f06fd2af9f4299d7de6c1d57633c50bc74c1de21f4e
MD5 hash: 0a8ab9fed28f10d3980e2c13eff9a23c
SHA1 hash: 12fe116ab580975ca777febdba37021e13a51b27

SHA256 hash: c916a8706f49a43b43cd58dd129234541fcc8642ca0d3014010a50d45f1bab40
MD5 hash: 9d69fe12fa6d4e6f0ddbc06a6fc462df
SHA1 hash: b1b41c900cde2da580efdbd10cd33dd4deed5993

SHA256 hash: 71f5bb7d9ace05cfb89e95843499c1c19ca1d6c8b1cd66561d24ceb9ffa94862
MD5 hash: 7a99d0912a3371081b8a866c6ff48351
SHA1 hash: 6b1d33d1afec238f49a23be639790145ee0b3dfd
Detections: PrivateLoader win_privateloader_w0 win_privateloader_auto win_privateloader_a0

SHA256 hash: bfebe04424e0a8621eb53d2d6da9d5c969e4b94e33ea532bb70e9212869ee9eb
MD5 hash: 28ddc420be08a62b8da803d14d0bcb93
SHA1 hash: 587ca5df9f7fdd3c6915f801f8cd15057342193f

SHA256 hash: 066ac142f91210ed2fe55e8e7e2b06427c6929c2321205be76b87aa586d263a7
MD5 hash: e909471f2bf7157b1335d0b64538a83b
SHA1 hash: 2d47775d09ec88ff71da593fed536c8dc2dd6d37

SHA256 hash: 6ea92579c10ff6128399ec8092b44388da56b89e83103797601d334d6c866ca0
MD5 hash: f14bcba48fb3817154228ed4cf9df6cb
SHA1 hash: 26ae758142d6dd0d69d5f4ff127a0d9c633b6690

SHA256 hash: 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
MD5 hash: c0d18a829910babf695b4fdaea21a047
SHA1 hash: 236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256 hash: c8822c7fde8b5c3ef3746b8241f382f08738b9f1950defa9968b4b1330f0d1cb
MD5 hash: d19abb439bf8598f766ad6d9f7ba5be1
SHA1 hash: 40f086a844e9658ea6548be673dddf35ab190fe1

SHA256 hash: 8408abf4f64221a8092734b105f68138b47f50b051c8084607fade8b9e3e3a0b
MD5 hash: ac8ee0af6fa50dbd22db96a695c2e226
SHA1 hash: 5b7153d6d69d034dfaa5c24f344e8df984774f0a

SHA256 hash: 280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
MD5 hash: d95bc24372683e79b6e64692fec36ce7
SHA1 hash: e68f3e3bf13589534534775314f0a8d0c9ae260f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

File information


The table below shows additional information about this malware sample such as delivery method and external references.
