MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a657c99025d05b2c5dddc0d7809644d1c3638977403ce62d16af9323e3c884e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a657c99025d05b2c5dddc0d7809644d1c3638977403ce62d16af9323e3c884e
SHA3-384 hash: a14d93d6f569154a87c1738a4f14a7a1d05d6c502668c5ae823cc9e23cc7043122c4ee5e5a7f0c6983e24239ce66088b
SHA1 hash: c1b6117afef721b5f798630031ee48a014033b0f
MD5 hash: d6687321a99faf81d8a0e0df030fb8ce
humanhash: fanta-monkey-hot-purple
File name:SecuriteInfo.com.Trojan.Siggen12.47248.30665.24228
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:72'704 bytes
First seen:2021-03-22 06:46:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:adTddyzeY8phVbizLDQ9ANxKeE3R4ekDlEJJJJJJJJJJJJJJJJJcgll3YELFBk69:3lJE464sseeQXJH4CfK/CUcgQIO
Threatray 638 similar samples on MalwareBazaar
TLSH 0763284132A8DA17C57852F5C07250F057BA6E01E571EACF2CDA7CCE7AF6B120B82A47
Reporter SecuriteInfoCom
Tags:ArkeiStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://juhjuh.com/ https://threatfox.abuse.ch/ioc/4395/

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://45.133.1.139/PlayerUI4.exe
Verdict:
Malicious activity
Analysis date:
2021-03-22 04:45:37 UTC
Tags:
evasion loader trojan stealer autoit vidar
Link:
https://app.any.run/tasks/23f83d99-2ca6-489b-ab56-90e0c6256710

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen12.47248.30665.24228.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Creating a file in the %AppData% directory
Sending an HTTP GET request
DNS request
Using the Windows Management Instrumentation requests
Creating a file
Creating a process from a recently created file
Connecting to a non-recommended domain
Sending a UDP request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Searching for the window
Delayed reading of the file
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Stealing user critical data
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e0f88e5c-4a29-4f4a-bb81-1b89b264025d
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/647349
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 372638 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 22/03/2021 Architecture: WINDOWS Score: 100 149 Found malware configuration 2->149 151 Malicious sample detected (through community Yara rule) 2->151 153 Antivirus detection for URL or domain 2->153 155 6 other signatures 2->155 12 SecuriteInfo.com.Trojan.Siggen12.47248.30665.exe 17 6 2->12         started        17 Microsoftk05PQuLkyY0PezjS pn VISEUpdater.exe 16 6 2->17         started        19 MicrosoftWkoGHiR9KfeVjRSvij8PnxUiUpdater.exe 2->19         started        21 3 other processes 2->21 process3 dnsIp4 129 108.167.143.77 UNIFIEDLAYER-AS-1US United States 12->129 131 92.63.99.163 THEFIRST-ASRU Russian Federation 12->131 139 13 other IPs or domains 12->139 91 C:\Users\...\whY79pNZnvLkM5hiJnJjwxwu.exe, PE32 12->91 dropped 103 2 other malicious files 12->103 dropped 173 Drops PE files to the document folder of the user 12->173 175 Creates multiple autostart registry keys 12->175 23 whY79pNZnvLkM5hiJnJjwxwu.exe 24 12->23         started        133 104.21.66.169 CLOUDFLARENETUS United States 17->133 135 104.23.99.190 CLOUDFLARENETUS United States 17->135 93 C:\Users\...\Kn2Lt7TO6DB2IcQIyiPoQwEh.exe, PE32 17->93 dropped 105 2 other malicious files 17->105 dropped 28 Kn2Lt7TO6DB2IcQIyiPoQwEh.exe 17->28         started        137 192.168.2.1 unknown unknown 19->137 95 C:\Users\...\ZWfytFaJJv7KNxE3DTItXiaQ.exe, PE32 19->95 dropped 97 MicrosoftmTQuHqY5X...yU1VujqQUpdater.exe, PE32 19->97 dropped 99 MicrosoftmTQuHqY5X...exe:Zone.Identifier, ASCII 19->99 dropped 30 ZWfytFaJJv7KNxE3DTItXiaQ.exe 19->30         started        101 C:\Users\...\V0xdOWLi2ReZgNNNBwbjNDRN.exe, PE32 21->101 dropped 107 4 other files (none is malicious) 21->107 dropped file5 signatures6 process7 dnsIp8 125 91.200.41.57 HVOSTING-ASUA Ukraine 23->125 127 34.89.220.179 GOOGLEUS United States 23->127 75 C:\Users\user\AppData\...\13754966604.exe, PE32 23->75 dropped 77 C:\Users\user\AppData\...\05570543437.exe, PE32 23->77 dropped 79 C:\Users\user\AppData\Local\...\file[1].exe, PE32 23->79 dropped 167 Detected unpacking (changes PE section rights) 23->167 169 Detected unpacking (overwrites its own PE header) 23->169 32 cmd.exe 1 23->32         started        34 cmd.exe 1 23->34         started        36 cmd.exe 23->36         started        81 C:\Users\user\AppData\...\94999147280.exe, PE32 28->81 dropped 83 C:\Users\user\AppData\...\03859163481.exe, PE32 28->83 dropped 85 C:\Users\user\AppData\Local\...\file[1].exe, PE32 28->85 dropped 38 cmd.exe 28->38         started        87 C:\Users\user\AppData\Local\...\null[1], PE32 30->87 dropped 89 C:\Users\user\AppData\Local\...\null[1], PE32 30->89 dropped file9 signatures10 process11 process12 40 13754966604.exe 32->40         started        43 conhost.exe 32->43         started        45 05570543437.exe 30 34->45         started        47 conhost.exe 34->47         started        49 conhost.exe 36->49         started        51 taskkill.exe 36->51         started        53 94999147280.exe 38->53         started        55 conhost.exe 38->55         started        signatures13 157 Contains functionality to inject code into remote processes 40->157 57 13754966604.exe 40->57         started        159 Tries to harvest and steal browser information (history, passwords, etc) 45->159 161 Detected unpacking (changes PE section rights) 53->161 163 Detected unpacking (overwrites its own PE header) 53->163 165 Injects a PE file into a foreign processes 53->165 60 94999147280.exe 53->60         started        process14 signatures15 62 13754966604.exe 57->62         started        171 Injects a PE file into a foreign processes 60->171 67 94999147280.exe 60->67         started        process16 dnsIp17 141 195.201.225.248 HETZNER-ASDE Germany 62->141 143 34.91.189.70 GOOGLEUS United States 62->143 109 C:\...\api-ms-win-crt-utility-l1-1-0.dll, PE32 62->109 dropped 111 C:\Users\...\api-ms-win-crt-time-l1-1-0.dll, PE32 62->111 dropped 113 C:\Users\...\api-ms-win-crt-string-l1-1-0.dll, PE32 62->113 dropped 121 20 other files (none is malicious) 62->121 dropped 69 cmd.exe 62->69         started        115 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 67->115 dropped 117 C:\Users\user\AppData\...\vcruntime140.dll, PE32 67->117 dropped 119 C:\Users\user\AppData\...\ucrtbase.dll, PE32 67->119 dropped 123 33 other files (none is malicious) 67->123 dropped 145 Tries to steal Mail credentials (via file access) 67->145 147 Tries to harvest and steal browser information (history, passwords, etc) 67->147 file18 signatures19 process20 process21 71 conhost.exe 69->71         started        73 timeout.exe 69->73         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a657c99025d05b2c5dddc0d7809644d1c3638977403ce62d16af9323e3c884e/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-03-20 06:42:36 UTC
AV detection:
18 of 47 (38.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fjsxzgicluc3fro53qgxqclejuodmoexoqb44ywrnl4tepr4rbha._file
Verdict:
malicious
Similar samples:
0ebab35c1d6c8bdfc810aa740f9038ce35e578d294c70df70686a3a3082d8332
ArkeiStealer
4f42a3f5ab0feccba70fb3637052bb95359d2152f1b73d787b25ba0f75cec13a
ArkeiStealer
58813f984233cfb9eef1c9abefa7f58e96989dd9d6ebd903d40dc2cf3d56c5e8
ArkeiStealer
593f9422a79559ab792b98a272ebd5db883b8a85f34de6a6f05f1c900b221dc5
ArkeiStealer
67ce90c7798859c46617edbd82224a680cc203e7791822a20158ad70cb6eddf9
ArkeiStealer
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
ArkeiStealer
9f270ac39c512c05aeb9e502738dbbc438a6f95596ec041333b7ae7e334e9c2b
ArkeiStealer
ef9b7f99346ac5307323163c42c1c5d1e63143287677c551db77403165346d96
ArkeiStealer
f864c3ba8d40d3f461f21579a9e100f20ee15bea94a6d682b4154ebe22d6f0e4
ArkeiStealer
fc1c966dd0ac73c1e2aae4287b1480ba9d27d01accc069a9a69d2a4fc9f1a6a9
ArkeiStealer
+ 628 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:vidar botnet:afefd33a49c7cbd55d417545269920f24c85aa37 botnet:c46f13f8aadc028907d65c627fd9163161661f6c backdoor discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210322-jry46ckqcn/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Sets service image path in registry
UPX packed file
VMProtect packed file
Executes dropped EXE
Checks for common network interception software
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
Unpacked files
SH256 hash:
2a657c99025d05b2c5dddc0d7809644d1c3638977403ce62d16af9323e3c884e
MD5 hash:
d6687321a99faf81d8a0e0df030fb8ce
SHA1 hash:
c1b6117afef721b5f798630031ee48a014033b0f
Link:
https://www.unpac.me/results/e25f1c86-0304-4276-a6f8-a567bb89f9b8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ransomware
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a657c99025d05b2c5dddc0d7809644d1c3638977403ce62d16af9323e3c884e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 2a657c99025d05b2c5dddc0d7809644d1c3638977403ce62d16af9323e3c884e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1082838/
  
Delivery method
Distributed via web download

Comments