MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA3-384 hash: 309576573c8f1fdb0d12517bf3d6ed6797df0ffeb204cd854c5ff6666e66804b8ce1285d9d4d71f48d386b12485ec30b
SHA1 hash: eb7f418b03aa9f21275de0393fcbf0d03b9719d5
MD5 hash: b4c503088928eef0e973a269f66a0dd2
humanhash: crazy-aspen-purple-freddie
File name:Fri051e1e7444.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:412'672 bytes
First seen:2021-10-22 16:13:06 UTC
Last seen:2021-10-22 17:11:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6256ca6fb1d33cce27dff272311e3072 (3 x Formbook, 2 x ArkeiStealer, 1 x DiamondFox)
ssdeep 6144:FjxzYPg/USg7WFugayIv1pE0EAPMrGWsWDWidF0HQszCZ2Ftppb9Y81+k7pq7FL7:RNYI/7FugaDS2zO
Threatray 728 similar samples on MalwareBazaar
TLSH T102947B2433D08C32C6AE4675A4A0C6718634ED2657728BD727C46FBB3C773C08A65BA7
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter Anonymous
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-10-20 19:24:36 UTC
Tags:
trojan rat redline loader stealer evasion
Link:
https://app.any.run/tasks/6c2f90a6-970f-46ad-8775-624e84db540f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199412/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.47207757.12482.14627.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6172e34ca9d585e6d53514eb/reports/b4c25ba9-c7ed-48f3-aed8-93a7628061cf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a19ea34b-cb2c-441c-8b61-0b6f35402449
Result
Threat name:
Raccoon SmokeLoader Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/875632
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (creates a PE file in dynamic memory)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Raccoon Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 508059 Sample: Fri051e1e7444.exe Startdate: 23/10/2021 Architecture: WINDOWS Score: 100 55 208.95.112.1 TUT-ASUS United States 2->55 57 192.210.222.83 SERVER-MANIACA United States 2->57 59 13 other IPs or domains 2->59 79 Multi AV Scanner detection for domain / URL 2->79 81 Antivirus detection for URL or domain 2->81 83 Antivirus detection for dropped file 2->83 85 17 other signatures 2->85 8 Fri051e1e7444.exe 4 61 2->8         started        signatures3 process4 dnsIp5 61 45.142.182.152 XSSERVERNL Germany 8->61 63 62.113.113.199 VDSINA-ASRU Russian Federation 8->63 65 12 other IPs or domains 8->65 29 C:\Users\...\b6ELVTqeGy1ruB9WKG36JrJ6.exe, PE32 8->29 dropped 31 C:\Users\...\WUdGrToRHB36D6pJXYDeIZX8.exe, PE32 8->31 dropped 33 C:\Users\...\SE1F3zCK_jx1xWntZ9GYWt9m.exe, PE32 8->33 dropped 35 23 other files (12 malicious) 8->35 dropped 91 Detected unpacking (creates a PE file in dynamic memory) 8->91 93 Creates HTML files with .exe extension (expired dropper behavior) 8->93 95 Disable Windows Defender real time protection (registry) 8->95 13 8zUG0brUBlpFvDEuvVx2HgMf.exe 72 8->13         started        18 0B9sH06kWApTgIlQOY7LVsTN.exe 8->18         started        20 DWXG0BlcJcY3ugW9s02tQqpa.exe 14 8 8->20         started        22 7 other processes 8->22 file6 signatures7 process8 dnsIp9 67 88.99.75.82 HETZNER-ASDE Germany 13->67 69 65.108.80.190 ALABANZA-BALTUS United States 13->69 49 12 other files (none is malicious) 13->49 dropped 97 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->97 99 Tries to harvest and steal browser information (history, passwords, etc) 13->99 101 Tries to steal Crypto Currency Wallets 13->101 103 Injects a PE file into a foreign processes 18->103 24 0B9sH06kWApTgIlQOY7LVsTN.exe 18->24         started        71 172.67.221.103 CLOUDFLARENETUS United States 20->71 37 C:\Users\user\AppData\Roaming\7928898.exe, PE32 20->37 dropped 39 C:\Users\user\AppData\Roaming\7002256.exe, PE32 20->39 dropped 41 C:\Users\user\AppData\Roaming\4511472.exe, PE32 20->41 dropped 51 2 other files (none is malicious) 20->51 dropped 73 149.154.167.99 TELEGRAMRU United Kingdom 22->73 75 88.99.66.31 HETZNER-ASDE Germany 22->75 77 2 other IPs or domains 22->77 43 C:\Users\...\2rCrS7efq2pqz2S0LG0uaUEL.exe, PE32 22->43 dropped 45 C:\...\PowerControl_Svc.exe, PE32 22->45 dropped 47 C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll, PE32+ 22->47 dropped 53 2 other files (none is malicious) 22->53 dropped 105 Sample uses process hollowing technique 22->105 27 conhost.exe 22->27         started        file10 signatures11 process12 signatures13 87 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 24->87 89 Checks if the current machine is a virtual machine (disk enumeration) 24->89
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-10-18 13:34:10 UTC
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05bb79760b2d993c39d526717da95aec99ad74d8fc23eb82d7bffe64595a9d70
ArkeiStealer
3153caf54366c0ddeddd293791b8f05eabd7343d9a73cc6444b769d0115dabf8
ArkeiStealer
4468428f16aeb36c8c1a53f40c68806473201d37d94b6ac8f1c0d324d1e17006
ArkeiStealer
44f3c573b5d6d77d97c2ebf5d4a235da5aed3a18eb5b76ea420d262df0f3a826
ArkeiStealer
aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e
ArkeiStealer
aa9830b26f9c0db4c3da3c04a96199550b57251b56f8c4ccb922b264a24e8de1
ArkeiStealer
ccfd37710068b3998537ac325e29555ba9375ebf1230cf90e9dcf133e06bcdf3
ArkeiStealer
d05cb3a734aaa9d090be20fbaeddf8069a829fa78c44dd8378a2350c1510e1fc
ArkeiStealer
d7b0380241e4d47fc00e72faa08831b51b0ae360d5ccc45717f39f3106c3020a
ArkeiStealer
ebe82a7d2f2f9989a5e4ef6a4602a8224abdff7aef5baa6beacb5977c02ac3e0
ArkeiStealer
+ 718 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:7c9b4504a63ed23664e38808e65948379b790395 botnet:903 botnet:921 botnet:933 botnet:937 botnet:james222 backdoor evasion infostealer spyware stealer suricata themida trojan upx
Link:
https://tria.ge/reports/211022-tpmzgacgbr/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/Kelihos.F exe Download 2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
205.185.119.191:60857
https://mas.to/@xeroxxx
http://gejajoo7.top/
http://sysaheu9.top/
135.181.129.119:4805
Unpacked files
SH256 hash:
2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
MD5 hash:
b4c503088928eef0e973a269f66a0dd2
SHA1 hash:
eb7f418b03aa9f21275de0393fcbf0d03b9719d5
Link:
https://www.unpac.me/results/0520ddeb-9091-4f2e-9c20-9ec3440e8f27/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2a95ce43c87b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/199412/

Comments