MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3419cd3aa1836577742af73aefa4d0fd5a198cbc4474af670408e6752f0dd89e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3419cd3aa1836577742af73aefa4d0fd5a198cbc4474af670408e6752f0dd89e
SHA3-384 hash: ed48802baa224b520406c77e787f1486aa36c684ac75dd60cbfb5b1f2d7be59db9165987dea7cf7a31435245f69da40a
SHA1 hash: 9eddc3f78a070ce0eecb9d9091a7f4206cd00472
MD5 hash: 9c6fdeb2af716fee153488d8e2288b86
humanhash: vegan-william-minnesota-xray
File name:Data.bin
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:11'709'252 bytes
First seen:2020-10-10 23:14:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 196608:JIUtl0sOY4e7ik+TuKKhIS0CuxjS81goG1XPZjjKKqaslMIz1kDaZ1//oq4nTf39:u8WQ7F9KKhN0J1goG1F0aslMIz1bZ13a
Threatray 203 similar samples on MalwareBazaar
TLSH 40C633B0B4D190B6E3315A3A9DAC337361787CA01B7D469BF3840D1D9D369C26A22FE5
Reporter vm001cn
Tags:ArkeiStealer Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69772/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Reading critical registry keys
Sending a UDP request
DNS request
Sending an HTTP POST request
Running batch commands
Launching a process
Sending a custom TCP request
Creating a process with a hidden window
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Creating a file in the %AppData% directory
Connection attempt
Delayed writing of the file
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Launching a tool to kill processes
Forced shutdown of a browser
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487560
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Detected Info Stealer Vidar
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 296222 Sample: Data.bin Startdate: 11/10/2020 Architecture: WINDOWS Score: 100 101 iplogger.org 2->101 123 Antivirus detection for URL or domain 2->123 125 Antivirus detection for dropped file 2->125 127 Antivirus / Scanner detection for submitted sample 2->127 129 9 other signatures 2->129 11 Data.exe 12 2->11         started        signatures3 process4 file5 73 C:\Users\user\AppData\Local\Temp\...\Data.exe, PE32 11->73 dropped 75 C:\Users\user\AppData\Local\...\Data Info.exe, PE32 11->75 dropped 77 C:\Users\user\AppData\...\Data Files.exe, PE32 11->77 dropped 79 C:\Users\user\...\Data Configuration.exe, PE32 11->79 dropped 14 Data Configuration.exe 11->14         started        17 Data.exe 3 11->17         started        21 Data Files.exe 15 5 11->21         started        process6 dnsIp7 81 C:\Users\user\AppData\Local\Temp\...\file.exe, PE32 14->81 dropped 83 C:\Users\user\AppData\Local\Temp\...\002.exe, PE32 14->83 dropped 85 C:\Users\user\AppData\Local\...\hjjgaa.exe, PE32 14->85 dropped 91 7 other files (none is malicious) 14->91 dropped 23 file.exe 14->23         started        93 www.wdsfw34erf93.com 17->93 95 wdsfw34erf93.com 139.180.202.218, 49730, 80 AS-CHOOPAUS United States 17->95 87 C:\Users\user\AppData\Local\...\Login Data1, SQLite 17->87 dropped 117 Antivirus detection for dropped file 17->117 119 Machine Learning detection for dropped file 17->119 121 Tries to harvest and steal browser information (history, passwords, etc) 17->121 28 cmd.exe 1 17->28         started        97 iplogger.org 88.99.66.31, 443, 49748, 49754 HETZNER-ASDE Germany 21->97 99 trading-solutions.xyz 104.27.165.180, 443, 49732 CLOUDFLARENETUS United States 21->99 89 C:\ProgramData\101466.exe, PE32 21->89 dropped 30 cmd.exe 1 21->30         started        32 WerFault.exe 9 21->32         started        file8 signatures9 process10 dnsIp11 111 www.rationalowl.com 211.239.150.87, 443, 49744 HOSTWAY-AS-KRHostwayIDCKR Korea Republic of 23->111 113 iplogger.org 23->113 69 C:\Users\user\AppData\Roaming\372.tmp.exe, PE32 23->69 dropped 71 C:\Users\user\AppData\Local\...\np1[1].exe, PE32 23->71 dropped 143 Detected unpacking (creates a PE file in dynamic memory) 23->143 34 372.tmp.exe 23->34         started        115 1.1.1.1 CLOUDFLARENETUS Australia 28->115 145 Uses ping.exe to sleep 28->145 39 conhost.exe 28->39         started        41 PING.EXE 1 28->41         started        43 101466.exe 14 18 30->43         started        45 conhost.exe 30->45         started        file12 signatures13 process14 dnsIp15 103 ip-api.com 208.95.112.1, 49750, 80 TUT-ASUS United States 34->103 105 flowerfarm.co.ug 198.98.57.54, 49749, 80 PONYNETUS United States 34->105 53 C:\ProgramData\...\screenshot.jpg, JPEG 34->53 dropped 55 C:\ProgramData\...\information.txt, ISO-8859 34->55 dropped 57 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 34->57 dropped 65 11 other files (none is malicious) 34->65 dropped 131 Detected unpacking (changes PE section rights) 34->131 133 Detected Info Stealer Vidar 34->133 135 Detected unpacking (overwrites its own PE header) 34->135 141 5 other signatures 34->141 47 cmd.exe 34->47         started        107 t4p.xyz 104.24.102.175, 49734, 80 CLOUDFLARENETUS United States 43->107 109 192.168.2.1 unknown unknown 43->109 59 C:\Users\user\AppData\Local\...59ativePRo.dll, PE32 43->59 dropped 61 C:\ProgramData\49\vcruntime140.dll, PE32 43->61 dropped 63 C:\ProgramData\49\sqlite3.dll, PE32 43->63 dropped 67 5 other files (none is malicious) 43->67 dropped 137 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 43->137 139 Machine Learning detection for dropped file 43->139 file16 signatures17 process18 process19 49 conhost.exe 47->49         started        51 taskkill.exe 47->51         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3419cd3aa1836577742af73aefa4d0fd5a198cbc4474af670408e6752f0dd89e/
Threat name:
Win32.Spyware.Socelars
Create hunting rule
Status:
Malicious
First seen:
2020-10-10 21:56:26 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
2c9538aaf6058783ac6e7c6676769ba3904a584b0bbc8c475852b11096c3c368
ArkeiStealer
341847d9c11face1487ab04072d6ddc5065a379011c6684e56e1f4fa8d8ab3f3
ArkeiStealer
3d8567fb3b55c792b8ba70e2172726ae80805f1a1c858db29e13a5cd02d8634a
ArkeiStealer
8598147a91005830b94021bf5bf401e1b10d55ff940244394e8fb3bb8f494539
ArkeiStealer
9617dc1938ef945ab37282b04d7d083412485c144dd60c96d68f508da8a1a7c1
ArkeiStealer
b912cef6a6c9d7e8f49a06d9178cc7c6d8b68a0e7f8948c3d6892f8e5fd11c74
ArkeiStealer
c1b06231624dd9cd446357211a63f8d27f2a7781123c0dff89f277f95e408192
ArkeiStealer
eaf272ccebdce006c18793bdbcd0b4729d6ac2eefa2ef900cee811d74d953825
ArkeiStealer
f1a10725589836a8b8959f7ceb298f84b1e5a9736fe97f32a816028aaff55001
ArkeiStealer
f4221efa93b3ce5d8c92ba911661c246111653dd178bc239349cdfde8b39f7f0
ArkeiStealer
+ 193 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
upx persistence discovery evasion spyware stealer
Link:
https://tria.ge/reports/201010-vxd4jtftwx/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
JavaScript code in executable
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blacklisted process makes network request
Executes dropped EXE
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
3419cd3aa1836577742af73aefa4d0fd5a198cbc4474af670408e6752f0dd89e
MD5 hash:
9c6fdeb2af716fee153488d8e2288b86
SHA1 hash:
9eddc3f78a070ce0eecb9d9091a7f4206cd00472
Link:
https://www.unpac.me/results/acb4ab7f-e685-4869-a3c6-4c1e68cd40bc/
SH256 hash:
c7281bfb5066500fdacadc3d54f2443d00f3477b048c57294bbce42a9f33b6be
MD5 hash:
62764950bb66c855440e2c6541b1b68a
SHA1 hash:
a6f1e09b5f1312ee3f7de8e75e78aa24f5a7c8aa
Link:
https://www.unpac.me/results/acb4ab7f-e685-4869-a3c6-4c1e68cd40bc/
SH256 hash:
df51ce7be028ac040420dd327ec3ab8eb8ee2e083106f8a38b869ad135c3308b
MD5 hash:
2069dea03d8ad1aa3642d1ed6c5ec33d
SHA1 hash:
5594873bf4766419c5f656531bb444d83aa26bb8
Link:
https://www.unpac.me/results/acb4ab7f-e685-4869-a3c6-4c1e68cd40bc/
SH256 hash:
8304a5760ca17a48f13b3c80aaf1ad7c88ac6aaeedbbce61c4d85f2f9faed2d0
MD5 hash:
48619c561ef3f9bcace19f3bb71ef258
SHA1 hash:
68e1e4b30b2ce8c2b4dd48634be49e2b46370901
Link:
https://www.unpac.me/results/acb4ab7f-e685-4869-a3c6-4c1e68cd40bc/
SH256 hash:
a2ece9718774fa672d283a78fcdeb09af2fb07655a13f3f123f6ef72268d3366
MD5 hash:
b8e9b171ea1cf0399a2c8ec1d7c67ba9
SHA1 hash:
a4743d1bea4ea77015e34af2ecc831ec16c64163
Link:
https://www.unpac.me/results/acb4ab7f-e685-4869-a3c6-4c1e68cd40bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Netpass
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/3419cd3aa1836577742af73aefa4d0fd5a198cbc4474af670408e6752f0dd89e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69772/

Comments