MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38936812027f8a25f120857b93a85fdf3561059c0e36b96e7b3b326d98037ca2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 20 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38936812027f8a25f120857b93a85fdf3561059c0e36b96e7b3b326d98037ca2
SHA3-384 hash: d160927945730424b1eff98c60d0955bfe4ccba722c2ae695cc83333724c11425a8852cd2d562b5fbdc6d378188ea4f3
SHA1 hash: 716e5c1b39859939e96e2e2c9c22fc930c704f59
MD5 hash: fdb650f759c72c4d408a4da61096ac29
humanhash: alaska-mountain-carpet-harry
File name:fdb650f759c72c4d408a4da61096ac29
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:2'370'048 bytes
First seen:2023-08-13 02:05:10 UTC
Last seen:2023-08-24 15:50:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:cB9+lvs4PExtXbcBQi14FgpydMuLusHmWNae6ETnQFz8sGA:Iv4PExtXboIBMuLJHJ6E7QFz8M
TLSH T185B5BF6139818031DCE310F502ECE736123FA1B49B1669D75EE65BEACE2D6C36B32E45
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
380
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
c3ca44024b40807edabdece5567f9d49.exe
Verdict:
Malicious activity
Analysis date:
2023-08-12 09:33:15 UTC
Tags:
loader smoke trojan stealer redline vidar arkei zgrat
Link:
https://app.any.run/tasks/839288e8-366b-4b5a-9195-3b514d5863c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442416/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin packed packed
Link:
https://www.filescan.io/uploads/64d83a8b6409f246e1411693/reports/e1ff9433-15ce-4fa6-b47d-95a56bcc557f/overview
Verdict:
Malicious
Labled as:
Razy.Generic
Link:
https://www.hybrid-analysis.com/sample/38936812027f8a25f120857b93a85fdf3561059c0e36b96e7b3b326d98037ca2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkBit
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/358cf389-4f7f-4d82-989f-6c59e5fe3f02
Result
Threat name:
MicroClip, RedLine, Vidar, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290561
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Searches for specific processes (likely to inject)
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected MicroClip
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1290561 Sample: eE7ZgomseZ.exe Startdate: 13/08/2023 Architecture: WINDOWS Score: 100 115 Snort IDS alert for network traffic 2->115 117 Found malware configuration 2->117 119 Malicious sample detected (through community Yara rule) 2->119 121 17 other signatures 2->121 10 eE7ZgomseZ.exe 6 2->10         started        13 updater.exe 2->13         started        16 cmd.exe 2->16         started        18 8 other processes 2->18 process3 file4 89 C:\Users\user\AppData\Local\Temp\tmpFC6.exe, PE32 10->89 dropped 91 C:\Users\user\AppData\Local\Temp\tmpBDD.exe, PE32 10->91 dropped 20 tmpFC6.exe 23 10->20         started        25 tmpBDD.exe 10->25         started        93 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 13->93 dropped 95 C:\Users\user\AppData\...\uhlwpibxvsms.tmp, PE32+ 13->95 dropped 169 Multi AV Scanner detection for dropped file 13->169 171 Suspicious powershell command line found 13->171 173 Query firmware table information (likely to detect VMs) 13->173 175 9 other signatures 13->175 27 explorer.exe 13->27         started        29 conhost.exe 13->29         started        31 conhost.exe 16->31         started        33 choice.exe 16->33         started        35 WerFault.exe 18->35         started        37 conhost.exe 18->37         started        39 2 other processes 18->39 signatures5 process6 dnsIp7 99 159.69.198.239, 27015, 49725 HETZNER-ASDE Germany 20->99 101 t.me 149.154.167.99, 443, 49724 TELEGRAMRU United Kingdom 20->101 105 2 other IPs or domains 20->105 77 C:\Users\user\AppData\Local\...\soft[1].exe, MS-DOS 20->77 dropped 79 C:\Users\user\AppData\Local\...\pub[1].exe, PE32+ 20->79 dropped 81 C:\Users\user\AppData\Local\...\XMU[1].exe, PE32+ 20->81 dropped 83 3 other malicious files 20->83 dropped 123 Detected unpacking (changes PE section rights) 20->123 125 Detected unpacking (overwrites its own PE header) 20->125 127 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->127 145 4 other signatures 20->145 41 25164083778157448358.exe 4 20->41         started        45 51152980380095997091.exe 3 20->45         started        47 84532301049575160729.exe 20->47         started        49 cmd.exe 20->49         started        129 Multi AV Scanner detection for dropped file 25->129 131 Writes to foreign memory regions 25->131 133 Allocates memory in foreign processes 25->133 135 Injects a PE file into a foreign processes 25->135 51 AppLaunch.exe 5 25->51         started        54 WerFault.exe 21 9 25->54         started        103 cloudproxy.hs-bin.com 217.29.58.241 OKBPROGRESSMoscowRussiaRU Russian Federation 27->103 137 System process connects to network (likely due to code injection or exploit) 27->137 139 Query firmware table information (likely to detect VMs) 27->139 141 Tries to evade debugger and weak emulator (self modifying code) 27->141 143 Suspicious powershell command line found 29->143 file8 signatures9 process10 dnsIp11 85 C:\ProgramData\Win64\U.exe, MS-DOS 41->85 dropped 147 Multi AV Scanner detection for dropped file 41->147 149 Detected unpacking (changes PE section rights) 41->149 151 Query firmware table information (likely to detect VMs) 41->151 167 2 other signatures 41->167 56 cmd.exe 41->56         started        87 C:\Users\user\AppData\Roaming\...\updater.exe, PE32+ 45->87 dropped 153 Suspicious powershell command line found 45->153 155 Hides threads from debuggers 45->155 157 Tries to detect sandboxes / dynamic malware analysis system (registry check) 45->157 58 cmd.exe 47->58         started        60 conhost.exe 49->60         started        62 timeout.exe 49->62         started        97 176.123.9.85, 16482, 49723 ALEXHOSTMD Moldova Republic of 51->97 159 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 51->159 161 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 51->161 163 Tries to harvest and steal browser information (history, passwords, etc) 51->163 165 Tries to steal Crypto Currency Wallets 51->165 file12 signatures13 process14 process15 64 U.exe 56->64         started        67 conhost.exe 56->67         started        69 timeout.exe 56->69         started        71 conhost.exe 58->71         started        73 choice.exe 58->73         started        signatures16 107 Multi AV Scanner detection for dropped file 64->107 109 Detected unpacking (changes PE section rights) 64->109 111 Query firmware table information (likely to detect VMs) 64->111 113 4 other signatures 64->113 75 conhost.exe 71->75         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38936812027f8a25f120857b93a85fdf3561059c0e36b96e7b3b326d98037ca2/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Suspicious
First seen:
2023-08-12 15:20:49 UTC
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hcjwqeqcp6fcl4jaqv5zhkc7342wcbm4by3ls3t3hmzg3gadpsra._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:610187d7c34f2052f6989d8640129983 infostealer spyware stealer
Link:
https://tria.ge/reports/230813-cjebpsae8v/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
RedLine
RedLine payload
Vidar
Malware Config
C2 Extraction:
https://t.me/tatlimark
https://steamcommunity.com/profiles/76561199536605936
Unpacked files
SH256 hash:
b7217295b142a81147b070aca8b0a1fd2412a7ad4739c877a4fda79a09721aff
MD5 hash:
8603963a127ca5e69bbad699cfa68a64
SHA1 hash:
cf4a24f68b4ff8d26ff5ffad4f503fdfc7eb334f
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/cee9a66b-152b-4237-a7fe-ebbdd9c61d14/
SH256 hash:
0cc3a0f8b48ef8d8562b9cdf9c7cfe7f63faf43a5ac6dc6973dc8bf13b6c88cf
MD5 hash:
e57ea48172a6fe1b55ecb45f9bf659cf
SHA1 hash:
ad9f7fad57af3dfb6bad3d55828152aebf6ead34
Link:
https://www.unpac.me/results/cee9a66b-152b-4237-a7fe-ebbdd9c61d14/
SH256 hash:
e9ce545cb48ce44ca0855e3b2439b02e2c23086156a55193ce611ee8a15fb48c
MD5 hash:
b5804c7b0c6838ad43fda793984a1a96
SHA1 hash:
95e51629d9fc838211a7f52447053c5f5cd0cf06
Link:
https://www.unpac.me/results/cee9a66b-152b-4237-a7fe-ebbdd9c61d14/
SH256 hash:
c207f664b3f807f6639c5dbd0e3fc24dba025097aa40a4b8a40b6c988da4599b
MD5 hash:
9cb45aca895fc9e3d6451eee3bcef501
SHA1 hash:
119318ffad9c90e63731cedc5155e98dfcf2e091
Link:
https://www.unpac.me/results/cee9a66b-152b-4237-a7fe-ebbdd9c61d14/
SH256 hash:
38936812027f8a25f120857b93a85fdf3561059c0e36b96e7b3b326d98037ca2
MD5 hash:
fdb650f759c72c4d408a4da61096ac29
SHA1 hash:
716e5c1b39859939e96e2e2c9c22fc930c704f59
Link:
https://www.unpac.me/results/cee9a66b-152b-4237-a7fe-ebbdd9c61d14/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/38936812027f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/38936812027f8a25f120857b93a85fdf3561059c0e36b96e7b3b326d98037ca2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 38936812027f8a25f120857b93a85fdf3561059c0e36b96e7b3b326d98037ca2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2704179/
Cape
Cape
https://www.capesandbox.com/analysis/442416/

Comments


Avatar
zbet commented on 2023-08-13 02:05:10 UTC

url : hxxps://bripst.com/32.exe