MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e5b7cb8978e88eb98d9079326d7c929eb12701f0040e6e2ec29fb5470022cf0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: ArkeiStealer
Vendor detections: 6

SHA256 hash: 3e5b7cb8978e88eb98d9079326d7c929eb12701f0040e6e2ec29fb5470022cf0
SHA3-384 hash: 111dfce0ae130b12fb1ddf4e3e2298b334d33973c8bcc39d3eec334424d9d0c926e08f905a6ce7361c8970794d7a16e8
SHA1 hash: df265685dfae28f149c48ac7c6a27ebb98d948a9
MD5 hash: 84320ddbbc8937bda5b17c8f20bada02
humanhash: tennessee-shade-spring-shade
File name: 84320DDBBC8937BDA5B17C8F20BADA02.exe
Signature: ArkeiStealer
File size: 1'851'936 bytes
First seen: 2021-06-18 00:43:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0047ffc8d91ee9a957961742504880d6 (1 x Adware.FileTour, 1 x ArkeiStealer)
ssdeep: 24576:siBs1yrkEFAraq4PaMBm3mFFLo/0fZsi378kv8MKeXqEgqHPoUsp7mBk+6IsZUsU:LBsrE2gc3mDnYkQuPEN4g/erj8E0je
Threatray: 4 similar samples on MalwareBazaar
TLSH: 48851203F293D5B2D9A600B501259BB21F3ABC319774C4E7AFD47A6D9D313E0A73225A
Reporter: abuse_ch
Tags: ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
http://159.69.20.131/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://159.69.20.131/
ThreatFox reference: https://threatfox.abuse.ch/ioc/135617/

Intelligence


File Origin
# of uploads: 1
# of downloads: 141
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 84320DDBBC8937BDA5B17C8F20BADA02.exe
Verdict: No threats detected
Analysis date: 2021-06-18 00:48:45 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph: ID 436428, sample kctD8brhzU.exe, start date 18/06/2021, architecture WINDOWS, score 100 (graph rendering omitted)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-06-15 08:28:16 UTC
AV detection: 15 of 29 (51.72%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files

SHA256 hash: acc02a2e37cdf781bb9b9f58936d49c8186ed51933f7047d734409ccde4ea332
MD5 hash: c03dc03e5c76d0953e9f1b9754738e08
SHA1 hash: 204598324dddc71ae5e4a18cb89c3a26a7c12c90

SHA256 hash: de6817621aa4a9f39a370d606b7aee3d9ebcb08cd0c277741a8cc8c052b24490
MD5 hash: 32a578e64846cbd75f5789732859e93b
SHA1 hash: 14adc43d30fc5dd51c6160aca86904999d6b91a4

SHA256 hash: 3e5b7cb8978e88eb98d9079326d7c929eb12701f0040e6e2ec29fb5470022cf0
MD5 hash: 84320ddbbc8937bda5b17c8f20bada02
SHA1 hash: df265685dfae28f149c48ac7c6a27ebb98d948a9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.
