MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 401bbd8d6f3e957749b523d8e9477005eaa8c9ff20aea6c32bee59fdeaa2c766. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 401bbd8d6f3e957749b523d8e9477005eaa8c9ff20aea6c32bee59fdeaa2c766
SHA3-384 hash: 79ebcc934753d19d172266d31aeb9e0aa248e9db45c8964a6d8d89b9fa23da85def22c2766d67c6b1f7d904accaab946
SHA1 hash: b35bb700774988db326652fca0c6fba87c591a2f
MD5 hash: 80e226439349c4711b6eae5c45fd8e74
humanhash: table-tennis-november-mexico
File name:b35bb700774988db326652fca0c6fba87c591a2f.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'633'280 bytes
First seen:2021-09-14 03:45:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5593da1f9a01d8f98a484ea81b113ac8 (1 x Tofsee, 1 x ArkeiStealer, 1 x RaccoonStealer)
ssdeep 24576:s50u0wG8/tqb7xAkmijauMug/iyFzb2DfsPV8A4C2vNI1cPdf8xZLGNfav9Q2:sauFGMuxWiOuRg/iyFzb2QN83XfeYav
Threatray 170 similar samples on MalwareBazaar
TLSH T131754B31E200C279E8E725F556BD3A79356CAA71470439C72BC81EF89B222D97E3416F
dhash icon e8d959ccc866e6c3 (3 x RaccoonStealer, 2 x CoinMiner, 1 x Tofsee)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://94.158.245.117/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.117/ https://threatfox.abuse.ch/ioc/221022/

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Cube_WW2.exe
Verdict:
Malicious activity
Analysis date:
2021-09-08 11:08:27 UTC
Tags:
loader autoit evasion trojan rat redline stealer raccoon
Link:
https://app.any.run/tasks/52a01106-e6c5-4ed4-a46d-cd63f9df776d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187623/
Detection(s):
Win.Malware.Zusy-9891357-0
Create hunting rule

Win.Malware.Zusy-9892604-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm greyware packed
Link:
https://www.filescan.io/uploads/617508fc9a5a1e91c5d1fec9/reports/8a5f1fc9-c6f0-4bba-9c52-532abc3d4d24/overview
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d9b11e5-b7fc-493c-8a71-2b4ecec84b3a
Result
Threat name:
Cookie Stealer Glupteba Metasploit RedLi
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850346
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Cookie Stealer
Yara detected Glupteba
Yara detected Metasploit Payload
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 482773 Sample: Terw9bPuiD.exe Startdate: 14/09/2021 Architecture: WINDOWS Score: 100 58 91.203.192.232 GARANT-PARK-INTERNETRU Russian Federation 2->58 60 186.2.171.3 DDOS-GUARDCORPBZ Belize 2->60 62 6 other IPs or domains 2->62 70 Antivirus detection for URL or domain 2->70 72 Multi AV Scanner detection for dropped file 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 13 other signatures 2->76 8 Terw9bPuiD.exe 4 56 2->8         started        signatures3 process4 dnsIp5 64 37.0.10.214 WKD-ASIE Netherlands 8->64 66 81.177.23.10 RTCOMM-ASRU Russian Federation 8->66 68 6 other IPs or domains 8->68 42 C:\Users\...\xfVXgaK0m7fNRM4oGq9Cu6Ez.exe, PE32 8->42 dropped 44 C:\Users\...\wNFqBG1eA3pVRhOQHchlKQ_5.exe, PE32 8->44 dropped 46 C:\Users\...\uMrOM8PqUxqkxrDtCKrBq1WQ.exe, PE32 8->46 dropped 48 29 other files (23 malicious) 8->48 dropped 78 Drops PE files to the document folder of the user 8->78 80 Creates HTML files with .exe extension (expired dropper behavior) 8->80 82 Disable Windows Defender real time protection (registry) 8->82 13 dFTNBKeVii4BuhplN3bO4WDH.exe 8->13         started        16 8x_vY4jPhEw89y8mYwBQNtfY.exe 8->16         started        20 jQygIUHxV81MgZCnS91GebD5.exe 8->20         started        22 8 other processes 8->22 file6 signatures7 process8 dnsIp9 84 Detected unpacking (changes PE section rights) 13->84 86 Query firmware table information (likely to detect VMs) 13->86 88 Tries to detect sandboxes and other dynamic analysis tools (window names) 13->88 50 149.154.167.99 TELEGRAMRU United Kingdom 16->50 28 C:\Users\...\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe, PE32 16->28 dropped 30 C:\Users\user\AppData\...\Cube_WW14[1].bmp, PE32 16->30 dropped 32 C:\...\PowerControl_Svc.exe, PE32 16->32 dropped 90 Drops PE files to the document folder of the user 16->90 92 Uses schtasks.exe or at.exe to add and modify task schedules 16->92 94 Hides threads from debuggers 20->94 96 Tries to detect sandboxes / dynamic malware analysis system (registry check) 20->96 52 208.95.112.1 TUT-ASUS United States 22->52 54 46.8.29.181 TEAM-HOSTASRU Russian Federation 22->54 56 3 other IPs or domains 22->56 34 C:\Program Files (x86)\...\md8_8eus.exe, PE32 22->34 dropped 36 C:\Program Files (x86)\...\inst001.exe, PE32 22->36 dropped 38 C:\Program Files (x86)\Company\...\cutm3.exe, PE32+ 22->38 dropped 40 13 other files (none is malicious) 22->40 dropped 98 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->98 100 Contains functionality to steal Chrome passwords or cookies 22->100 102 Contains functionality to inject code into remote processes 22->102 104 3 other signatures 22->104 24 conhost.exe 22->24         started        26 conhost.exe 22->26         started        file10 signatures11 process12
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/401bbd8d6f3e957749b523d8e9477005eaa8c9ff20aea6c32bee59fdeaa2c766/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 23:16:24 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ian33dlph2kxosnvepmosr3qaxvkrsp7ecxknqzl5zm732vcy5ta._file
Verdict:
malicious
Similar samples:
1169aa40b39712cd78f3bba1509b3a5864752c534497431180eb752015d2d482
ArkeiStealer
11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41
ArkeiStealer
2ff77816fa6b9e2fdbc630e06a003b09228f39887f8dfea7f8020d9346bd2324
ArkeiStealer
4468428f16aeb36c8c1a53f40c68806473201d37d94b6ac8f1c0d324d1e17006
ArkeiStealer
719838a1192ae6b53966159da56635e7a05754eb017f2538ca3f82c580543280
ArkeiStealer
935099f2160f2dd5fec6a63ea02c81d80c0b2cbf712b0e48b386a81078a627dd
ArkeiStealer
aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e
ArkeiStealer
c9371cc485825207fe107e6600c14cfd9049c34f74c8c7332f16a20afea88164
ArkeiStealer
+ 160 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:redline family:smokeloader family:vidar botnet:937 botnet:@big_tastyyy botnet:gaysex botnet:norman1 botnet:мощ backdoor discovery dropper evasion infostealer loader persistence stealer themida trojan
Link:
https://tria.ge/reports/210914-ebmn8aegb5/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Vidar
Malware Config
C2 Extraction:
https://gheorghip.tumblr.com/
185.180.231.69:2796
87.251.71.44:80
45.14.49.184:60921
193.56.146.60:43408
http://fazanaharahe1.xyz/
http://xandelissane2.xyz/
http://ustiassosale3.xyz/
http://cytheriata4.xyz/
http://ggiergionard5.xyz/
http://rrelleynaniy6.store/
http://danniemusoa7.store/
http://nastanizab8.store/
http://onyokandis9.store/
http://dmunaavank10.store/
http://gilmandros11.site/
http://cusanthana12.site/
http://willietjeana13.site/
http://ximusokall14.site/
http://blodinetisha15.site/
http://urydiahadyss16.club/
http://glasamaddama17.club/
http://marlingarly18.club/
http://alluvianna19.club/
http://xandirkaniel20.club/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Unpacked files
SH256 hash:
401bbd8d6f3e957749b523d8e9477005eaa8c9ff20aea6c32bee59fdeaa2c766
MD5 hash:
80e226439349c4711b6eae5c45fd8e74
SHA1 hash:
b35bb700774988db326652fca0c6fba87c591a2f
Link:
https://www.unpac.me/results/76363934-328e-40e4-8bb9-c1a58e5ac790/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/401bbd8d6f3e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/401bbd8d6f3e957749b523d8e9477005eaa8c9ff20aea6c32bee59fdeaa2c766

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187623/

Comments