MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ae0156d1ccca584c5ed35708b150e0649cd470f5b192653a578c215e5118c08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ae0156d1ccca584c5ed35708b150e0649cd470f5b192653a578c215e5118c08
SHA3-384 hash: 04ac4ea624b4687f345863cc7825ca97b540ffa916fbb2e81c4b53b7467a469dc272b692f7d65c568a008310394388bc
SHA1 hash: 3327ba03c0fc25fc6a7f3c4fcbae40fde7ac0b07
MD5 hash: 7bf8cb17d39796d800e22388d23e9fd5
humanhash: cat-xray-xray-lion
File name:7bf8cb17d39796d800e22388d23e9fd5.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:8'162'995 bytes
First seen:2021-03-29 21:15:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 196608:itz+7MBr0wCCoxY85JzuXG03mB0ocqsgJ7inbth7MY4Uw:M+7MmdB5JzSwB02FIbfQY41
TLSH 0C863349718681B7E824183D544B63F1B433BF0C4139990E5BED0BEEA1373AE1E597AE
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://static.parafia-strumiany.pl/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://static.parafia-strumiany.pl/ https://threatfox.abuse.ch/ioc/5909/

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127823/
Detection(s):
Win.Malware.Fabookie-9797757-0
Create hunting rule

Win.Malware.Rasftuby-9841222-0
Create hunting rule

SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Creating a file
Searching for the window
DNS request
Reading critical registry keys
Sending an HTTP GET request
Launching a process
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f422fb8b-9ee4-4c38-b10f-834171f0be99
Result
Threat name:
Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/657703
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 377784 Sample: cMOtS8JQVW.exe Startdate: 29/03/2021 Architecture: WINDOWS Score: 100 146 facebook.websmails.com 2->146 186 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->186 188 Antivirus detection for URL or domain 2->188 190 Antivirus detection for dropped file 2->190 192 19 other signatures 2->192 10 cMOtS8JQVW.exe 16 17 2->10         started        13 haleng.exe 2->13         started        signatures3 process4 file5 110 C:\Program Files (x86)\...\moSvKMEovuRx.exe, PE32 10->110 dropped 112 C:\Program Files (x86)\VR\...\jg7_7wjg.exe, PE32 10->112 dropped 114 C:\Program Files (x86)\VR\...\hjjgaa.exe, PE32 10->114 dropped 118 7 other files (5 malicious) 10->118 dropped 16 RunWW.exe 87 10->16         started        21 22.exe 10->21         started        23 lylal220.exe 10->23         started        27 6 other processes 10->27 116 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 13->116 dropped 204 Tries to detect debuggers by setting the trap flag for special instructions 13->204 206 Tries to detect virtualization through RDTSC time measurements 13->206 25 jfiag3g_gg.exe 13->25         started        signatures6 process7 dnsIp8 136 static.parafia-strumiany.pl 104.244.76.207, 49716, 80 PONYNETUS United States 16->136 138 api.faceit.com 104.17.62.50, 443, 49715 CLOUDFLARENETUS United States 16->138 72 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 16->72 dropped 74 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 16->74 dropped 76 C:\Users\user\AppData\...\softokn3[1].dll, PE32 16->76 dropped 86 9 other files (none is malicious) 16->86 dropped 174 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->174 176 Tries to steal Instant Messenger accounts or passwords 16->176 178 Tries to harvest and steal browser information (history, passwords, etc) 16->178 184 2 other signatures 16->184 29 cmd.exe 16->29         started        78 C:\Program Files\javcse\install.dll, PE32 21->78 dropped 31 wscript.exe 21->31         started        33 conhost.exe 21->33         started        35 lylal220.tmp 23->35         started        140 101.36.107.74, 49709, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 27->140 142 ip-api.com 208.95.112.1, 49707, 80 TUT-ASUS United States 27->142 144 5 other IPs or domains 27->144 80 C:\Users\user\Documents\...\jg7_7wjg.exe, PE32 27->80 dropped 82 C:\ProgramData\7835000.exe, PE32 27->82 dropped 84 C:\ProgramData\4577848.exe, PE32 27->84 dropped 88 3 other files (none is malicious) 27->88 dropped 180 Sample uses process hollowing technique 27->180 182 Injects a PE file into a foreign processes 27->182 39 LabPicV3.tmp 27->39         started        41 jfiag3g_gg.exe 27->41         started        44 main.exe 1 5 27->44         started        46 jfiag3g_gg.exe 27->46         started        file9 signatures10 process11 dnsIp12 48 conhost.exe 29->48         started        50 taskkill.exe 29->50         started        52 timeout.exe 29->52         started        54 rundll32.exe 31->54         started        148 s3-r-w.eu-west-1.amazonaws.com 52.218.106.184, 49717, 80 AMAZON-02US United States 35->148 150 i-record.s3-eu-west-1.amazonaws.com 35->150 90 C:\Users\user\AppData\Local\...\Microsoft.exe, PE32 35->90 dropped 92 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 35->92 dropped 94 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 35->94 dropped 96 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 35->96 dropped 57 Microsoft.exe 35->57         started        152 s3-r-w.eu-north-1.amazonaws.com 52.95.171.72, 49713, 80 AMAZON-02US United States 39->152 154 labstation2.s3.eu-north-1.amazonaws.com 39->154 98 C:\Users\user\AppData\Local\...\ppppppfy.exe, PE32 39->98 dropped 100 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 39->100 dropped 102 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 39->102 dropped 104 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 39->104 dropped 61 ppppppfy.exe 39->61         started        202 Tries to harvest and steal browser information (history, passwords, etc) 41->202 156 35.220.162.170 GOOGLEUS United States 44->156 158 35.220.235.49, 49708, 8070 GOOGLEUS United States 44->158 160 2 other IPs or domains 44->160 106 2 other files (none is malicious) 44->106 dropped file13 signatures14 process15 dnsIp16 194 Writes to foreign memory regions 54->194 196 Allocates memory in foreign processes 54->196 198 Creates a thread in another existing process (thread injection) 54->198 63 svchost.exe 54->63 injected 65 svchost.exe 54->65 injected 67 svchost.exe 54->67 injected 162 52.218.1.112 AMAZON-02US United States 57->162 164 52.95.169.48 AMAZON-02US United States 57->164 166 162.0.220.48 ACPCA Canada 57->166 120 C:\Program Files (x86)\...\Tadinusile.exe, PE32 57->120 dropped 122 C:\...\Tadinusile.exe.config, XML 57->122 dropped 124 C:\Users\user\AppData\...\Rywukaemapae.exe, PE32 57->124 dropped 132 2 other files (none is malicious) 57->132 dropped 200 Detected unpacking (overwrites its own PE header) 57->200 69 irecord.exe 57->69         started        168 52.95.169.64 AMAZON-02US United States 61->168 170 2.20.142.209 AKAMAI-ASN1EU European Union 61->170 172 162.0.210.44 ACPCA Canada 61->172 126 C:\Program Files (x86)\...\Fesewevivo.exe, PE32 61->126 dropped 128 C:\...\Fesewevivo.exe.config, XML 61->128 dropped 130 C:\Users\user\AppData\...\Pygezhetyja.exe, PE32 61->130 dropped 134 2 other files (none is malicious) 61->134 dropped file17 signatures18 process19 file20 108 C:\Users\user\AppData\Local\...\irecord.tmp, PE32 69->108 dropped
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4ae0156d1ccca584c5ed35708b150e0649cd470f5b192653a578c215e5118c08/
Threat name:
Win32.Trojan.Fabookie
Create hunting rule
Status:
Malicious
First seen:
2021-03-28 17:29:44 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jlqbk3i4zssyjrpngvyiwfioaze42ryplmmsmu5fpdbblzirrqea._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:dridex family:redline family:vidar botnet:10111 botnet discovery evasion infostealer loader persistence spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210329-y97jqcz32x/
Behaviour
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
Dridex Loader
Dridex
RedLine
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
188.165.17.91:8443
185.229.225.1:6601
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/ebdb1ce8-e473-4bdc-a31e-5a2487acb9c1/
SH256 hash:
5e450adf356019a0ef810b3dde627bc55830a0f1ed0b3aa1db3136923bf99e29
MD5 hash:
09b14afe81897cc549a9dc15f7fa418d
SHA1 hash:
e1b6e7a4506d530ee19c8a0d902f4d35bc8abc7b
Link:
https://www.unpac.me/results/ebdb1ce8-e473-4bdc-a31e-5a2487acb9c1/
SH256 hash:
fc1c76c18adebd91d9d7478f3eb426b506bb5aaea0884e559e220920d3a1ce14
MD5 hash:
1dbf473671f386f8e2c3731ec1fef5c7
SHA1 hash:
00ce8e17678c40ecb5913da6e02842d684012d08
Link:
https://www.unpac.me/results/ebdb1ce8-e473-4bdc-a31e-5a2487acb9c1/
SH256 hash:
0a7e8a8ca5abd7a2598c8a04521b0cb5d006bc1fb212c0d94a9de7d7d579ffb8
MD5 hash:
460742790e2c251afc782a62c30d6f98
SHA1 hash:
a040d68ce94f48fa7b1e57f3d96ad76622fd40b7
Link:
https://www.unpac.me/results/ebdb1ce8-e473-4bdc-a31e-5a2487acb9c1/
SH256 hash:
428d84c3879d118c136c57673e800889a802549feeef83b3bf860e066de4921a
MD5 hash:
3528e0490efb8fd32946c497192d3df3
SHA1 hash:
7219cb99183815d947026b8b2dd99b2ae30e724a
Link:
https://www.unpac.me/results/ebdb1ce8-e473-4bdc-a31e-5a2487acb9c1/
SH256 hash:
b1e22b43ceb05c1b588029f2b4f47af41efb683baab39c805173fe0c1a0c8aab
MD5 hash:
02de795064ab81d5853e844113be2cd9
SHA1 hash:
54b89fee056abba7efa1efa54caa2f2e7db0e463
Link:
https://www.unpac.me/results/ebdb1ce8-e473-4bdc-a31e-5a2487acb9c1/
SH256 hash:
ec370246344eba77ba7475c81d7ab663f30b0c92c07ddb2124ed6f156881d66a
MD5 hash:
c0bd1a6f36890731f7f6e57e8d99479e
SHA1 hash:
3c11cd99c3615bf5cd1fae2bbedf7cc59f4cc17a
Link:
https://www.unpac.me/results/ebdb1ce8-e473-4bdc-a31e-5a2487acb9c1/
SH256 hash:
7641c1234ea497a045129e5b1998a189d66abc85336d5b696c2769a58e8e9d7f
MD5 hash:
96fddc9cd2ad7dd12f7c2cf39d7f69a0
SHA1 hash:
5fa75fa0dd318e3aea6d455071e43d93fe0d916c
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/ebdb1ce8-e473-4bdc-a31e-5a2487acb9c1/
Parent samples :
4ae0156d1ccca584c5ed35708b150e0649cd470f5b192653a578c215e5118c08
eb2b82c14b81523edd762536c3dcd308624821dd6840e8cabdf94327d55fcbf9
SH256 hash:
417c9b048550ef2a486c998f39e8d60918de839aa03e60bbdbc2cc6c90ba24be
MD5 hash:
d25a051d566dcdf7cbb81f164cfd2cb3
SHA1 hash:
f70eae9b42d540d1da015be50279ceb73ac9977d
Link:
https://www.unpac.me/results/ebdb1ce8-e473-4bdc-a31e-5a2487acb9c1/
SH256 hash:
4f26b1116009c0cf7c0399600cc6ebc7cce0b3d51e6c36fc5a5aaf561a0e5773
MD5 hash:
d9966bc71851ddf15845365f6c91e4cd
SHA1 hash:
657d6496e600927a598854be5ec1140ac284406f
Link:
https://www.unpac.me/results/ebdb1ce8-e473-4bdc-a31e-5a2487acb9c1/
SH256 hash:
5d65d4bf4607fa793cb2263db3cb57e6c275625afdb1cc673a2c2ac48c6ed1b0
MD5 hash:
0749f7869e1058fc19b8462b576623fe
SHA1 hash:
16581692a2958625e9d70c17feafd30442085137
Link:
https://www.unpac.me/results/ebdb1ce8-e473-4bdc-a31e-5a2487acb9c1/
SH256 hash:
27173eda4d02af0bad0ddbaa60cef5ecf9b6f75a888fd19dc9f645a7533c855a
MD5 hash:
eb93d6c4742de3d0028d2d94cc74d08e
SHA1 hash:
d2d701d3ee955daecada6f6960aa54f4d9b02684
Link:
https://www.unpac.me/results/ebdb1ce8-e473-4bdc-a31e-5a2487acb9c1/
SH256 hash:
b1cb83f588f7be152bf68c567cd2dd210ebf250882927b00cf4e93e6ab973b22
MD5 hash:
1df2bbc12fdfb9faae83cf299ceea391
SHA1 hash:
788e453c5a2a24524020338d485e64687baa4313
Link:
https://www.unpac.me/results/ebdb1ce8-e473-4bdc-a31e-5a2487acb9c1/
SH256 hash:
4ae0156d1ccca584c5ed35708b150e0649cd470f5b192653a578c215e5118c08
MD5 hash:
7bf8cb17d39796d800e22388d23e9fd5
SHA1 hash:
3327ba03c0fc25fc6a7f3c4fcbae40fde7ac0b07
Link:
https://www.unpac.me/results/ebdb1ce8-e473-4bdc-a31e-5a2487acb9c1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ae0156d1ccca584c5ed35708b150e0649cd470f5b192653a578c215e5118c08

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 4ae0156d1ccca584c5ed35708b150e0649cd470f5b192653a578c215e5118c08

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1095787/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/127823/

Comments