MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f9f2d3789809c1f34877a5cd109aabeccea14c1cfe423ea271cc7cd0178b23a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments

SHA256 hash: 4f9f2d3789809c1f34877a5cd109aabeccea14c1cfe423ea271cc7cd0178b23a
SHA3-384 hash: df60f29de4b0579c6046c1890eb7c1a467fd547b6147b4a0fb18341081f5c9d1700c8670db6b703ea10fa42251731e68
SHA1 hash: 07ad8ba7432a6c1a92f63dba83ca1b64dca94184
MD5 hash: ca9543de32176130dd7c0691abe93d66
humanhash: equal-happy-bakerloo-saturn
File name:ca9543de32176130dd7c0691abe93d66.exe
Download: download sample
Signature ArkeiStealer
File size:340'480 bytes
First seen:2021-12-28 02:20:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 39de84e7a601fa8861e0e6a8c8b0a138 (4 x Smoke Loader, 3 x ArkeiStealer, 2 x RedLineStealer)
ssdeep 6144:g/+GzERrQfYAaRLiiG7svRiGKj3l6Hy1B//pzEQ:g/+90kLiiIsvEGKjsS1BGQ
Threatray 6'370 similar samples on MalwareBazaar
TLSH T16C747B10B7A0D035F2B3A6F44AB99275A52F7AE16B2491CB13D527EE9B355D0EC3030B
File icon (PE):PE icon
dhash icon e8f8e8e8aa66a499 (5 x RaccoonStealer, 4 x ArkeiStealer, 3 x RedLineStealer)
Reporter @abuse_ch
Tags:ArkeiStealer exe


Twitter
@abuse_ch
ArkeiStealer C2:
http://116.202.188.27/

Intelligence


File Origin
# of uploads :
1
# of downloads :
224
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ca9543de32176130dd7c0691abe93d66.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-28 02:22:32 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Query of malicious DNS domain
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Unauthorized injection to a system process
Forced shutdown of a browser
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
RedLine SmokeLoader Tofsee Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses dynamic DNS services
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 545822 Sample: 4BfFNMA5mb.exe Startdate: 28/12/2021 Architecture: WINDOWS Score: 100 91 s3-w.us-east-1.amazonaws.com 2->91 93 s3-1-w.amazonaws.com 2->93 95 6 other IPs or domains 2->95 117 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->117 119 Multi AV Scanner detection for domain / URL 2->119 121 Found malware configuration 2->121 123 17 other signatures 2->123 11 4BfFNMA5mb.exe 2->11         started        13 svchost.exe 2->13         started        16 jutawrs 2->16         started        18 10 other processes 2->18 signatures3 process4 dnsIp5 21 4BfFNMA5mb.exe 11->21         started        145 Changes security center settings (notifications, updates, antivirus, firewall) 13->145 24 MpCmdRun.exe 1 13->24         started        147 Machine Learning detection for dropped file 16->147 26 jutawrs 16->26         started        97 192.168.2.1 unknown unknown 18->97 signatures6 process7 signatures8 125 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->125 127 Maps a DLL or memory area into another process 21->127 129 Checks if the current machine is a virtual machine (disk enumeration) 21->129 131 Creates a thread in another existing process (thread injection) 21->131 28 explorer.exe 10 21->28 injected 33 conhost.exe 24->33         started        process9 dnsIp10 103 185.233.81.115, 443, 49768 SUPERSERVERSDATACENTERRU Russian Federation 28->103 105 downloafilesaccess.ddns.net 155.248.231.246, 443, 49874 SUN-JAVAUS United States 28->105 107 16 other IPs or domains 28->107 83 C:\Users\user\AppData\Roaming\jutawrs, PE32 28->83 dropped 85 C:\Users\user\AppData\Local\Temp\F3F5.exe, PE32 28->85 dropped 87 C:\Users\user\AppData\Local\Temp936.exe, PE32 28->87 dropped 89 10 other files (9 malicious) 28->89 dropped 149 System process connects to network (likely due to code injection or exploit) 28->149 151 Benign windows process drops PE files 28->151 153 Deletes itself after installation 28->153 155 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->155 35 E936.exe 127 28->35         started        40 2AA1.exe 28->40         started        42 A3D.exe 28->42         started        44 F3F5.exe 2 28->44         started        file11 signatures12 process13 dnsIp14 99 file-file-host4.com 35->99 75 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 35->75 dropped 77 C:\ProgramData\sqlite3.dll, PE32 35->77 dropped 133 Detected unpacking (changes PE section rights) 35->133 135 Detected unpacking (overwrites its own PE header) 35->135 137 Machine Learning detection for dropped file 35->137 143 3 other signatures 35->143 46 cmd.exe 35->46         started        139 Multi AV Scanner detection for dropped file 40->139 48 2AA1.exe 40->48         started        141 Injects a PE file into a foreign processes 42->141 51 A3D.exe 42->51         started        79 C:\Users\user\AppData\Local\...\almerphs.exe, PE32 44->79 dropped 54 cmd.exe 44->54         started        57 cmd.exe 44->57         started        59 sc.exe 44->59         started        61 sc.exe 44->61         started        file15 signatures16 process17 dnsIp18 63 conhost.exe 46->63         started        65 timeout.exe 46->65         started        109 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 48->109 111 Maps a DLL or memory area into another process 48->111 113 Checks if the current machine is a virtual machine (disk enumeration) 48->113 115 Creates a thread in another existing process (thread injection) 48->115 101 86.107.197.138, 38133, 49851 MOD-EUNL Romania 51->101 81 C:\Windows\SysWOW64\...\almerphs.exe (copy), PE32 54->81 dropped 67 conhost.exe 54->67         started        69 conhost.exe 57->69         started        71 conhost.exe 59->71         started        73 conhost.exe 61->73         started        file19 signatures20 process21
Threat name:
Win32.Trojan.Raccrypt
Status:
Malicious
First seen:
2021-12-27 17:44:28 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:arkei family:raccoon family:smokeloader family:tofsee family:vidar botnet:00b9ef74cc2da2804ff92130988ca7c6037e190d botnet:10da56e7e71e97bdc1f36eb76813bbc3231de7e4 botnet:408 backdoor discovery evasion persistence spyware stealer trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
VMProtect packed file
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Arkei
Raccoon
SmokeLoader
Tofsee
Vidar
Windows security bypass
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
patmushta.info
parubey.info
https://noc.social/@kipriauk10
https://c.im/@kipriauk11
Dropper Extraction:
https://antivirf.ru/frome.exe
Unpacked files
SH256 hash:
196c516ea546fb935ac669681a74a4dc80da79d9088f464f6cc6f126ae934f4e
MD5 hash:
c36de8bc9668ec4eaafca4c349dca0d5
SHA1 hash:
ea2cadfada69b93ca3abeb8b2462c5c18891fabf
SH256 hash:
4f9f2d3789809c1f34877a5cd109aabeccea14c1cfe423ea271cc7cd0178b23a
MD5 hash:
ca9543de32176130dd7c0691abe93d66
SHA1 hash:
07ad8ba7432a6c1a92f63dba83ca1b64dca94184

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://116.202.188.27/ https://threatfox.abuse.ch/ioc/287975

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 4f9f2d3789809c1f34877a5cd109aabeccea14c1cfe423ea271cc7cd0178b23a

(this sample)

  
Delivery method
Distributed via web download

Comments