MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52e86edaba718d1876ad5fb921a189e705cf3a72887c63db49ea9faf8e85ea7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52e86edaba718d1876ad5fb921a189e705cf3a72887c63db49ea9faf8e85ea7e
SHA3-384 hash: b1b64ee15cb233729ed6872a377d8237a5a680c4614631833aaac6408b60efc737323a2178012911e26388bef420be9a
SHA1 hash: 76c76c241717146fa9b7953a364b1035cac2ab5e
MD5 hash: 536b15211fef61937030b32ee9289e7a
humanhash: friend-stairway-solar-aspen
File name:igfxsvscss.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'150'976 bytes
First seen:2020-08-27 05:34:31 UTC
Last seen:2020-08-27 08:30:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:KP6ju/hD8Jsq4+477iJzQYOw6RaD7y1xZIPCC+:K9qtD7y1UPCC
Threatray 8 similar samples on MalwareBazaar
TLSH A2355C65E3991A65C2BE0AB6C4ADC904C3ECE1835FB7EBDE643465F9A8423070D4E347
Reporter abuse_ch
Tags:ArkeiStealer CrimsonRAT exe nVpn RAT


Avatar
abuse_ch
Malspam distributing CrimsonRAT:

HELO: mail.novatronica.com
Sending IP: 195.22.29.130
From: Diane Walker <rmiskoff@ewrzone.com>
Subject: PO009844132
Attachment: PO009844132.xlsm

CrimsonRAT C2:
185.140.53.221:3489

Hosted on nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU3
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-07-28T20:56:03Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'704
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51580/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.CrimsonRAT.BMTB.10999.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Sending a TCP request to an infection source
Result
Threat name:
Oski
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/452259
Signature
a
c
d
e
i
k
l
O
r
s
t
Y
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52e86edaba718d1876ad5fb921a189e705cf3a72887c63db49ea9faf8e85ea7e/
Threat name:
ByteCode-MSIL.Trojan.CrimsonRAT
Create hunting rule
Status:
Malicious
First seen:
2020-08-27 05:36:06 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
2eaf25d2c99eb49743060031a22428bb7c8e78a99869638cfe43b977dda57f22
ArkeiStealer
3e3ab416abadd9093b15f9dcce92f3530709aba8addff16a74e89bd3a7bfd8fd
ArkeiStealer
41eef1a870eaea8573585611d3fd3b9f0fb30ed20ffe94e7082b8925b12c329d
ArkeiStealer
bc742c33c446a25e6482c4209436088415d5c89a7f8ab66f37f16006d62344ac
ArkeiStealer
c9783969d5474b7035fab8eb6acfedd475ec7297cd8042f5a188b21c48b9491a
ArkeiStealer
ef72449dd56a1628cc56a50809c914fef2b5a59ca51b06e78e1c822d8938252d
ArkeiStealer
f32e731527a2a3fa24a75c8732c2e236dfb6dd4f09c50add479d6cf9e018d34c
ArkeiStealer
f9b7ef320dd7f76be9bdf12f14f0875a9f52165b989376cd1f2e2d23cdb52fe5
ArkeiStealer
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200827-tzbrds13as/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52e86edaba718d1876ad5fb921a189e705cf3a72887c63db49ea9faf8e85ea7e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

CrimsonRAT

Excel file xlsm 2c85738faf54a7e87518c8b842cb632c1c2a8ceb80c209cbab3a9e552e05527d

ArkeiStealer

Executable exe 52e86edaba718d1876ad5fb921a189e705cf3a72887c63db49ea9faf8e85ea7e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/444957/
  
Dropped by
MD5 5ef8659d83c6b936d3e72235620712b6
  
Dropped by
SHA256 2c85738faf54a7e87518c8b842cb632c1c2a8ceb80c209cbab3a9e552e05527d
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/51580/

Comments