MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
SHA3-384 hash: c171b76624be2faadc0c8a84e3dcb68e2b806c5ce826f5c6b082422f05007a9a0cb446ac64c5286146016058a8a05649
SHA1 hash: a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
MD5 hash: 73491325fde5366b31c09da701d07dd6
humanhash: johnny-utah-north-winter
File name:setup_x86_x64_install.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:4'214'660 bytes
First seen:2021-09-19 19:38:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yptnr0G0JYxx0zDo1bUGOrl1zfyl3zaW8+c:yLnr0L2xKObNAg5c
Threatray 556 similar samples on MalwareBazaar
TLSH T15F16332B27D810AACC4DD97030BDF32B3B1825BB1684546FC711BB9462753B69E4FB4A
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter Anonymous
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189153/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/15c14c01-5b18-4d07-8cdb-ef8f3a494d5a
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853633
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 486064 Sample: setup_x86_x64_install.exe Startdate: 19/09/2021 Architecture: WINDOWS Score: 100 78 149.154.167.99 TELEGRAMRU United Kingdom 2->78 80 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->80 82 3 other IPs or domains 2->82 100 Multi AV Scanner detection for domain / URL 2->100 102 Antivirus detection for URL or domain 2->102 104 Antivirus detection for dropped file 2->104 106 15 other signatures 2->106 10 setup_x86_x64_install.exe 10 2->10         started        signatures3 process4 file5 46 C:\Users\user\AppData\...\setup_installer.exe, PE32 10->46 dropped 13 setup_installer.exe 20 10->13         started        process6 file7 48 C:\Users\user\AppData\...\setup_install.exe, PE32 13->48 dropped 50 C:\Users\user\AppData\...\Sun19eb40faaaa9.exe, PE32 13->50 dropped 52 C:\Users\user\AppData\...\Sun19e4ade31b2a.exe, PE32 13->52 dropped 54 15 other files (5 malicious) 13->54 dropped 16 setup_install.exe 1 13->16         started        process8 dnsIp9 74 172.67.142.91 CLOUDFLARENETUS United States 16->74 76 127.0.0.1 unknown unknown 16->76 98 Adds a directory exclusion to Windows Defender 16->98 20 cmd.exe 1 16->20         started        22 cmd.exe 16->22         started        24 cmd.exe 16->24         started        26 8 other processes 16->26 signatures10 process11 signatures12 29 Sun1917b8fb5f09db8.exe 4 65 20->29         started        34 Sun19eb40faaaa9.exe 22->34         started        36 Sun19e4ade31b2a.exe 24->36         started        108 Adds a directory exclusion to Windows Defender 26->108 38 Sun19de8ff4b6aefeb8.exe 26->38         started        40 Sun1908b94df837b3158.exe 26->40         started        42 Sun191101c1aaa.exe 26->42         started        44 3 other processes 26->44 process13 dnsIp14 84 37.0.10.214 WKD-ASIE Netherlands 29->84 92 11 other IPs or domains 29->92 56 C:\Users\...\ygvhMqDFuc1VyH0Du5NhGRV8.exe, PE32 29->56 dropped 58 C:\Users\...\xlojSmoch4ka3WGU44SCaOjD.exe, PE32 29->58 dropped 60 C:\Users\...\rg_V13qKtcsdKZYOF1EKeMnw.exe, PE32 29->60 dropped 70 45 other files (37 malicious) 29->70 dropped 110 Detected unpacking (creates a PE file in dynamic memory) 29->110 112 Drops PE files to the document folder of the user 29->112 114 Creates HTML files with .exe extension (expired dropper behavior) 29->114 116 Disable Windows Defender real time protection (registry) 29->116 94 2 other IPs or domains 34->94 72 12 other files (none is malicious) 34->72 dropped 118 Detected unpacking (changes PE section rights) 34->118 120 Detected unpacking (overwrites its own PE header) 34->120 122 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 34->122 130 2 other signatures 34->130 86 104.21.14.200 CLOUDFLARENETUS United States 36->86 62 C:\Users\user\AppData\Roaming\7017051.scr, PE32 36->62 dropped 64 C:\Users\user\AppData\Roaming\6568681.scr, PE32 36->64 dropped 66 C:\Users\user\AppData\Roaming\1738133.scr, PE32 36->66 dropped 124 Drops PE files with a suspicious file extension 36->124 88 194.87.138.125 MYLOC-ASIPBackboneofmyLocmanagedITAGDE Russian Federation 38->88 126 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 38->126 128 Checks if the current machine is a virtual machine (disk enumeration) 40->128 90 162.159.134.233 CLOUDFLARENETUS United States 42->90 68 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 42->68 dropped 96 4 other IPs or domains 44->96 file15 signatures16
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11/
Threat name:
Win32.Trojan.Fabookie
Create hunting rule
Status:
Malicious
First seen:
2021-09-19 19:39:07 UTC
AV detection:
30 of 45 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k2sgdjwmrlm4cdg4dum2clk55tvz5px3bsdrup6c5ob4izuupiiq._file
Verdict:
unknown
Similar samples:
1eb3574e7faa18d12759034dcc5a26ac90d79badef17cf1a744854d9a9e41cb0
ArkeiStealer
3cf08993fa4866df41dc37cec849e5a5e9d0bcb6ea6660c30130d9e2fd2f623d
ArkeiStealer
5248d778a816ffaed27e465deec140f4d79478a4aca7c5968d6eb926ac7c94f1
ArkeiStealer
547cc534323bdd58f2fb30611e0cae63dea9c2583cb8932ef5e6063b2a08fbcc
ArkeiStealer
7ec88d4baa0a97362a026cf6e0f46422379a99be6d9bfe19034152f3d47cc0ed
ArkeiStealer
8fe6c86b038ce91a991fe6eb8a9b323bb37b554ff6b4e5c18de3fe52d4aedf6d
ArkeiStealer
95070ee5eadc35fc22ec5818a4406261a776a28292576024bd58102126e2cb30
ArkeiStealer
a5f4eb3b915bcfdd72cb81b7d89c0c0fd6b190b637db6ffad25604d24985f9e8
ArkeiStealer
b566e04e4dde55640065fa942fcfa35ec3cb5f0c8b6057bfd0039ac4ebbc65f7
ArkeiStealer
+ 546 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:janesam aspackv2 backdoor infostealer stealer themida trojan
Link:
https://tria.ge/reports/210919-ycyyescde7/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
https://petrenko96.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
65.108.20.195:6774
Unpacked files
SH256 hash:
fea58ea431672f1c19c3188e2799febb7109562536c61891c5b09e9234b00606
MD5 hash:
a02fcf1984e958501da2ef4ac1565559
SHA1 hash:
b97003d8ce7c98c70a7a17a90b13f07046b9e129
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
03d079303a3164960677e57a587e86c3a5e7736fbde0ab7b9e60c4b8b2e50745
MD5 hash:
ae0bb0ef615f4606fbe1f050b6f08ca3
SHA1 hash:
f69b6d6496d8941ef53bca7c3578ad616cf5a4b1
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
beced4c3c8cccc27b66480d8a56eb900c9dd28572ad60468921dd4d78a1b364b
MD5 hash:
6e362e91b2c8f4c5484ef40b500d84f9
SHA1 hash:
ed0b8b13b0322749b52af12c5cbf905b4492ec25
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
7021f6eb468164afd5663d99d0acfd3f2d6f38562605dcb294e0088c5148712e
MD5 hash:
d7f7fcb202e9784f6a67b627eb0cd361
SHA1 hash:
b8bb8f17f671b7c28b7cb6047b2614dd7c7fc66e
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
d5d181fc66bff8f58d98af52a436db819a06e992c7791d6553b07f1b45fc280b
MD5 hash:
1e8f2a1903ddb13cf2947c490fc4cff6
SHA1 hash:
b3ca92219fd710a3eb31e4722ac68a32269d251a
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
1d04bbabdb6da4db379ca057ac0d63fb27d8891b01cf3ffcb94573be1853ecaf
MD5 hash:
d58b4be4f3dec4843801511def20ae7d
SHA1 hash:
90be9caf1efa58d6ea70ae6783bfc8e05bd9ea16
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
2786acd508f420bd2784a0d20908fd04c9fad26550f69907f41b8a06092047dc
MD5 hash:
67119e0db6641e1b3c46eaff40c8eb2c
SHA1 hash:
7114a71fc1113a82a449d57fe08b9ff60bec4da4
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
182434e255cf296571a5ba7d12a7e2b81debe18d0f30054cfce182c6205f56ff
MD5 hash:
78afba5ae90a314e879981b2c990af06
SHA1 hash:
3720c267afb066290ac57481c31ad03f39606990
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
660fabfa81b524950ed4ec9104659083adf3e3138fb9c01c058749244ba73494
MD5 hash:
26cd438e35fbc82bff99902a13fe9762
SHA1 hash:
2a1d2b2051c8acc1e2143c44df99021ce15ce9e1
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
cc4e7e253f0b1e33fd0e5c0401b96c80e9f90c73b4eac7809096f481dd24fd87
MD5 hash:
27d2e64464787e25443d013067bd5142
SHA1 hash:
28f650ff559aa0d5ad4fb9e70104b051af07331a
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
bbe7d6e50b7b2229d023aa7170b52d2fa3e63646c6232c25102fa121d1a4534e
MD5 hash:
9535f08bd5920f84ac344f8884fe155d
SHA1 hash:
05acf56d12840558ebc17a138d4390dad7a96d5a
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
0fbd853a669d4590b44cda0525f41aa99175133be439db7ca9cd575a2af2636b
MD5 hash:
bb4e4f419dbe419d5cdca7e8534ac023
SHA1 hash:
cdacd0ad82dcefa585734e751b1cea42161a9033
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash:
4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash:
a67cf6a62a6cabec501aa2f14e97c48b71dbd97c
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
5f463952815ce4f763e9f4b3b72ed70ad82f74a69a271fc2b1588055c3fec4cc
MD5 hash:
21775ff041e7277d87aa8fdf1e09da6c
SHA1 hash:
6dd1d6716cb93adef6c9b39490a79e77fd5396c9
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
71493706e970b00dd10db3cfbbcaf24ea44a9a8cb675b96b34c8c0dcb221574b
MD5 hash:
ff159c746ac7fc9ae38909b1d1666d61
SHA1 hash:
6cc88a364b0f4456180039db7b049a65196929d0
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
cf3fc6b2153b5bbd18fc446ff34d20170d17c0c6585553859deb569411531386
MD5 hash:
eb7cae4c891f54b6886ce5b71fed7a92
SHA1 hash:
f5e0e0120ae08cf136bc1ecd0db6f9c7372a9a16
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
579dd4abc787f444e4d902449c3035863b3d081c65e421cc873a66ac19ae81c4
MD5 hash:
49ab3cdd8b3fa4ec40ec78deb610732a
SHA1 hash:
09a0d458d445fdf551262462385d6e5067793427
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
fbab1972d89a644f5e2971a02de9cecfd4189e9d1c9687c949180d794192eb97
MD5 hash:
5812468369fc3878debe081517610cd0
SHA1 hash:
faef8b7e3b204b26f7de2488d25c037fa4c4c421
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
d5ec6ffb64552def215f10b97347c40c0a88ef77cf226b5216b84a2b8f46eec5
MD5 hash:
30e665964690ad3b0bb3f366f0bfe5cf
SHA1 hash:
cce8903e2206f31117299f5b2b52b04e4e74f37d
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
e7b345d6e136418e3468cfb59a02280b97ab98b650d9155077630c6eb513d72a
MD5 hash:
7c47416f644806b63d87b2982d251ea2
SHA1 hash:
4354907772cfa6bbcf16e5a6e2901733bf5d76be
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
SH256 hash:
56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
MD5 hash:
73491325fde5366b31c09da701d07dd6
SHA1 hash:
a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
Link:
https://www.unpac.me/results/ef34965a-01fc-4a1f-a9bc-3aa3112232a5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189153/

Comments