MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 640df13e7605d0fd539eaac1474643d4e6ab2f3519cab2450f9b755778dfac6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 640df13e7605d0fd539eaac1474643d4e6ab2f3519cab2450f9b755778dfac6e
SHA3-384 hash: 44304bebbb48384a4ac637a2976a940750bc54a451f7b8f5585d8f297eb693feb76bf790f3a776e0182bdc980054e7a9
SHA1 hash: d9ba132522803b81eb70ca81f7ff5922fab33527
MD5 hash: 94fed52e8630b37790927fc7cf29f71c
humanhash: wisconsin-december-kitten-stairway
File name:sonia_2.txt
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:242'688 bytes
First seen:2021-07-28 16:44:38 UTC
Last seen:2021-07-28 17:46:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 25027d61d8944eeff611c4ecc2e7c65c (3 x ArkeiStealer, 2 x Smoke Loader, 2 x GCleaner)
ssdeep 6144:95gqvqyT75d74jfQK3ZzZkgM1DBbPlcmyjxU:xqyf5d74j1pzqbFtPlFyW
Threatray 18 similar samples on MalwareBazaar
TLSH T168349E20B6E0C035F5F712FA49B99368792D7AB26F2451CF62D626EE06346E4DC31387
dhash icon ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter CholeVallabh
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
sonia_2.txt
Verdict:
No threats detected
Analysis date:
2021-07-28 16:48:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7f7a6884-87e5-43b9-b442-a9fa36e8d18f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174729/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.10659.10263.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a566a611-017f-435f-99e2-513743d97a76
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823242
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 455651 Sample: sonia_2.txt Startdate: 28/07/2021 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Antivirus detection for URL or domain 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 8 other signatures 2->54 8 sonia_2.exe 2->8         started        11 iagthab 2->11         started        process3 signatures4 70 Detected unpacking (changes PE section rights) 8->70 72 Maps a DLL or memory area into another process 8->72 74 Checks if the current machine is a virtual machine (disk enumeration) 8->74 13 explorer.exe 6 8->13 injected 76 Multi AV Scanner detection for dropped file 11->76 78 Creates a thread in another existing process (thread injection) 11->78 process5 dnsIp6 42 152.89.247.174, 49741, 80 COMBAHTONcombahtonGmbHDE Germany 13->42 44 187.212.177.42, 49739, 49753, 80 UninetSAdeCVMX Mexico 13->44 46 4 other IPs or domains 13->46 26 C:\Users\user\AppData\Roaming\iagthab, PE32 13->26 dropped 28 C:\Users\user\AppData\Local\Temp\7051.exe, PE32 13->28 dropped 30 C:\Users\user\AppData\Local\Temp\6340.exe, PE32 13->30 dropped 32 C:\Users\user\...\iagthab:Zone.Identifier, ASCII 13->32 dropped 80 System process connects to network (likely due to code injection or exploit) 13->80 82 Benign windows process drops PE files 13->82 84 Deletes itself after installation 13->84 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->86 18 7051.exe 14 32 13->18         started        22 6340.exe 15 25 13->22         started        file7 signatures8 process9 dnsIp10 34 ynetellyan.xyz 89.223.29.111, 49768, 49773, 80 TRADERSOFTRU Russian Federation 18->34 36 api.ip.sb 18->36 56 Detected unpacking (changes PE section rights) 18->56 58 Detected unpacking (overwrites its own PE header) 18->58 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->60 68 3 other signatures 18->68 24 conhost.exe 18->24         started        38 185.215.113.114, 49767, 49771, 49772 WHOLESALECONNECTIONSNL Portugal 22->38 40 api.ip.sb 22->40 62 Multi AV Scanner detection for dropped file 22->62 64 Machine Learning detection for dropped file 22->64 66 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 22->66 signatures11 process12
Gathering data
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 16:45:07 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1c259208bdea5d896335c7a22d7a3048e4cfe0c7578a466f8faad880446f4e02
ArkeiStealer
2d80eb1f45fbbfa834211cb26597c463d3033217afa53cd9727f4030cf25e122
ArkeiStealer
36f56846e17922419f456453b3fe7e85ee95e0aed1fac5cdbfed9174e1523add
ArkeiStealer
461edbd6fb0c418598aeb3873c4bd4f7837ab93ea946324dfc88595f195f8ddf
ArkeiStealer
6b4d4a61ef4fbabcb304b9c5665cc3e6c2ea866fba7d848094fe93ee6580411f
ArkeiStealer
bac4a89d948dc9dce4b4b3c2a6bad222a052c6a3a5a4190e0a61cdf46b4c22c7
ArkeiStealer
bc80d1fb5849235c0a8f7938a972f1fae4cb52cbe418b7be6229512f3a3c1373
ArkeiStealer
d4e1c7562172f7e075f9c87630d6e4e363514157ef85b2cef463799354466d6f
ArkeiStealer
e91878bc507051fd594e422452cc31d4dc9f26af8f79b7499f6c04303ffbbcb2
ArkeiStealer
fb2e2174a3ec526861932043c1aa5b5e62e3abed0bb73e88e495eab66635e758
ArkeiStealer
+ 8 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:vidar botnet:202 botnet:517 botnet:sewpalpadin backdoor discovery infostealer persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210728-cyhm6568sj/
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
185.215.113.114:8887
ynetellyan.xyz:80
https://shpak125.tumblr.com/
Unpacked files
SH256 hash:
207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9
MD5 hash:
4955a27a03f35933fdbd801f425b6c58
SHA1 hash:
97f3b8f33fd1a49cf9db5a246d996047beef3c12
Link:
https://www.unpac.me/results/4cce5d48-83ec-4908-b0fa-8c4ea6e13795/
Parent samples :
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
SH256 hash:
640df13e7605d0fd539eaac1474643d4e6ab2f3519cab2450f9b755778dfac6e
MD5 hash:
94fed52e8630b37790927fc7cf29f71c
SHA1 hash:
d9ba132522803b81eb70ca81f7ff5922fab33527
Link:
https://www.unpac.me/results/4cce5d48-83ec-4908-b0fa-8c4ea6e13795/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/640df13e7605d0fd539eaac1474643d4e6ab2f3519cab2450f9b755778dfac6e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/174729/

Comments