MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6552cf64c39a8bd219e97300c065290e11394898334a02f916f58566e2fbc7d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 10



SHA256 hash: 6552cf64c39a8bd219e97300c065290e11394898334a02f916f58566e2fbc7d7
SHA3-384 hash: 5911c2e24c2cee32e44d28da69a1d58190cab95b0db81ff42d787b3c4a6719fb9b2686d405956333295ee06947d712df
SHA1 hash: 567e41a5259510443a063f001d7bfc25420269f9
MD5 hash: 9d5a41bd75da3d05b730222056eab244
humanhash: nineteen-alabama-lion-arkansas
File name: x86_x64_setup.exe
Signature: ArkeiStealer
File size: 3'450'056 bytes
First seen: 2021-05-14 14:33:17 UTC
Last seen: 2021-05-14 15:01:32 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep: 98304:t22P3RbOBWvTrinjMUBlAat3HeqMVPnqHhYImN0BbAO:tJZbOUvToMElAat3eqMVQCMP
Threatray: 1 similar samples on MalwareBazaar
TLSH: 8BF53386D7500871F6C10EF458E59B3392BCE8D154F8FB29B9A25F4C5B3B924B22A707
Reporter: LittleRedBean2
Tags: exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 169
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: x86_x64_setup.exe
Verdict: No threats detected
Analysis date: 2021-05-14 14:49:26 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
DNS request
Searching for the window
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Running batch commands
Deleting a recently created file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Socelars Vidar
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Double Extension
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Writes to foreign memory regions
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph: Behavior Graph ID 414360, sample x86_x64_setup.exe, start date 14/05/2021, architecture WINDOWS, score 100 (rendered process/file/network graph not reproduced here; its signatures are those listed above).
Threat name: Win32.Trojan.GenericML
Status: Malicious
First seen: 2021-05-14 14:34:08 UTC
AV detection: 24 of 47 (51.06%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags:
family:cryptbot family:fickerstealer family:plugx family:redline family:smokeloader family:vidar family:xmrig aspackv2 backdoor infostealer miner persistence spyware stealer trojan vmprotect
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
XMRig Miner Payload
CryptBot
CryptBot Payload
PlugX
RedLine
RedLine Payload
SmokeLoader
Vidar
fickerstealer
xmrig
Malware Config
C2 Extraction:
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog
Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
ArkeiStealer
Executable exe 6552cf64c39a8bd219e97300c065290e11394898334a02f916f58566e2fbc7d7 (this sample)

Delivery method: Distributed via web download

Comments



accidentalrebel commented on 2021-05-14 15:08:54 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [F0002.002] Collection::Polling
2) [C0032.001] Data Micro-objective::CRC32::Checksum
3) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0045] File System Micro-objective::Copy File
7) [C0046] File System Micro-objective::Create Directory
8) [C0048] File System Micro-objective::Delete Directory
9) [C0047] File System Micro-objective::Delete File
10) [C0049] File System Micro-objective::Get File Attributes
11) [C0051] File System Micro-objective::Read File
12) [C0050] File System Micro-objective::Set File Attributes
13) [C0052] File System Micro-objective::Writes File
14) [E1510] Impact::Clipboard Modification
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
17) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0017] Process Micro-objective::Create Process
23) [C0038] Process Micro-objective::Create Thread
24) [C0018] Process Micro-objective::Terminate Process