MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 676f868fe044e51b3edcefeb79e1a37768c931c6231f31b28b8c6d5f593f9cd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 676f868fe044e51b3edcefeb79e1a37768c931c6231f31b28b8c6d5f593f9cd6
SHA3-384 hash: 603a5750d831e18aab68d5b98608351072f8c579f497b3038154c5f47dad2363ff0b907b5ef87b7d100ba66cd4efedc4
SHA1 hash: d073e7e90f4dc8b550f8a60b2dc9c63c58964a5d
MD5 hash: 79aae34f2377e644cacc200aa7d8d4cc
humanhash: hawaii-oxygen-utah-bluebird
File name:676f868fe044e51b3edcefeb79e1a37768c931c6231f31b28b8c6d5f593f9cd6
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:734'208 bytes
First seen:2020-07-29 07:13:38 UTC
Last seen:2020-07-29 07:53:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a63a2fada56a1103d06ab42a4cb5c15d (1 x ArkeiStealer)
ssdeep 12288:p6n4FnutdJrbwEU4pOWRLwPdMAnh2EVaGwHwiu2aa3GVI6ysicjH1Y/qz4xm:p6nUnGpBlJwllh2EVa5wigI69icRiE4E
TLSH 5AF4121035B2D072C17265B05205E73A8F3AB13062A6E9473B29EB3D5F352D1CBB7796
Reporter JAMESWT_WT
Tags:ArkeiStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34323/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a window
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with Startup directory
Sending an HTTP GET request to an infection source
Changing the hosts file
Result
Threat name:
Djvu Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/401494
Signature
Bypasses PowerShell execution policy
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables the Windows task manager (taskmgr)
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Mutes Antivirus updates and installments via hosts file black listing
Removes signatures from Windows Defender
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 252989 Sample: ot2cz0OTdC Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 93 api.2ip.ua 2->93 121 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->121 123 Found ransom note / readme 2->123 125 Yara detected Vidar stealer 2->125 127 9 other signatures 2->127 12 ot2cz0OTdC.exe 1 18 2->12         started        17 ot2cz0OTdC.exe 13 2->17         started        19 ot2cz0OTdC.exe 2->19         started        21 2 other processes 2->21 signatures3 process4 dnsIp5 99 api.2ip.ua 77.123.139.189, 443, 49708, 49709 VOLIA-ASUA Ukraine 12->99 79 C:\Users\user\AppData\...\ot2cz0OTdC.exe, PE32 12->79 dropped 81 C:\Users\...\ot2cz0OTdC.exe:Zone.Identifier, ASCII 12->81 dropped 137 Detected unpacking (changes PE section rights) 12->137 139 Detected unpacking (overwrites its own PE header) 12->139 141 Writes many files with high entropy 12->141 23 ot2cz0OTdC.exe 1 28 12->23         started        28 icacls.exe 12->28         started        101 192.168.2.1 unknown unknown 17->101 file6 signatures7 process8 dnsIp9 95 cjto.top 84.38.180.106, 49710, 49711, 49713 SELECTELRU Russian Federation 23->95 97 api.2ip.ua 23->97 69 C__Windows_SystemA...e_Desktop_20[1].txt, DOS 23->69 dropped 71 C__Windows_SystemA...e_Desktop_14[1].txt, DOS 23->71 dropped 73 C:\Users\user\AppData\Local\...\5[1].exe, PE32 23->73 dropped 75 121 other files (118 malicious) 23->75 dropped 129 Modifies existing user documents (likely ransomware behavior) 23->129 30 5.exe 23->30         started        35 updatewin1.exe 2 23->35         started        37 updatewin2.exe 23->37         started        file10 signatures11 process12 dnsIp13 103 sealorgames.com 169.239.128.70, 49718, 80 ZAPPIE-HOST-ASZappieHostGB Seychelles 30->103 105 ip-api.com 208.95.112.1, 49720, 80 TUT-ASUS United States 30->105 83 CH_d06ed635-68f6-4...57b9a5899495934.zip, Zip 30->83 dropped 85 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 30->85 dropped 87 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 30->87 dropped 91 10 other files (none is malicious) 30->91 dropped 107 Detected unpacking (changes PE section rights) 30->107 109 Detected unpacking (overwrites its own PE header) 30->109 111 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 30->111 119 3 other signatures 30->119 39 cmd.exe 30->39         started        41 updatewin1.exe 35->41         started        89 C:\Windows\System32\drivers\etc\hosts, ASCII 37->89 dropped 113 Mutes Antivirus updates and installments via hosts file black listing 37->113 115 Machine Learning detection for dropped file 37->115 117 Modifies the hosts file 37->117 file14 signatures15 process16 file17 45 conhost.exe 39->45         started        47 taskkill.exe 39->47         started        77 C:\Users\user\AppData\Local\script.ps1, ASCII 41->77 dropped 131 Suspicious powershell command line found 41->131 133 Removes signatures from Windows Defender 41->133 135 Disables the Windows task manager (taskmgr) 41->135 49 powershell.exe 41->49         started        51 powershell.exe 41->51         started        53 MpCmdRun.exe 41->53         started        55 cmd.exe 41->55         started        signatures18 process19 process20 57 powershell.exe 49->57         started        59 conhost.exe 49->59         started        61 conhost.exe 51->61         started        63 conhost.exe 53->63         started        65 conhost.exe 55->65         started        process21 67 conhost.exe 57->67         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/676f868fe044e51b3edcefeb79e1a37768c931c6231f31b28b8c6d5f593f9cd6/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 01:32:00 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
40 of 48 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m5xynd7aitsrwpw457vxtyndo5umsmogemptdmulrrwv6wj7ttla._file
Verdict:
unknown
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware persistence discovery evasion family:djvu
Link:
https://tria.ge/reports/200729-4y1nj2vsga/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of WriteProcessMemory
Kills process with taskkill
Checks installed software on the system
Looks up external IP address via web service
JavaScript code in executable
Adds Run key to start application
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Drops file in Drivers directory
Disables Task Manager via registry modification
Modifies extensions of user files
Deletes Windows Defender Definitions
Djvu Ransomware
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/676f868fe044e51b3edcefeb79e1a37768c931c6231f31b28b8c6d5f593f9cd6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34323/

Comments