MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ba535a8a1c78fd8848f083696ee0ca22f31b89e2c162f01994826a9e96efb29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ba535a8a1c78fd8848f083696ee0ca22f31b89e2c162f01994826a9e96efb29
SHA3-384 hash: 727b23844ced7145be1bf18acd68012b40bd5910b74fcbbf7a973a36a6d91e0520efaea606b1dab994ed8c754fcadae2
SHA1 hash: d0a2d8ee2a271958e62abf9511afa75635b7dc8b
MD5 hash: c92f235056deb43a40e378ad95ca31dd
humanhash: illinois-twenty-connecticut-asparagus
File name:C92F235056DEB43A40E378AD95CA31DD.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:21'368'878 bytes
First seen:2021-03-27 20:00:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 393216:g+7o4oZQQpjFQuz8xV9N4EAW9gX3T+cNbwvxA0Hon+k8benNYhP64zXNjOus:boSduzK7NkW9gT+YiJK8bAsJls
Threatray 138 similar samples on MalwareBazaar
TLSH 58273376FA254CB1D2D49936C89F4B2839B7A508935CE82F79F6480FCDB27490D8839C
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://data.parafia-strumiany.pl/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://data.parafia-strumiany.pl/ https://threatfox.abuse.ch/ioc/5527/

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'272
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Rasftuby-9841222-0
Create hunting rule

SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Sending a UDP request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Searching for the window
Creating a file in the Windows subdirectories
DNS request
Sending an HTTP GET request
Reading critical registry keys
Sending a custom TCP request
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Replacing files
Delayed writing of the file
Launching a process
Running batch commands
Moving a file to the Program Files subdirectory
Connecting to a non-recommended domain
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Forced shutdown of a browser
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/655929
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DNS related to crypt mining pools
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample uses process hollowing technique
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 376900 Sample: 4FNTlzlu10.exe Startdate: 27/03/2021 Architecture: WINDOWS Score: 100 138 connect.facebook.net 2->138 140 www.investinae.com 2->140 142 56 other IPs or domains 2->142 192 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->192 194 Found malware configuration 2->194 196 Antivirus detection for URL or domain 2->196 200 17 other signatures 2->200 10 4FNTlzlu10.exe 14 18 2->10         started        13 MicrosoftUOzgAQSNyWnEf_q6qNb8kk9HUpdater.exe 2->13         started        17 haleng.exe 2->17         started        19 h6SOuMTDos9aNHnKzN8iAOcw.exe 2->19         started        signatures3 198 May check the online IP address of the machine 138->198 process4 dnsIp5 114 C:\Program Files (x86)\...\trSagPovgx6c.exe, PE32 10->114 dropped 116 C:\Program Files (x86)\...\hjjgaa.exe, PE32 10->116 dropped 118 C:\Program Files (x86)\...\RunWW.exe, PE32 10->118 dropped 126 6 other files (3 malicious) 10->126 dropped 21 RunWW.exe 86 10->21         started        26 LabPicV3.exe 10->26         started        28 PlayerUI4.exe 17 5 10->28         started        36 5 other processes 10->36 178 172.67.162.110 CLOUDFLARENETUS United States 13->178 180 www.investinae.com 13->180 188 10 other IPs or domains 13->188 120 C:\Users\...\Owd2vtXX8PKDNXUjcwrcZCuI.exe, PE32 13->120 dropped 122 Microsoftmp_ti4T2Z...7yGpHCPHUpdater.exe, PE32 13->122 dropped 218 Drops PE files to the document folder of the user 13->218 220 May check the online IP address of the machine 13->220 222 Creates multiple autostart registry keys 13->222 182 69.171.250.35 FACEBOOKUS United States 17->182 184 www.facebook.com 17->184 190 4 other IPs or domains 17->190 124 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 17->124 dropped 30 jfiag3g_gg.exe 17->30         started        32 jfiag3g_gg.exe 17->32         started        186 pastebin.com 19->186 34 WerFault.exe 19->34         started        file6 signatures7 process8 dnsIp9 152 3 other IPs or domains 21->152 76 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 21->76 dropped 90 11 other files (none is malicious) 21->90 dropped 202 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->202 204 Tries to steal Instant Messenger accounts or passwords 21->204 206 Tries to steal Mail credentials (via file access) 21->206 216 2 other signatures 21->216 38 cmd.exe 21->38         started        78 C:\Users\user\AppData\Local\...\LabPicV3.tmp, PE32 26->78 dropped 40 LabPicV3.tmp 26->40         started        144 103.124.106.203, 49729, 80 DEDIPATH-LLCUS India 28->144 146 file.ekkggr3.com 104.21.66.169, 49733, 80 CLOUDFLARENETUS United States 28->146 154 12 other IPs or domains 28->154 80 C:\Users\...\h6SOuMTDos9aNHnKzN8iAOcw.exe, PE32 28->80 dropped 82 MicrosoftUOzgAQSNy...qNb8kk9HUpdater.exe, PE32 28->82 dropped 208 Creates multiple autostart registry keys 28->208 44 h6SOuMTDos9aNHnKzN8iAOcw.exe 28->44         started        148 101.36.107.74, 49713, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 36->148 150 ip-api.com 208.95.112.1, 49708, 49725, 80 TUT-ASUS United States 36->150 156 4 other IPs or domains 36->156 84 C:\Users\user\Services.exe, PE32+ 36->84 dropped 86 C:\Users\user\AppData\Local\Temp\haleng.exe, PE32 36->86 dropped 88 C:\Users\user\Documents\...\jg7_7wjg.exe, MS-DOS 36->88 dropped 92 2 other files (none is malicious) 36->92 dropped 210 Tries to harvest and steal browser information (history, passwords, etc) 36->210 212 Sample uses process hollowing technique 36->212 214 Injects a PE file into a foreign processes 36->214 46 jfiag3g_gg.exe 36->46         started        48 main.exe 36->48         started        50 jfiag3g_gg.exe 36->50         started        52 2 other processes 36->52 file10 signatures11 process12 dnsIp13 54 conhost.exe 38->54         started        56 taskkill.exe 38->56         started        58 timeout.exe 38->58         started        158 s3-r-w.eu-north-1.amazonaws.com 52.95.170.36, 49716, 80 AMAZON-02US United States 40->158 160 labstation2.s3.eu-north-1.amazonaws.com 40->160 94 C:\Users\user\AppData\Local\...\ppppppfy.exe, PE32 40->94 dropped 96 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 40->96 dropped 98 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 40->98 dropped 100 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 40->100 dropped 60 ppppppfy.exe 40->60         started        162 104.23.98.190, 443, 49740 CLOUDFLARENETUS United States 44->162 164 pastebin.com 44->164 65 WerFault.exe 44->65         started        67 prolab.exe 46->67         started        69 Cylacegewu.exe 46->69         started        71 Molimigaeru.exe 46->71         started        166 www.plug-innotification.com 48->166 168 plug-innotification.com 35.220.162.170, 49739, 49755, 80 GOOGLEUS United States 48->168 170 2 other IPs or domains 48->170 102 C:\Users\user\AppData\Local\...\parse.exe, PE32+ 48->102 dropped 104 C:\Users\user\AppData\Local\Temp\...\curl.exe, PE32+ 48->104 dropped file14 process15 dnsIp16 172 vexacion.com 60->172 174 52.95.171.4, 443, 49748 AMAZON-02US United States 60->174 176 4 other IPs or domains 60->176 128 C:\Program Files (x86)\...\SHaefisaepeju.exe, PE32 60->128 dropped 130 C:\...\SHaefisaepeju.exe.config, XML 60->130 dropped 132 C:\Users\user\AppData\...\Cylacegewu.exe, PE32 60->132 dropped 136 2 other files (none is malicious) 60->136 dropped 224 Detected unpacking (overwrites its own PE header) 60->224 226 Creates multiple autostart registry keys 60->226 134 C:\Users\user\AppData\Local\...\prolab.tmp, PE32 67->134 dropped 73 prolab.tmp 67->73         started        file17 signatures18 process19 file20 106 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 73->106 dropped 108 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 73->108 dropped 110 C:\Program Files (x86)\...\is-QSMVK.tmp, PE32 73->110 dropped 112 8 other files (none is malicious) 73->112 dropped
Gathering data
Threat name:
Win32.Trojan.CookiesStealer
Create hunting rule
Status:
Malicious
First seen:
2021-03-22 23:58:19 UTC
AV detection:
18 of 48 (37.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nostlkfby6h5rbepba3jn3qmuixtdoe6fqlc6amzjatkt2lo7muq._file
Verdict:
malicious
Similar samples:
12bbe24de7cb5efda944526935ce54a013d93d99b366b9f74a19828ddc987ebc
ArkeiStealer
170ddb2583efd2402e84a7eb2c48754d978c8862e5c033fef9b7df34eadceb52
ArkeiStealer
1ac6d1275df2a3c1c7331666e29259aaecc303f6be32f9248c3c6bc5d2638e55
ArkeiStealer
28f1bd1e02427a817d05c69884c5d5ccf3455859a2f1c3a6dce5e6da75141bcd
ArkeiStealer
4310e070b8ac0bb31d103b0b41c6e46a8b44b98dfcaabf8420aae23b73ac07c8
ArkeiStealer
89d15d3703f9b4084dc3dd41693d5337d2a19fa40c3c87e1cb7a0997d021c4e1
ArkeiStealer
97fe546f4790b24b92895fd102ab528c84187dde94b00e4efc16e78dba9f80a4
ArkeiStealer
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65
ArkeiStealer
d0d946651c56c06d9ca14c32608fe26da018ed117f7d196fb4aef17c63e1de6f
ArkeiStealer
e99107f51a615207824a28411b0355fba67cbda8dbd24d450a84cbe40aa8faf5
ArkeiStealer
+ 128 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:smokeloader family:vidar family:xmrig backdoor discovery dropper evasion loader miner persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/210327-rfxz3dv9hj/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
GoLang User-Agent
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
Checks for common network interception software
XMRig Miner Payload
Glupteba
Glupteba Payload
MetaSploit
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
xmrig
Malware Config
C2 Extraction:
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ransomware
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ba535a8a1c78fd8848f083696ee0ca22f31b89e2c162f01994826a9e96efb29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cryptocoin_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com
Rule name:XMRIG_Miner
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments