MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a63dfdb3c679b747aadbd3855f97e9fb00a7cffdca72a937f63bb167dd52f20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a63dfdb3c679b747aadbd3855f97e9fb00a7cffdca72a937f63bb167dd52f20
SHA3-384 hash: 17ce66501d26b62b709ddacb61eae374bb76101bf8637e75e1dd054e703a4d3de50883119d850cfc34428fd3a22ff412
SHA1 hash: 812808c718c8aa14775893ac9571e0f0dba04e66
MD5 hash: 1ceb51cfd72f59d9035ab2a78627d4f5
humanhash: oven-carbon-xray-black
File name:1CEB51CFD72F59D9035AB2A78627D4F5.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:3'384'263 bytes
First seen:2021-05-23 17:00:29 UTC
Last seen:2021-05-23 18:02:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xICvLUBsg3quuv/XLiW+fHOgldl+jUVj1yuDEdu+zF:xVLUCganvvLB+fHRzl+gVj1ymkF
TLSH ABF533A072E280F6DA815031DE4CBF7694BCC3852B5D9D7B3BE2850E4D3E664D36B606
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://94.130.58.199/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.130.58.199/ https://threatfox.abuse.ch/ioc/57564/

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1CEB51CFD72F59D9035AB2A78627D4F5.exe
Verdict:
No threats detected
Analysis date:
2021-05-23 17:07:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/67f1299c-2911-4bee-94ba-80838f18a105

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Predatorthethief
Create hunting rule
Link:
https://www.capesandbox.com/analysis/160918/
Detection(s):
Win.Dropper.Pswtool-9857488-0
Create hunting rule

Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Barys-9859550-0
Create hunting rule

Win.Trojan.Jaik-9862229-0
Create hunting rule

Win.Packed.Jaik-9862233-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Malware.Jaik-9863906-0
Create hunting rule

Win.Trojan.Jaik-9863907-0
Create hunting rule

Win.Trojan.Jaik-9863965-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Trojan.Jaik-9863992-0
Create hunting rule

Win.Trojan.Jaik-9863995-0
Create hunting rule

Win.Trojan.Jaik-9864004-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Running batch commands
Deleting a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/789701
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Searches for Windows Mail specific files
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 422097 Sample: 8LIt333TCN.exe Startdate: 23/05/2021 Architecture: WINDOWS Score: 100 159 Multi AV Scanner detection for domain / URL 2->159 161 Found malware configuration 2->161 163 Antivirus detection for URL or domain 2->163 165 8 other signatures 2->165 11 8LIt333TCN.exe 15 2->11         started        process3 file4 77 C:\Users\user\AppData\...\setup_install.exe, PE32 11->77 dropped 79 C:\Users\user\AppData\Local\...\metina_7.exe, PE32 11->79 dropped 81 C:\Users\user\AppData\Local\...\metina_3.exe, PE32 11->81 dropped 83 10 other files (1 malicious) 11->83 dropped 14 setup_install.exe 1 11->14         started        process5 dnsIp6 137 8.8.8.8 GOOGLEUS United States 14->137 139 172.67.165.117 CLOUDFLARENETUS United States 14->139 141 127.0.0.1 unknown unknown 14->141 183 Detected unpacking (changes PE section rights) 14->183 18 cmd.exe 1 14->18         started        20 cmd.exe 1 14->20         started        22 cmd.exe 1 14->22         started        24 8 other processes 14->24 signatures7 process8 process9 26 metina_3.exe 92 18->26         started        31 metina_5.exe 2 20->31         started        33 metina_1.exe 7 22->33         started        35 metina_2.exe 1 24->35         started        37 metina_7.exe 24->37         started        39 metina_6.exe 24->39         started        41 metina_4.exe 1 24->41         started        dnsIp10 121 94.130.58.199 HETZNER-ASDE Germany 26->121 123 104.17.62.50 CLOUDFLARENETUS United States 26->123 101 12 other files (none is malicious) 26->101 dropped 169 Detected unpacking (changes PE section rights) 26->169 171 Detected unpacking (overwrites its own PE header) 26->171 173 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->173 181 4 other signatures 26->181 85 C:\Users\user\AppData\Local\...\metina_5.tmp, PE32 31->85 dropped 43 metina_5.tmp 31->43         started        87 C:\Users\user\...\logi_audio_conexant.dll, PE32+ 33->87 dropped 89 C:\Users\...\legacy_forcefeedback_x86.dll, PE32 33->89 dropped 91 C:\Users\user\AppData\Local\...\install.dll, PE32 33->91 dropped 47 rundll32.exe 33->47         started        93 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 35->93 dropped 175 Machine Learning detection for dropped file 35->175 177 Renames NTDLL to bypass HIPS 35->177 179 Checks if the current machine is a virtual machine (disk enumeration) 35->179 50 explorer.exe 35->50 injected 125 104.21.33.129 CLOUDFLARENETUS United States 37->125 95 C:\Users\user\AppData\Roaming\6042086.exe, PE32 37->95 dropped 97 C:\Users\user\AppData\Roaming\1095999.exe, PE32 37->97 dropped 127 88.218.92.148 ENZUINC-US Netherlands 39->127 99 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 39->99 dropped 52 jfiag3g_gg.exe 39->52         started        54 jfiag3g_gg.exe 39->54         started        56 jfiag3g_gg.exe 39->56         started        129 208.95.112.1 TUT-ASUS United States 41->129 131 88.99.66.31 HETZNER-ASDE Germany 41->131 133 31.13.92.36 FACEBOOKUS Ireland 41->133 58 jfiag3g_gg.exe 41->58         started        60 jfiag3g_gg.exe 41->60         started        file11 signatures12 process13 dnsIp14 135 198.54.126.101 NAMECHEAP-NETUS United States 43->135 103 C:\Users\user\AppData\Local\...\MBap2.exe, PE32 43->103 dropped 105 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 43->105 dropped 107 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 43->107 dropped 109 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 43->109 dropped 62 MBap2.exe 43->62         started        185 Writes to foreign memory regions 47->185 187 Allocates memory in foreign processes 47->187 189 Creates a thread in another existing process (thread injection) 47->189 67 svchost.exe 47->67         started        69 svchost.exe 47->69 injected 71 svchost.exe 47->71 injected 191 Searches for Windows Mail specific files 50->191 193 Tries to harvest and steal browser information (history, passwords, etc) 52->193 file15 signatures16 process17 dnsIp18 143 199.188.201.83 NAMECHEAP-NETUS United States 62->143 145 2.20.142.209 AKAMAI-ASN1EU European Union 62->145 149 3 other IPs or domains 62->149 111 C:\Users\user\AppData\...\Leladiresi.exe, PE32 62->111 dropped 113 C:\Users\user\AppData\...behaviorgrapheridadele.exe, PE32 62->113 dropped 115 C:\Program Files\...\ultramediaburner.exe, PE32 62->115 dropped 117 4 other malicious files 62->117 dropped 151 Detected unpacking (overwrites its own PE header) 62->151 153 Drops executable to a common third party application directory 62->153 147 184.30.24.56 AKAMAI-ASUS United States 67->147 155 Sets debug register (to hijack the execution of another thread) 67->155 157 Modifies the context of a thread in another process (thread injection) 67->157 73 svchost.exe 67->73         started        file19 signatures20 process21 dnsIp22 119 198.13.62.186 AS-CHOOPAUS United States 73->119 167 Query firmware table information (likely to detect VMs) 73->167 signatures23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a63dfdb3c679b747aadbd3855f97e9fb00a7cffdca72a937f63bb167dd52f20/
Threat name:
Win32.Trojan.CookiesStealer
Create hunting rule
Status:
Malicious
First seen:
2021-05-21 05:04:11 UTC
AV detection:
29 of 47 (61.70%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjr57wz4m6nxi6vnxu4fl6l6t6yau7h73stsve37mo5rm7ovf4qa._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:dcrat family:elysiumstealer family:plugx family:redline family:smokeloader family:vidar aspackv2 backdoor discovery evasion infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210523-5pytnngge6/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Checks for common network interception software
DcRat
ElysiumStealer
PlugX
RedLine
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://khaleelahmed.com/upload/
http://twvickiassociation.com/upload/
http://www20833.com/upload/
http://cocinasintonterias.com/upload/
http://masaofukunaga.com/upload/
http://gnckids.com/upload/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Azorult
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a63dfdb3c679b747aadbd3855f97e9fb00a7cffdca72a937f63bb167dd52f20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/160918/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-23 18:09:56 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0046] File System Micro-objective::Create Directory
4) [C0048] File System Micro-objective::Delete Directory
5) [C0047] File System Micro-objective::Delete File
6) [C0049] File System Micro-objective::Get File Attributes
7) [C0051] File System Micro-objective::Read File
8) [C0050] File System Micro-objective::Set File Attributes
9) [C0052] File System Micro-objective::Writes File
10) [C0017] Process Micro-objective::Create Process
11) [C0038] Process Micro-objective::Create Thread