MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7aa17be3b8a5d82c4ffcb0a88cf2a64339c59fceaea5201cf6c7b3c7c906cdc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7aa17be3b8a5d82c4ffcb0a88cf2a64339c59fceaea5201cf6c7b3c7c906cdc3
SHA3-384 hash: 0a3094a7ff6dadd45d469d76bb195342751ced753bbae2fea317d6be55666c839e4a73061072fbd077e916b11e869e6a
SHA1 hash: d94cae37a722981385e0fc09ea8201ed8810a517
MD5 hash: 595f3bda67bee86af6b606daff3f9930
humanhash: oxygen-december-nevada-mars
File name:595f3bda67bee86af6b606daff3f9930.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:7'063'040 bytes
First seen:2022-10-27 02:40:37 UTC
Last seen:2022-10-27 04:24:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 36 x Vidar)
ssdeep 196608:twFCQ2xNNDtJfHNpasZUqmNcgt2FEz8jZPA:WSNJJftQsZfI0wM2
TLSH T166660251FC9B54B6E602D2321A97D2DBE32078061B318BC7D540BE7AACF36E40D3E665
gimphash c0e99d633e8f1eba4aedefa7fc18176013256c4e3b77b9f6cb54eb04b150a623
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://95.217.29.33/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://95.217.29.33/ https://threatfox.abuse.ch/ioc/950016/

Intelligence

File Origin
# of uploads :
2
# of downloads :
372
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
595f3bda67bee86af6b606daff3f9930.exe
Verdict:
Malicious activity
Analysis date:
2022-10-27 02:45:01 UTC
Tags:
trojan opendir loader
Link:
https://app.any.run/tasks/0c6e98a3-7c39-41ae-97d7-142e8ebdfa4d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/324648/
Detection(s):
SecuriteInfo.com.Trojan.PWS.StealerNET.125.17133.24610.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Reading critical registry keys
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Stealing user critical data
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1e749448-2f95-49f3-adc2-f6bdc8899df9
Result
Threat name:
000Stealer, MinerDownloader, Laplas Clip
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1098865
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
DNS related to crypt mining pools
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected 000Stealer
Yara detected Generic MinerDownloader
Yara detected Laplas Clipper
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 731512 Sample: Ld2f3BHF1O.exe Startdate: 27/10/2022 Architecture: WINDOWS Score: 100 95 xmr-eu1.nanopool.org 2->95 97 gitcdn.link 2->97 99 2 other IPs or domains 2->99 131 Snort IDS alert for network traffic 2->131 133 Multi AV Scanner detection for domain / URL 2->133 135 Malicious sample detected (through community Yara rule) 2->135 137 19 other signatures 2->137 12 Ld2f3BHF1O.exe 1 2->12         started        15 RegVBS.exe.exe 2->15         started        signatures3 process4 signatures5 175 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->175 177 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 12->177 179 Queries memory information (via WMI often done to detect virtual machines) 12->179 181 Queues an APC in another process (thread injection) 12->181 17 Ld2f3BHF1O.exe 2 12->17         started        183 Antivirus detection for dropped file 15->183 185 Multi AV Scanner detection for dropped file 15->185 187 Machine Learning detection for dropped file 15->187 process6 dnsIp7 91 179.43.163.104, 49699, 49700, 49701 PLI-ASCH Panama 17->91 93 79.137.196.182, 49705, 49706, 80 PSKSET-ASRU Russian Federation 17->93 65 C:\Users\user\AppData\...\installer2.exe, PE32 17->65 dropped 67 C:\Users\user\AppData\Local\...\installer.exe, PE32 17->67 dropped 139 Tries to harvest and steal ftp login credentials 17->139 141 Tries to harvest and steal browser information (history, passwords, etc) 17->141 143 Tries to steal Crypto Currency Wallets 17->143 22 rundll32.exe 1 17->22         started        24 rundll32.exe 1 17->24         started        file8 signatures9 process10 process11 26 installer.exe 2 10 22->26         started        30 installer2.exe 24->30         started        file12 79 C:\Windows\SysWOW64\Updater.exe, PE32 26->79 dropped 81 C:\Windows\SysWOW64\Setup.exe, PE32 26->81 dropped 151 Antivirus detection for dropped file 26->151 153 Multi AV Scanner detection for dropped file 26->153 155 Query firmware table information (likely to detect VMs) 26->155 163 5 other signatures 26->163 32 Updater.exe 26->32         started        35 Setup.exe 26->35         started        157 Machine Learning detection for dropped file 30->157 159 Writes to foreign memory regions 30->159 161 Injects a PE file into a foreign processes 30->161 38 vbc.exe 8 30->38         started        signatures13 process14 dnsIp15 111 Machine Learning detection for dropped file 32->111 113 Contains functionality to inject code into remote processes 32->113 115 Writes to foreign memory regions 32->115 117 Injects a PE file into a foreign processes 32->117 41 vbc.exe 32->41         started        69 C:\Users\user\AppData\...\RegVBS.exe.exe, PE32 35->69 dropped 119 Antivirus detection for dropped file 35->119 121 Multi AV Scanner detection for dropped file 35->121 123 Uses schtasks.exe or at.exe to add and modify task schedules 35->123 46 schtasks.exe 35->46         started        48 ngentask.exe 35->48         started        101 185.215.113.83 WHOLESALECONNECTIONSNL Portugal 38->101 103 puskesmas-lubukbatang.com 203.175.9.22 FCCDCI-NET-PH4FPodiumRCBCPlazaTowerIPH Indonesia 38->103 105 gitcdn.link 104.21.234.85 CLOUDFLARENETUS United States 38->105 71 C:\Users\user\AppData\Local\...\Starter.exe, PE32 38->71 dropped 73 C:\Users\user\AppData\Local\...\ofg.exe, PE32 38->73 dropped 75 C:\Users\user\AppData\Local\...\chrome.exe, MS-DOS 38->75 dropped 77 2 other malicious files 38->77 dropped 125 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 38->125 127 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 38->127 129 Tries to steal Crypto Currency Wallets 38->129 50 brave.exe 38->50         started        52 chrome.exe 38->52         started        54 app.exe 38->54         started        file16 signatures17 process18 dnsIp19 107 185.215.113.69 WHOLESALECONNECTIONSNL Portugal 41->107 109 dl.uploadgram.me 176.9.247.226 HETZNER-ASDE Germany 41->109 83 C:\Users\user\AppData\Local\Temp\start.exe, PE32+ 41->83 dropped 85 C:\Users\user\AppData\Local\Temp\System.exe, PE32 41->85 dropped 165 Tries to harvest and steal browser information (history, passwords, etc) 41->165 167 Tries to steal Crypto Currency Wallets 41->167 56 System.exe 41->56         started        59 start.exe 41->59         started        61 conhost.exe 46->61         started        87 C:\ProgramData\Updater\VCXRYF.exe, PE32+ 50->87 dropped 169 Antivirus detection for dropped file 50->169 171 Multi AV Scanner detection for dropped file 50->171 173 Machine Learning detection for dropped file 50->173 89 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 52->89 dropped 63 conhost.exe 54->63         started        file20 signatures21 process22 signatures23 145 Antivirus detection for dropped file 56->145 147 Multi AV Scanner detection for dropped file 56->147 149 Machine Learning detection for dropped file 56->149
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7aa17be3b8a5d82c4ffcb0a88cf2a64339c59fceaea5201cf6c7b3c7c906cdc3/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Suspicious
First seen:
2022-10-18 01:27:36 UTC
File Type:
PE (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pkqxxy5yuxmcyt74wcuiz4vgim44lh6ov2ssahhwy6z4psigzxbq._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar family:xmrig botnet:1707 evasion infostealer miner persistence spyware stealer themida trojan upx
Link:
https://tria.ge/reports/221027-c6e7hsadam/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
RedLine
RedLine payload
Vidar
xmrig
Malware Config
C2 Extraction:
185.215.113.83:60722
185.215.113.69:15544
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
7aa17be3b8a5d82c4ffcb0a88cf2a64339c59fceaea5201cf6c7b3c7c906cdc3
MD5 hash:
595f3bda67bee86af6b606daff3f9930
SHA1 hash:
d94cae37a722981385e0fc09ea8201ed8810a517
Link:
https://www.unpac.me/results/c09d15fc-ca58-4482-b62e-c90908de47f9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/7aa17be3b8a5d82c4ffcb0a88cf2a64339c59fceaea5201cf6c7b3c7c906cdc3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/324648/

Comments