MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81a1bb24ae8a11ad1d5898b86f0a4f3b5b4905792fce596af3fc994272e4f66d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81a1bb24ae8a11ad1d5898b86f0a4f3b5b4905792fce596af3fc994272e4f66d
SHA3-384 hash: 9898279e0edc6d81161c6826feac323c640a66aee53de21ed29337e62f4f80c8313d5005e5bb92e4f647304e91c7489a
SHA1 hash: 43a95c2b81f241a461df5e8bb5b8ef0135e118b8
MD5 hash: bdc561720c7e45e7ef35a665477a0a99
humanhash: coffee-lactose-romeo-tango
File name:bdc561720c7e45e7ef35a665477a0a99
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:345'088 bytes
First seen:2021-11-21 01:42:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f7eedae5348dd3cd8ddd4616ea535b55 (2 x ArkeiStealer, 1 x Smoke Loader)
ssdeep 6144:N0Rmz5ZKZbfA+siRHshhQJB1HGu/Bj1oKV+WDQCKX:N0Rm1E3HG2B1HGEF1l+WD+X
Threatray 5'510 similar samples on MalwareBazaar
TLSH T19F749E00A7A1C035F1B212F8597597ABB53F79A0AB2450CF52D52AEE76346E0EC31F1B
File icon (PE):PE icon
dhash icon 5012b0e068696c46 (8 x RaccoonStealer, 8 x RedLineStealer, 6 x Smoke Loader)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bdc561720c7e45e7ef35a665477a0a99
Verdict:
Suspicious activity
Analysis date:
2021-11-21 01:46:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8cad2501-e6ea-460a-ac2a-f81398486a16

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6199a42894a88037d2fba7dc/reports/addc3a26-79da-4ca8-9155-f178549d2a84/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/407c07d6-1c50-4838-bf62-5f4173d908f7
Result
Threat name:
RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/893177
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 525650 Sample: 7u0Gj7aYfG Startdate: 21/11/2021 Architecture: WINDOWS Score: 100 84 host-file-host6.com 2->84 86 file-file-host4.com 2->86 98 Multi AV Scanner detection for domain / URL 2->98 100 Found malware configuration 2->100 102 Antivirus detection for URL or domain 2->102 104 15 other signatures 2->104 11 7u0Gj7aYfG.exe 2->11         started        14 tujhgbt 2->14         started        16 svchost.exe 2->16         started        18 10 other processes 2->18 signatures3 process4 signatures5 132 Contains functionality to inject code into remote processes 11->132 134 Injects a PE file into a foreign processes 11->134 20 7u0Gj7aYfG.exe 11->20         started        136 Multi AV Scanner detection for dropped file 14->136 138 Machine Learning detection for dropped file 14->138 23 tujhgbt 14->23         started        140 Changes security center settings (notifications, updates, antivirus, firewall) 16->140 25 MpCmdRun.exe 16->25         started        process6 signatures7 124 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->124 126 Maps a DLL or memory area into another process 20->126 128 Checks if the current machine is a virtual machine (disk enumeration) 20->128 130 Creates a thread in another existing process (thread injection) 20->130 27 explorer.exe 10 20->27 injected 32 conhost.exe 25->32         started        process8 dnsIp9 92 192.162.246.70, 49766, 80 DATACHEAP-LLC-ASRU Russian Federation 27->92 94 file-file-host4.com 47.254.33.79, 49745, 49746, 49747 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 27->94 96 8 other IPs or domains 27->96 74 C:\Users\user\AppData\Roaming\tujhgbt, PE32 27->74 dropped 76 C:\Users\user\AppData\Local\Temp\F4CB.exe, PE32 27->76 dropped 78 C:\Users\user\AppData\Local\Temp\F28F.exe, PE32 27->78 dropped 80 6 other malicious files 27->80 dropped 142 System process connects to network (likely due to code injection or exploit) 27->142 144 Benign windows process drops PE files 27->144 146 Deletes itself after installation 27->146 148 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->148 34 4118.exe 4 27->34         started        38 CDC0.exe 27->38         started        40 578F.exe 27->40         started        42 2 other processes 27->42 file10 signatures11 process12 dnsIp13 88 45.9.20.149, 10844, 49832 DEDIPATH-LLCUS Russian Federation 34->88 106 Multi AV Scanner detection for dropped file 34->106 108 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->108 110 Query firmware table information (likely to detect VMs) 34->110 122 6 other signatures 34->122 112 Machine Learning detection for dropped file 38->112 114 Injects a PE file into a foreign processes 38->114 45 CDC0.exe 38->45         started        116 Antivirus detection for dropped file 40->116 48 578F.exe 40->48         started        51 conhost.exe 40->51         started        90 cdn.discordapp.com 42->90 72 C:\Users\user\AppData\Local\Temp\sxhxlq.exe, PE32 42->72 dropped 118 Detected unpacking (changes PE section rights) 42->118 120 Detected unpacking (overwrites its own PE header) 42->120 53 cmd.exe 42->53         started        56 cmd.exe 42->56         started        58 sc.exe 42->58         started        60 sc.exe 42->60         started        file14 signatures15 process16 dnsIp17 150 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 45->150 152 Maps a DLL or memory area into another process 45->152 154 Checks if the current machine is a virtual machine (disk enumeration) 45->154 156 Creates a thread in another existing process (thread injection) 45->156 82 185.159.80.90, 38637, 49846 HOSTING-SOLUTIONSUS Netherlands 48->82 70 C:\Windows\SysWOW64\...\sxhxlq.exe (copy), PE32 53->70 dropped 62 conhost.exe 53->62         started        64 conhost.exe 56->64         started        66 conhost.exe 58->66         started        68 conhost.exe 60->68         started        file18 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81a1bb24ae8a11ad1d5898b86f0a4f3b5b4905792fce596af3fc994272e4f66d/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2021-11-21 01:43:05 UTC
AV detection:
16 of 44 (36.36%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qgq3wjforii22hkytc4g6csphnnusblzf7hfs2xt7smue4xe6zwq._file
Verdict:
malicious
Similar samples:
0237c14808827046551b86ea2057ddb42a7713ad138e950ae1b758586595263e
ArkeiStealer
0968b29bbd4b8fed0ac21df64fd5e7a0012fcb215f1e058549d8636d4a4af240
ArkeiStealer
43ddbe297c264c467ea83551244b4a78436bfbbe588602428183e3b966c7cc82
ArkeiStealer
709dbb88f530e7dd7eff23fefe75b8c42042bf78d373145473c89bf9afcf4423
ArkeiStealer
71eddcf286dd89c3ea96394d34661ade1f167164dcc4453c31a68cb583069bf3
ArkeiStealer
78eb62fcd7085f6e34ca30b112672ab1ddca5d98f81d85b6021621b98c43ee0f
ArkeiStealer
b42594aa8ab53db52f547b48916adb07d0f87b631e3297e3118ef3614ea9e2b3
ArkeiStealer
+ 5'500 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:706 botnet:default botnet:easymoneydontshiny botnet:virus backdoor collection discovery evasion infostealer miner persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/211121-b49snsddcm/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Arkei Stealer Payload
Vidar Stealer
XMRig Miner Payload
Arkei
RedLine
RedLine Payload
SmokeLoader
Tofsee
Vidar
Windows security bypass
suricata: ET MALWARE DNS Query Sinkhole Domain Various Families (Possible Infected Host)
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
xmrig
Malware Config
C2 Extraction:
http://host-file-host6.com/
http://host-host-file8.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
quadoil.ru
lakeflex.ru
185.159.80.90:38637
http://file-file-host4.com/tratata.php
77.247.127.228:38823
https://mastodon.online/@valhalla
https://koyu.space/@valhalla
45.153.186.153:56675
Unpacked files
SH256 hash:
23554c8f1f1fd1e04a9c7053680f186fdbb61155942430095e76bb88552ad78b
MD5 hash:
5e2aad3c6e39abb50541d91e9591b22b
SHA1 hash:
97bb348f06b2ce6fdc5291420c537358e2259a9c
Link:
https://www.unpac.me/results/75d4193a-816b-430b-b9ba-3d2096aff790/
SH256 hash:
81a1bb24ae8a11ad1d5898b86f0a4f3b5b4905792fce596af3fc994272e4f66d
MD5 hash:
bdc561720c7e45e7ef35a665477a0a99
SHA1 hash:
43a95c2b81f241a461df5e8bb5b8ef0135e118b8
Link:
https://www.unpac.me/results/75d4193a-816b-430b-b9ba-3d2096aff790/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/81a1bb24ae8a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/81a1bb24ae8a11ad1d5898b86f0a4f3b5b4905792fce596af3fc994272e4f66d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 81a1bb24ae8a11ad1d5898b86f0a4f3b5b4905792fce596af3fc994272e4f66d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1781418/
  
URLhaus
https://urlhaus.abuse.ch/url/1800988/
Cape
Cape
https://www.capesandbox.com/analysis/207837/

Comments


Avatar
zbet commented on 2021-11-21 01:42:50 UTC

url : hxxp://privacytoolzfor-you7000.top/downloads/toolspab2.exe