MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 823049f3cc1a45aa640b421ef451cdd250a6250bc2a9ac65051d631ed4262491. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 9



SHA256 hash: 823049f3cc1a45aa640b421ef451cdd250a6250bc2a9ac65051d631ed4262491
SHA3-384 hash: 4924da4322e28c2687a59a6bc7d24a2322aa3eb3015b6351287e41685d3358d3da678510d23296e9b8d2b0d0cc142ebb
SHA1 hash: bacbb7897e756305e5236abe4d09d55105b2739e
MD5 hash: 7afd7cf62e26c6848c8223290cead458
humanhash: delaware-michigan-lion-carpet
File name: 7AFD7CF62E26C6848C8223290CEAD458.exe
Signature: ArkeiStealer
File size: 4'372'030 bytes
First seen: 2021-06-01 07:35:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xpCvLUBsgDAFcgEYk7A/BBGuwvoZ1E74BCgVybcko+MqE4O:xCLUCgDAOgEYk0ZBGuwQZ1E74+o+xO
Threatray: 28 similar samples on MalwareBazaar
TLSH: FA1633C073E485BAD7829575ACECB7B6409683440F2D24D377B4E24DAF29822F927E5C
Reporter: abuse_ch
Tags: ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
45.144.29.9:11355

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                       ThreatFox Reference
45.144.29.9:11355         https://threatfox.abuse.ch/ioc/67914/
http://162.55.189.141/    https://threatfox.abuse.ch/ioc/67961/
http://193.203.203.233/   https://threatfox.abuse.ch/ioc/68025/
80.92.206.22:80           https://threatfox.abuse.ch/ioc/68028/
194.156.99.23:11895       https://threatfox.abuse.ch/ioc/68029/

Intelligence


File Origin
# of uploads: 1
# of downloads: 151
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7AFD7CF62E26C6848C8223290CEAD458.exe
Verdict: No threats detected
Analysis date: 2021-06-01 08:05:08 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Running batch commands
Deleting a recently created file
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba RedLine Vidar
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates files with lurking names (e.g. Crack.exe)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Drops PE files to the document folder of the user
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Writes to foreign memory regions
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 427465)
Sample: M40tZoPsI6.exe; Startdate: 01/06/2021; Architecture: WINDOWS; Score: 100
  Network: email.yg9.me; limesfile.com 198.54.126.101 NAMECHEAP-NETUS United States; 2 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Antivirus detection for URL or domain; 16 other signatures
  Started: M40tZoPsI6.exe; BackgroundTransferHost.exe

M40tZoPsI6.exe
  Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\Local\...\metina_8.exe (PE32); C:\Users\user\AppData\Local\...\metina_7.exe (PE32); 11 other files (3 malicious)
  Started: setup_install.exe

setup_install.exe
  Network: estrix.xyz 172.67.165.117, 49717, 80 CLOUDFLARENETUS United States; 127.0.0.1 unknown unknown
  Signatures: Detected unpacking (changes PE section rights); Performs DNS queries to domains with low reputation
  Started: cmd.exe; cmd.exe; cmd.exe; 8 other processes

cmd.exe -> metina_7.exe
cmd.exe -> metina_3.exe
cmd.exe -> metina_2.exe
8 other processes -> metina_4.exe; metina_8.exe; metina_1.exe; 2 other processes

metina_7.exe
  Network: moonlabmediacompany.com 89.221.213.3, 49732, 80 WEDOSCZ Czech Republic; privacytools.xyz 195.123.222.92, 49729, 80 ITLDC-NLUA Bulgaria; 11 other IPs or domains
  Dropped: https___jom.direga...google-game.exe.exe (PE32); https___cdn.discor...0516_Setup2.exe.exe (PE32); https___cdn.discor...17556_jooyu.exe.exe (PE32); 9 other malicious files
  Signatures: Drops PE files to the document folder of the user; Performs DNS queries to domains with low reputation
  Started: https___014a2835-e6dd-43e5-833c-a25b69a6bfd4.s3.amazonaws.com_BBQbrowser.exe.exe; http___212.192.241.136_files_file3.exe.exe; https___cdn.discordapp.com_attachments_846372010271703082_848137134849130516_Setup2.exe.exe; 7 other processes

metina_3.exe
  Network: 2 other IPs or domains
  Dropped: 12 other files (none is malicious)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 4 other signatures

metina_2.exe
  Dropped: C:\Users\user\AppData\Local\Temp\CC4F.tmp (PE32)
  Signatures: DLL reload attack detected; Machine Learning detection for dropped file; Renames NTDLL to bypass HIPS; Checks if the current machine is a virtual machine (disk enumeration)

metina_4.exe
  Network: ip-api.com 208.95.112.1, 49723, 80 TUT-ASUS United States; 5 other IPs or domains
  Signatures: May check the online IP address of the machine
  Started: jfiag3g_gg.exe

metina_8.exe
  Dropped: 2 other files (1 malicious)
  Signatures: Creates files with lurking names (e.g. Crack.exe)
  Started: NMemo2Setp.exe; Crack.exe

metina_1.exe
  Dropped: 2 other files (none is malicious)
  Started: rundll32.exe

2 other processes (started via setup_install.exe)
  Network: 104.21.33.129 CLOUDFLARENETUS United States
  Dropped: 4 other files (1 malicious)

https___014a2835-e6dd-43e5-833c-a25b69a6bfd4.s3.amazonaws.com_BBQbrowser.exe.exe
  Network: jo.bitrhost.ru 217.107.34.191 RTCOMM-ASRU Russian Federation
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique

http___212.192.241.136_files_file3.exe.exe
  Network: v0o.bitrhost.ru
  Signatures: Injects a PE file into a foreign processes

https___cdn.discordapp.com_attachments_846372010271703082_848137134849130516_Setup2.exe.exe
  Dropped: C:\Program Files (x86)\...\md8_8eus.exe (PE32); C:\Program Files (x86)\Company\...\lij.exe (PE32); C:\Program Files (x86)\Company\...\file4.exe (PE32); 2 other files (1 malicious)

jfiag3g_gg.exe
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)

NMemo2Setp.exe
  Dropped: C:\Users\user\AppData\Roaming\8961844.exe (PE32); C:\Users\user\AppData\Roaming\7545083.exe (PE32); C:\Users\user\AppData\Roaming\5279773.exe (PE32)

Crack.exe
  Started: conhost.exe

rundll32.exe
  Signatures: Creates a thread in another existing process (thread injection)

7 other processes (started via metina_7.exe)
  Network: 212.192.241.136, 49724, 49725, 80 RAPMSB-ASRU Russian Federation; g-partners.in; 2 other IPs or domains
  Dropped: C:\Users\user\AppData\...\jfiag3g_gg.exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); May check the online IP address of the machine
Threat name: Win32.Trojan.Vigorf
Status: Malicious
First seen: 2021-05-29 13:19:48 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:glupteba family:metasploit family:plugx family:redline family:smokeloader family:vidar botnet:31_5_ruzki botnet:servjason aspackv2 backdoor discovery dropper evasion infostealer loader persistence spyware stealer trojan upx
Behaviour
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
Checks for common network interception software
Glupteba
Glupteba Payload
MetaSploit
PlugX
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
ergerge.top:80
quropaloar.xyz:80
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments