MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9405f9084c8ec3eff442b83c20928fceb3e6372d504381b0527a7512a9889231. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9405f9084c8ec3eff442b83c20928fceb3e6372d504381b0527a7512a9889231
SHA3-384 hash: 27255e5696cf3cf4ccf4deaf384dac8405a535797e3c0d05c2315fc6e621708e50c38e03d13eb9652f239f04604e9161
SHA1 hash: c1bb75e17d525125a90ec690d5e62bed28f586a2
MD5 hash: 575dfecf7e2f126bd44b67256f066794
humanhash: missouri-september-july-sodium
File name:575dfecf7e2f126bd44b67256f066794
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:2'694'553 bytes
First seen:2021-10-25 13:38:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 49152:pAI+VzsO7ffB0xr0VxVm2hX6UKUrC1xwfsBOZPFdMnUG9GAAyDy1BGKS:pAI+Z5rfB0xr0VF6U4xgsBKSG2DQGKS
Threatray 3'506 similar samples on MalwareBazaar
TLSH T132C52339B601057BC1610930184BD77B793AE640673E69CFB6C94F6C8D737CA2B982DA
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/199929/
Detection(s):
SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Searching for the window
Connection attempt
Replacing files
Sending a custom TCP request
Launching a service
Connection attempt to an infection source
Sending a TCP request to an infection source
Launching the default Windows debugger (dwwin.exe)
DNS request
Connecting to a non-recommended domain
Sending an HTTP GET request
Reading critical registry keys
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Launching a tool to kill processes
Query of malicious DNS domain
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive fingerprint greyware overlay packed razy
Link:
https://www.filescan.io/uploads/6176b378db358dd15ed95c13/reports/5b1a2a1a-7ee0-44ae-b499-70cea38dffed/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d2db86c-0147-4ceb-bf6b-f0e88382f421
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/876333
Signature
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Chrome's extension installation force list
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 508763 Sample: TVav3U3TOf Startdate: 25/10/2021 Architecture: WINDOWS Score: 100 94 113.t.keepitpumpin.io 212.83.164.166, 49754, 8080 OnlineSASFR France 2->94 96 114.t.keepitpumpin.io 212.83.164.213, 49755, 8080 OnlineSASFR France 2->96 98 7 other IPs or domains 2->98 104 Found malware configuration 2->104 106 Antivirus detection for dropped file 2->106 108 Multi AV Scanner detection for dropped file 2->108 110 11 other signatures 2->110 9 TVav3U3TOf.exe 18 9 2->9         started        13 msiexec.exe 2->13         started        15 svchost.exe 1 2->15         started        signatures3 process4 file5 58 C:\Program Files (x86)\FastPc\...\Faster.exe, PE32 9->58 dropped 60 C:\Program Files (x86)\FastPc\...\Fast_.exe, PE32 9->60 dropped 62 C:\Program Files (x86)\FastPc\...\Fast.exe, PE32 9->62 dropped 64 C:\Users\user\AppData\Local\...\temp_0.tmp, Microsoft 9->64 dropped 124 Modifies Chrome's extension installation force list 9->124 17 Fast.exe 74 9->17         started        22 Faster.exe 14 5 9->22         started        24 Fast_.exe 5 9->24         started        28 2 other processes 9->28 66 C:\...\Windows Updater.exe, PE32 13->66 dropped 68 C:\...\AdvancedWindowsManager.exe, PE32+ 13->68 dropped 70 C:\Windows\Installer\MSIAE0D.tmp, PE32 13->70 dropped 72 13 other files (none is malicious) 13->72 dropped 26 msiexec.exe 13->26         started        signatures6 process7 dnsIp8 82 mas.to 88.99.75.82, 443, 49745 HETZNER-ASDE Germany 17->82 84 65.108.80.190, 49746, 80 ALABANZA-BALTUS United States 17->84 42 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 17->42 dropped 44 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 17->44 dropped 46 C:\Users\user\AppData\...\freebl3[1].dll, PE32 17->46 dropped 56 9 other files (none is malicious) 17->56 dropped 112 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->112 114 Tries to harvest and steal browser information (history, passwords, etc) 17->114 116 Tries to steal Crypto Currency Wallets 17->116 86 source7.boys4dayz.com 172.67.148.61, 443, 49744 CLOUDFLARENETUS United States 22->86 88 duzlwewk2uk96.cloudfront.net 205.251.222.4, 49850, 80 AMAZON-02US United States 22->88 90 192.168.2.1 unknown unknown 22->90 48 C:\Users\user\AppData\Local\Temp\vpn.exe, PE32 22->48 dropped 50 C:\Users\user\AppData\Local\...\installer.exe, PE32 22->50 dropped 118 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->118 30 installer.exe 22->30         started        92 3.17.66.208, 49747, 50383 AMAZON-02US United States 24->92 52 C:\Users\user\AppData\Local\Temp\shiF56.tmp, PE32 26->52 dropped 54 C:\Users\user\AppData\Local\Temp\shiD8F.tmp, PE32 26->54 dropped 120 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 26->120 122 Opens network shares 26->122 34 conhost.exe 28->34         started        36 conhost.exe 28->36         started        38 taskkill.exe 28->38         started        file9 signatures10 process11 dnsIp12 100 3.232.36.43, 443, 49849 AMAZON-AESUS United States 30->100 102 collect.installeranalytics.com 30->102 74 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 30->74 dropped 76 C:\Users\user\AppData\...\Windows Updater.exe, PE32 30->76 dropped 78 C:\Users\user\...\AdvancedWindowsManager.exe, PE32+ 30->78 dropped 80 4 other files (none is malicious) 30->80 dropped 40 msiexec.exe 30->40         started        file13 process14
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9405f9084c8ec3eff442b83c20928fceb3e6372d504381b0527a7512a9889231/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-10-25 13:39:06 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sqc7sccmr3b675ccxa6cbeupz2z6mnznkbbydmcspj2rfkmisiyq._file
Verdict:
malicious
Similar samples:
111d1529eb5320465bc09a12146b321b0f4409372a8b73048b7798904082068c
ArkeiStealer
592dea4eea3a4fc6540a4c677253f3936822f9040add569257eb1878cbafecca
ArkeiStealer
80b6f4260035bf83f8cafbc80b8da3263d8ed022c96509aeaa6e4a0016c6eb42
ArkeiStealer
a4f95464eccef0c4da2d48481ef8b1006a6ed0918fb421db63c793e1001bbeda
ArkeiStealer
d7480662bc7ee6dc38227ea381978553b1774774e4a0a70ea3bf6aebbca48622
ArkeiStealer
df7049b8c4d704376be3920232b1ba6b2c8cf2ff0f9cf3bf22f6d89c1c9515dc
ArkeiStealer
e6447686ab68ede1a7b92ddc98b7e90ccf64d48876ace4b91cc45ea2437cc67c
ArkeiStealer
e6d90883fd0e3c7576c140d6f12e04e1e54c3789ec4b2bdea925c9bdb6aa1f43
ArkeiStealer
+ 3'496 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:915 botnet:v4 discovery evasion infostealer spyware stealer trojan upx
Link:
https://tria.ge/reports/211025-qxyt6agca3/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Vidar Stealer
RedLine
RedLine Payload
Vidar
Malware Config
C2 Extraction:
3.17.66.208:50383
https://mas.to/@xeroxxx
Unpacked files
SH256 hash:
8cac795f96c42128b6dfe3269f77d7bc1e42d60a8abe7899688e1592df473016
MD5 hash:
92d84033882b2d288f8b3d6dfa0e99a8
SHA1 hash:
289b2f83520472a06c90c5885a2253deab7dd2a2
Link:
https://www.unpac.me/results/cea4af27-671c-4de2-b0ca-ee68134d191a/
SH256 hash:
9405f9084c8ec3eff442b83c20928fceb3e6372d504381b0527a7512a9889231
MD5 hash:
575dfecf7e2f126bd44b67256f066794
SHA1 hash:
c1bb75e17d525125a90ec690d5e62bed28f586a2
Link:
https://www.unpac.me/results/cea4af27-671c-4de2-b0ca-ee68134d191a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9405f9084c8e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9405f9084c8ec3eff442b83c20928fceb3e6372d504381b0527a7512a9889231

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 9405f9084c8ec3eff442b83c20928fceb3e6372d504381b0527a7512a9889231

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/199929/
  
URLhaus
https://urlhaus.abuse.ch/url/1712512/

Comments


Avatar
zbet commented on 2021-10-25 13:38:35 UTC

url : hxxp://eddf698b-47bc-4450-a971-ca7fb739e8dd.s3.amazonaws.com/Download/FastPC.exe