MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 10



SHA256 hash: a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d
SHA3-384 hash: 538fd7a763420ad78f743feb445997c3764d73fa96834ef95f85b05dfca2d0d5b9dad8e44ce58320b5952ad03f41ad63
SHA1 hash: 8d42017b64c9d4060c56f5916bd70c6f42515d13
MD5 hash: 7268e57a354c49482b14d239632cfd73
humanhash: vermont-alabama-thirteen-wisconsin
File name: 7268e57a354c49482b14d239632cfd73.exe
Signature: ArkeiStealer
File size: 390'950 bytes
First seen: 2021-05-22 18:25:24 UTC
Last seen: 2021-05-22 19:01:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'446 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 6144:x/QiQXC6oL8+Ee0CYDTAsdRhLOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7f:pQi36oL8+iDNdRhLlL//plmW9bTXeVh8
Threatray: 736 similar samples on MalwareBazaar
TLSH: 39841203A6F10938E073CEF05CA5D4614A3F3D256D7C640476DCAD9E9F7BA82966A383
Reporter: abuse_ch
Tags: ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
http://sogxjp62.top/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://sogxjp62.top/index.php | https://threatfox.abuse.ch/ioc/57116/
http://morgyu06.top/index.php | https://threatfox.abuse.ch/ioc/57117/

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 124
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 60a536_Adobe-Animate-C.zip
Verdict: Malicious activity
Analysis date: 2021-05-20 02:58:57 UTC
Tags: evasion trojan stealer vidar rat redline ficker danabot phishing

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Sending a UDP request
Delayed reading of the file
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Searching for the window
Creating a file
Launching a process
Reading critical registry keys
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine Vidar
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph rendering not reproduced; Behavior Graph ID 421202, sample 10Qy7p3slc.exe, start date 22/05/2021, architecture WINDOWS, score 100]
Threat name: Win32.Infostealer.Passteal
Status: Malicious
First seen: 2021-05-19 20:28:05 UTC
AV detection: 18 of 29 (62.07%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:elysiumstealer family:plugx family:redline family:vidar botnet:bbs1 discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
VMProtect packed file
Checks for common network interception software
ElysiumStealer
PlugX
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction: 87.251.71.193:80
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name: MALWARE_Win_HyperPro03
Author: ditekSHen
Description: Hunt HyperPro IronTiger / LuckyMouse / APT27 malware

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: win_vidar_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



accidentalrebel commented on 2021-05-22 19:02:32 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [C0021] Cryptography Micro-objective::Generate Pseudo-random Sequence
2) [C0032.001] Data Micro-objective::CRC32::Checksum
3) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0046] File System Micro-objective::Create Directory
6) [C0048] File System Micro-objective::Delete Directory
7) [C0047] File System Micro-objective::Delete File
8) [C0049] File System Micro-objective::Get File Attributes
9) [C0051] File System Micro-objective::Read File
10) [C0052] File System Micro-objective::Writes File
11) [C0007] Memory Micro-objective::Allocate Memory
12) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
13) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
14) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
15) [C0017.003] Process Micro-objective::Create Suspended Process::Create Process
16) [C0017] Process Micro-objective::Create Process
17) [C0041] Process Micro-objective::Set Thread Local Storage Value
18) [C0018] Process Micro-objective::Terminate Process