MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8608c25f43dcab1c8501cb89b796d75b94a0abd260d3cee39a7e56e889326d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs 3 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8608c25f43dcab1c8501cb89b796d75b94a0abd260d3cee39a7e56e889326d6
SHA3-384 hash: 4d9984addadf78f70f41ca1b1a369d08e8fe36717fb0c580fabb522be82be21a5282f8b972f24a2f8ff368e76d10206b
SHA1 hash: b041d309bcb43b100d7f93a99ad43e8725413ceb
MD5 hash: a15fcb15ff8d0824099fe99986c3425f
humanhash: stairway-single-rugby-zebra
File name:a15fcb15ff8d0824099fe99986c3425f.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:6'585'779 bytes
First seen:2021-12-26 06:26:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 196608:x5xoRnfqI0MQgjP0xa83+JpIux6u/xUPT6nBuqPvYToS:xUIXMQgjP0xaq+JtT/2TSxS
TLSH T19666333276C454F5F96F46372B8C3F54E5F86A842B20E92F574075582F6FBEA800D88A
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:ArkeiStealer exe Smoke Loader


Avatar
abuse_ch
Smoke Loader C2:
45.9.20.253:11452

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.9.20.253:11452 https://threatfox.abuse.ch/ioc/287667/
147.135.248.206:22603 https://threatfox.abuse.ch/ioc/287770/
37.9.13.195:23036 https://threatfox.abuse.ch/ioc/287771/

Intelligence

File Origin
# of uploads :
1
# of downloads :
371
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/216419/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Launching a process
Creating a window
Searching for synchronization primitives
Creating a file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3260/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys overlay packed
Link:
https://www.filescan.io/uploads/61c80afd8991ba72b398ab6a/reports/cfcffd52-1e3a-4c49-9d6b-6083ea7850d5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
RedLine SmokeLoader Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/912899
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 545377 Sample: 3aqBu0K62x.exe Startdate: 26/12/2021 Architecture: WINDOWS Score: 100 72 208.95.112.1 TUT-ASUS United States 2->72 74 45.136.151.102 ENZUINC-US Latvia 2->74 76 172.67.143.210 CLOUDFLARENETUS United States 2->76 98 Multi AV Scanner detection for domain / URL 2->98 100 Antivirus detection for URL or domain 2->100 102 Antivirus detection for dropped file 2->102 104 19 other signatures 2->104 10 3aqBu0K62x.exe 26 2->10         started        signatures3 process4 file5 46 C:\Users\user\AppData\...\setup_install.exe, PE32 10->46 dropped 48 C:\Users\user\...\Thu11f7717aa35a4ea.exe, PE32 10->48 dropped 50 C:\Users\user\AppData\...\Thu11f281fb2df.exe, PE32+ 10->50 dropped 52 18 other files (7 malicious) 10->52 dropped 13 setup_install.exe 1 10->13         started        process6 dnsIp7 94 104.21.62.14 CLOUDFLARENETUS United States 13->94 96 127.0.0.1 unknown unknown 13->96 134 Adds a directory exclusion to Windows Defender 13->134 136 Disables Windows Defender (via service or powershell) 13->136 17 cmd.exe 13->17         started        19 cmd.exe 13->19         started        21 cmd.exe 1 13->21         started        24 14 other processes 13->24 signatures8 process9 signatures10 26 Thu1185ccb71be14d.exe 17->26         started        31 Thu11cf387a29397511.exe 19->31         started        106 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->106 108 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->108 110 Adds a directory exclusion to Windows Defender 21->110 112 Disables Windows Defender (via service or powershell) 21->112 33 powershell.exe 11 21->33         started        35 Thu11d4773c01d6f0.exe 24->35         started        37 Thu11f7717aa35a4ea.exe 24->37         started        39 Thu115efe21f1a89d5.exe 24->39         started        41 8 other processes 24->41 process11 dnsIp12 78 185.215.113.208 WHOLESALECONNECTIONSNL Portugal 26->78 80 185.112.83.8 SUPERSERVERSDATACENTERRU Russian Federation 26->80 86 10 other IPs or domains 26->86 54 C:\Users\...\I6mIQv9_jv0DhuvDtU9S3fKg.exe, PE32+ 26->54 dropped 56 C:\Users\user\AppData\Local\...\SFold1[1].exe, PE32 26->56 dropped 58 C:\Users\user\AppData\Local\...\HK2[1].exe, PE32 26->58 dropped 66 29 other files (5 malicious) 26->66 dropped 114 Creates HTML files with .exe extension (expired dropper behavior) 26->114 116 Tries to harvest and steal browser information (history, passwords, etc) 26->116 118 Disable Windows Defender real time protection (registry) 26->118 120 Detected unpacking (changes PE section rights) 31->120 122 Detected unpacking (overwrites its own PE header) 31->122 124 Injects a PE file into a foreign processes 31->124 126 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 31->126 43 Thu11cf387a29397511.exe 31->43         started        128 Sample uses process hollowing technique 35->128 130 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 37->130 132 Checks if the current machine is a virtual machine (disk enumeration) 37->132 82 116.202.14.219 HETZNER-ASDE Germany 39->82 88 2 other IPs or domains 39->88 68 12 other files (none is malicious) 39->68 dropped 84 148.251.234.83 HETZNER-ASDE Germany 41->84 90 3 other IPs or domains 41->90 60 1a601b29-8226-49fd-b19e-14373f1fae69.exe, PE32 41->60 dropped 62 7567a046-f431-485a-9b22-63c2834b19d8.exe, MS-DOS 41->62 dropped 64 e5117679-88aa-41ed-87c2-479d3b5bc456.exe, PE32 41->64 dropped 70 2 other files (none is malicious) 41->70 dropped file13 signatures14 process15 dnsIp16 92 31.41.45.43 ASRELINKRU Russian Federation 43->92
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a8608c25f43dcab1c8501cb89b796d75b94a0abd260d3cee39a7e56e889326d6/
Threat name:
Win32.Trojan.Antiloadr
Create hunting rule
Status:
Malicious
First seen:
2021-12-24 14:27:00 UTC
File Type:
PE (Exe)
Extracted files:
278
AV detection:
27 of 42 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vbqiyjpuhxfldscqds4jw6lnow4uucv5eygtz3rzu7sw5cete3la._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:915 botnet:media22ns botnet:userv1 aspackv2 backdoor evasion infostealer stealer suricata trojan
Link:
https://tria.ge/reports/211226-g67zrahghk/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
NirSoft WebBrowserPassView
Nirsoft
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
http://www.biohazardgraphics.com/
https://mstdn.social/@kipriauk9
https://qoto.org/@kipriauk8
65.108.69.168:13293
159.69.246.184:13127
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
Unpacked files
SH256 hash:
f94a49f7e9098caec29318488c6ee905bcfb2a5bf6e987305e03576b0da5c595
MD5 hash:
294856fef3e5664d6c4ab77bbdd1f4d2
SHA1 hash:
255d454b5dd344ea29e92e0f0f0ba6908790a6a8
Link:
https://www.unpac.me/results/7db54b8b-c09c-40a0-aee3-cad0455b2555/
SH256 hash:
4f7016fb630595204b4cb47d03f4cdf9a75597d2586fa9bbd244a0407a567748
MD5 hash:
ec94b9dbbb8502ae096f9d7e1f33901c
SHA1 hash:
d5f73eaaa6df419e83bb2c58f30d28ba2e348b72
Link:
https://www.unpac.me/results/7db54b8b-c09c-40a0-aee3-cad0455b2555/
Parent samples :
e4fb57012d7a31e6511c4bac952323093e8bb51f138841f994f58259162dfd6e
24d4daedba9b8060bf0d09b4383849b69e8d1741c3ffaad8156ab8cfa56f8625
d6ec737d10afdaf38cafede9fde045dd3ce7bc72c6ee13df33e018f0e7149893
SH256 hash:
12f682423118581850910cddfb42e2ebb2851e4ec5c346c041f71a1dda51c057
MD5 hash:
029e5130789f584309502d7e23d6b3ec
SHA1 hash:
93f64300d51f9dbd6119c6aa4fdebecb44372758
Link:
https://www.unpac.me/results/7db54b8b-c09c-40a0-aee3-cad0455b2555/
SH256 hash:
a5cb08b5c9d66e3751795d06b6a15ccfe0f5c30519cd151ca46ba550696714d8
MD5 hash:
457ebf3cd64e9e5ee17e15b9ee7d3d52
SHA1 hash:
bd9ff2e210432a80635d8e777c40d39a150dbfa1
Link:
https://www.unpac.me/results/7db54b8b-c09c-40a0-aee3-cad0455b2555/
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Link:
https://www.unpac.me/results/7db54b8b-c09c-40a0-aee3-cad0455b2555/
SH256 hash:
012c3d22b5374c4f595fcf1986bf2a67697f322f36e8bb6456809334f98f5781
MD5 hash:
8bacb64db8fb73308faefd14b863fd43
SHA1 hash:
c5bf54f8b9cc198d6d380f3ee7a74df2feadf32a
Link:
https://www.unpac.me/results/7db54b8b-c09c-40a0-aee3-cad0455b2555/
SH256 hash:
9dac78cf97a753e813b02cb654f076cdea03155bc9a98ed64ec248729ead52ec
MD5 hash:
29fa5c5ade39d4ae5a0f564949278923
SHA1 hash:
376051004220051779d97fcb44065a8724de370b
Link:
https://www.unpac.me/results/7db54b8b-c09c-40a0-aee3-cad0455b2555/
SH256 hash:
5219529e4da6b15cd182e79ced0ffc59422008b26c4c02213fb466960e5f609e
MD5 hash:
32b3c65204c29de9c8163c08a3772f01
SHA1 hash:
cd75c7aacdf55ff4c9502b12595b099aeaf924f2
Link:
https://www.unpac.me/results/7db54b8b-c09c-40a0-aee3-cad0455b2555/
SH256 hash:
cf1ed8957d4825743d39f19529138de7131ca8f506440ddc1774f4640dffc599
MD5 hash:
ded1c6e8c89148495fc19734e47b664d
SHA1 hash:
3a444aeacd154f8d66bca8a98615765c25eb3d41
Link:
https://www.unpac.me/results/7db54b8b-c09c-40a0-aee3-cad0455b2555/
Parent samples :
3f947f5a849f11be9079a5c2418240e2faf7e53b63662c85b92fad8f47ea4d09
6a42f7e5290bf7e40e1aa0c0e9ceda098a612d6dda9b7fa613e0c3a58b16b826
d6ec737d10afdaf38cafede9fde045dd3ce7bc72c6ee13df33e018f0e7149893
SH256 hash:
955fe9a07cdd64b5d0bfd7d49bd520554168a4e4f26a7f00dc55550fd419bb3c
MD5 hash:
9ba3093d2c300bb128cf6fc9957f1028
SHA1 hash:
f0a206521cde11eb9aee7b23b76a005a92f7f12b
Link:
https://www.unpac.me/results/7db54b8b-c09c-40a0-aee3-cad0455b2555/
SH256 hash:
fcb0510a13f994a202d916af5eb7f2fdec9f33077e6661c2c3e46fee6ded65b6
MD5 hash:
a7de6d6d0451d04f84166c21c40cd5df
SHA1 hash:
1eabe5f57730bd769c10d6ac1ca073b1b8f37f3c
Link:
https://www.unpac.me/results/7db54b8b-c09c-40a0-aee3-cad0455b2555/
SH256 hash:
2443ce82682e90a1246d8d8a4d1428a3756c915fa5bbe709d8c04916e408beea
MD5 hash:
a56e6f35d8a885e3119d3087248e0339
SHA1 hash:
0ec57bca363e3a4ff925cb5b2215899121ecf950
Link:
https://www.unpac.me/results/7db54b8b-c09c-40a0-aee3-cad0455b2555/
SH256 hash:
81c69a373123ab429cc9124996cf67a4da3d99932978b7fd63807a66b09cd283
MD5 hash:
0ee17a66c9459626f25b8c1a3c6f4af5
SHA1 hash:
dd39eb3c724aacade8744efc18d6707f34864bdd
Link:
https://www.unpac.me/results/7db54b8b-c09c-40a0-aee3-cad0455b2555/
SH256 hash:
0217d134429f7ad907ff6c7018fd0b701bd87253d9b3e87e32c7df45e5e8bc54
MD5 hash:
9e75545a27ee9db483cda235aca2edde
SHA1 hash:
6e3496ae8608d1c1b7d102e60fa41ca54506f849
Link:
https://www.unpac.me/results/7db54b8b-c09c-40a0-aee3-cad0455b2555/
SH256 hash:
d4c67ef0f2de5c9e91407ccc4c663257cef6c291f6bd35fbb4f5b47390beccbb
MD5 hash:
2d713aa85cd7ffca73f7e326df3b6512
SHA1 hash:
2b176e775095f4ba12260ba01b0d65cc2a2f0890
Link:
https://www.unpac.me/results/7db54b8b-c09c-40a0-aee3-cad0455b2555/
SH256 hash:
a8608c25f43dcab1c8501cb89b796d75b94a0abd260d3cee39a7e56e889326d6
MD5 hash:
a15fcb15ff8d0824099fe99986c3425f
SHA1 hash:
b041d309bcb43b100d7f93a99ad43e8725413ceb
Link:
https://www.unpac.me/results/7db54b8b-c09c-40a0-aee3-cad0455b2555/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a8608c25f43dcab1c8501cb89b796d75b94a0abd260d3cee39a7e56e889326d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_DLInjector06
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/216419/

Comments