MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b35ef6b865bf13b12e702b62c7ee383d17094a6d91a1bbf0b0f0b9b7e80a50d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b35ef6b865bf13b12e702b62c7ee383d17094a6d91a1bbf0b0f0b9b7e80a50d4
SHA3-384 hash: 5fe1dcf22752ac600b63099699a01c9c760e9bb7bcf1b5ce49f2e94451dd51bc110a0e61f3afacac43cd79c08a9da4d2
SHA1 hash: b399e762737210d96f1a198d42b4ea3f21ef413c
MD5 hash: c6329b58f43aabd2b9ea545afb22dda9
humanhash: tennessee-eight-fanta-cola
File name:c6329b58f43aabd2b9ea545afb22dda9.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:347'136 bytes
First seen:2021-10-29 18:39:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash de06d9e059534704f287050011120a38 (9 x RaccoonStealer, 2 x ArkeiStealer, 1 x RedLineStealer)
ssdeep 6144:4BVSq0HEjw32LvyCqz8WfgWq0KRcLMgfDf:A8wjw32yCqz8WfgWq4Qa
Threatray 8'778 similar samples on MalwareBazaar
TLSH T1D9748C10A7A1C034F5F212F859BA9369B93E3AB1AB7490CF13D516EE4634AE1EC31317
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter abuse_ch
Tags:ArkeiStealer exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c6329b58f43aabd2b9ea545afb22dda9.exe
Verdict:
No threats detected
Analysis date:
2021-10-29 18:47:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0e8b8d79-19b5-4391-ae3c-875a4a58b2e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.20109.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e4e6c74-e8e2-4022-82ca-b34897622964
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879565
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 511999 Sample: 1E00ecAL2E.exe Startdate: 29/10/2021 Architecture: WINDOWS Score: 100 53 Multi AV Scanner detection for domain / URL 2->53 55 Found malware configuration 2->55 57 Antivirus detection for URL or domain 2->57 59 6 other signatures 2->59 7 1E00ecAL2E.exe 2->7         started        10 vchuuta 2->10         started        12 E84D.exe 2->12         started        process3 signatures4 77 Detected unpacking (changes PE section rights) 7->77 79 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->79 81 Maps a DLL or memory area into another process 7->81 83 Creates a thread in another existing process (thread injection) 7->83 14 explorer.exe 6 7->14 injected 85 Multi AV Scanner detection for dropped file 10->85 87 Machine Learning detection for dropped file 10->87 89 Checks if the current machine is a virtual machine (disk enumeration) 10->89 process5 dnsIp6 39 nutriescapa.com 194.40.243.133, 49814, 80 NTSERVICE-ASUA Netherlands 14->39 41 brandyjaggers.com 91.203.174.38, 49751, 49767, 49769 LITTEL-ASRU Uzbekistan 14->41 43 9 other IPs or domains 14->43 27 C:\Users\user\AppData\Roaming\vchuuta, PE32 14->27 dropped 29 C:\Users\user\AppData\Local\Temp84D.exe, PE32 14->29 dropped 31 C:\Users\user\AppData\Local\Temp\B729.exe, PE32 14->31 dropped 33 2 other malicious files 14->33 dropped 45 System process connects to network (likely due to code injection or exploit) 14->45 47 Benign windows process drops PE files 14->47 49 Deletes itself after installation 14->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->51 19 232F.exe 5 14->19         started        23 B729.exe 2 14->23         started        25 E84D.exe 14->25         started        file7 signatures8 process9 dnsIp10 35 193.150.103.37, 29118, 49815 ASGENERALTELRU Russian Federation 19->35 61 Detected unpacking (changes PE section rights) 19->61 63 Detected unpacking (overwrites its own PE header) 19->63 65 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->65 67 Tries to steal Crypto Currency Wallets 19->67 37 185.215.113.29, 36224, 49846 WHOLESALECONNECTIONSNL Portugal 23->37 69 Machine Learning detection for dropped file 23->69 71 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 23->71 73 Tries to harvest and steal browser information (history, passwords, etc) 23->73 75 Contains functionality to infect the boot sector 25->75 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b35ef6b865bf13b12e702b62c7ee383d17094a6d91a1bbf0b0f0b9b7e80a50d4/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-29 17:39:11 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0c37d974d52e06ddf0b003694f1fe9f18475aa57592e639ae49fd840873646ff
ArkeiStealer
5a981120d186267256661c1e7a8f473be7eb285d09b0e77efb0223ea5eee2889
ArkeiStealer
605e57c5643a2292002481fee5fe3b7ba0243fc8e3ed6d423c814554cf6b4bba
ArkeiStealer
aed2ef2307581edfdc8ebb2342ff7b10e383a91b17512dcb4a2f49d1344af27d
ArkeiStealer
b06b803c1a654849e7b0310b0b590ca574568ab9eba41858e8caaff5dbbeacba
ArkeiStealer
f0bf1ff85a29dfb06cf83aeab4093d9bd9edfa5781fbb65fe8a31d32cc14f2bc
ArkeiStealer
+ 8'768 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader family:vidar botnet:1050 backdoor stealer trojan
Link:
https://tria.ge/reports/211029-xa7l4sdhc6/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Deletes itself
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
https://mas.to/@lilocc
Unpacked files
SH256 hash:
f9b4b2e506fe88e1cd921a71c130a7e097bfb2dd1cfcec768b375c70ee6b800c
MD5 hash:
986d781d5e3181045ce6586b2b0af221
SHA1 hash:
8e21f86221892e43c95adfe05f385135fbf6886f
Link:
https://www.unpac.me/results/02d30b46-44b0-4b54-92d4-6ecec35dbb5b/
SH256 hash:
b35ef6b865bf13b12e702b62c7ee383d17094a6d91a1bbf0b0f0b9b7e80a50d4
MD5 hash:
c6329b58f43aabd2b9ea545afb22dda9
SHA1 hash:
b399e762737210d96f1a198d42b4ea3f21ef413c
Link:
https://www.unpac.me/results/02d30b46-44b0-4b54-92d4-6ecec35dbb5b/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b35ef6b865bf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b35ef6b865bf13b12e702b62c7ee383d17094a6d91a1bbf0b0f0b9b7e80a50d4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe b35ef6b865bf13b12e702b62c7ee383d17094a6d91a1bbf0b0f0b9b7e80a50d4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1724609/
  
Delivery method
Distributed via web download

Comments