MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc99b42680a19379e7030dc0871c143afd142ccb9b12efd2942a97e706f7dd59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc99b42680a19379e7030dc0871c143afd142ccb9b12efd2942a97e706f7dd59
SHA3-384 hash: 58f7ad93731dd18367a725b1c47481c6f8d20fa5b47581f33d5e8dc3dc3743daca4a2c6d0b52c1aac1c2aace6af7b5e4
SHA1 hash: 93a37faab4f76299b10cf4f3fa0379965942e152
MD5 hash: 02d5590fabba5fba6c36de045e144857
humanhash: london-nineteen-robert-robin
File name:02d5590fabba5fba6c36de045e144857
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:53'248 bytes
First seen:2021-08-25 19:03:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:9lNiIgb/wpivbLBvt6eLitlVaDVZwnyKCEVejKdgLhyBzH6yh3ayq8uF:+MpILMlVaInQEoKdCaR3M
Threatray 531 similar samples on MalwareBazaar
TLSH T18133E115C7848A6EFBB547BC5BB2410A6330EA13D69ECF6F30442E063C57AB1DAA125C
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b40b2474c4cc44f5545dec1b9ab4f4b2.exe
Verdict:
Malicious activity
Analysis date:
2021-08-25 15:32:23 UTC
Tags:
loader opendir stealer trojan
Link:
https://app.any.run/tasks/f38d85cb-bdbc-467e-aa19-fd61a4398ca8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182406/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a UDP request
Connection attempt
Sending an HTTP GET request
Creating a file in the Windows subdirectories
Deleting a recently created file
Reading critical registry keys
Replacing files
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Creating a file in the Program Files directory
Running batch commands
Creating a process with a hidden window
DNS request
Launching a process
Stealing user critical data
Unauthorized injection to a recently created process
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/09711977-a69c-456a-b989-1d0f4d56dbdf
Result
Threat name:
Vidar Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839317
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 471748 Sample: hk74Rh7zD5 Startdate: 25/08/2021 Architecture: WINDOWS Score: 100 101 Sigma detected: Xmrig 2->101 103 Multi AV Scanner detection for domain / URL 2->103 105 Malicious sample detected (through community Yara rule) 2->105 107 11 other signatures 2->107 10 hk74Rh7zD5.exe 5 2->10         started        13 Runtlme.exe 2->13         started        17 svchost.exe 2->17         started        19 9 other processes 2->19 process3 dnsIp4 79 C:\Users\user\AppData\Local\Temp\Build.exe, PE32 10->79 dropped 81 C:\Users\user\AppData\...\hk74Rh7zD5.exe.log, ASCII 10->81 dropped 21 Build.exe 129 10->21         started        93 192.168.2.1 unknown unknown 13->93 137 Multi AV Scanner detection for dropped file 13->137 139 Machine Learning detection for dropped file 13->139 141 Injects code into the Windows Explorer (explorer.exe) 13->141 143 5 other signatures 13->143 26 explorer.exe 13->26         started        28 cmd.exe 13->28         started        95 127.0.0.1 unknown unknown 17->95 file5 signatures6 process7 dnsIp8 89 141.95.21.134, 49704, 80 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 21->89 67 C:\Users\user\AppData\Local\...\fasd[1].exe, PE32 21->67 dropped 69 C:\Program Files\file.exe, PE32 21->69 dropped 71 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 21->71 dropped 73 C:\ProgramData\sqlite3.dll, PE32 21->73 dropped 115 Antivirus detection for dropped file 21->115 117 Multi AV Scanner detection for dropped file 21->117 119 Machine Learning detection for dropped file 21->119 125 3 other signatures 21->125 30 file.exe 14 7 21->30         started        34 explorer.exe 21->34         started        37 sihost64.exe 21->37         started        43 2 other processes 21->43 91 xmr.2miners.com 26->91 121 System process connects to network (likely due to code injection or exploit) 26->121 123 Query firmware table information (likely to detect VMs) 26->123 39 conhost.exe 28->39         started        41 schtasks.exe 28->41         started        file9 signatures10 process11 dnsIp12 97 swretjhwrtj.gq 172.67.222.157, 49705, 80 CLOUDFLARENETUS United States 30->97 85 C:\Users\user\AppData\Local\Temp\xmr.exe, PE32+ 30->85 dropped 87 C:\Users\user\AppData\Local\Temp\...\.dll, PE32+ 30->87 dropped 45 xmr.exe 5 30->45         started        99 xmr.2miners.com 51.89.96.41, 12222, 49711, 49712 OVHFR France 34->99 109 System process connects to network (likely due to code injection or exploit) 34->109 111 Query firmware table information (likely to detect VMs) 34->111 113 Multi AV Scanner detection for dropped file 37->113 49 conhost.exe 43->49         started        51 timeout.exe 1 43->51         started        53 conhost.exe 43->53         started        55 schtasks.exe 43->55         started        file13 signatures14 process15 file16 83 C:\Users\user\AppData\Local\...\Runtlme.exe, PE32+ 45->83 dropped 145 Multi AV Scanner detection for dropped file 45->145 147 Machine Learning detection for dropped file 45->147 57 Runtlme.exe 45->57         started        61 cmd.exe 1 45->61         started        signatures17 process18 file19 75 C:\Users\user\AppData\...\sihost64.exe, PE32+ 57->75 dropped 77 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 57->77 dropped 127 Injects code into the Windows Explorer (explorer.exe) 57->127 129 Writes to foreign memory regions 57->129 131 Allocates memory in foreign processes 57->131 135 2 other signatures 57->135 133 Uses schtasks.exe or at.exe to add and modify task schedules 61->133 63 conhost.exe 61->63         started        65 schtasks.exe 61->65         started        signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc99b42680a19379e7030dc0871c143afd142ccb9b12efd2942a97e706f7dd59/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 19:04:06 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
02509150940d9d652f1f65aef43231c2bd30e5ff2816f02ecc3f93a63e11954e
ArkeiStealer
03eb4a70bc788ed9cd096d77502ef2f5788e4f3930c3bf5924cead278dc6872d
ArkeiStealer
2340f7976585cd113520b33eb51c6b57e37c6bad2fba29a48b8c7e8e784a2491
ArkeiStealer
a526e9dae9298bbd03ca2a8fc8a45809eac1543bbec4680182493c551d65f731
ArkeiStealer
b55bf0c98c34bb3ca46a7bb08598ffc1a97c9ad7bb47191cd1280b609322267f
ArkeiStealer
ca30c496c6e9e5f4bec63c03c70fbdb84327121bc2fdd5c8c086e76b0b6dcb1f
ArkeiStealer
ef25bb229ec8ca7d7b2e3d4e23036b74bdc8b9154bb4c5b532e7ea2a0a7c8ee6
ArkeiStealer
f43b25a5501033f574f0467cdf7534f50cdbec94c3d8a173a80ee9f54fce55eb
ArkeiStealer
f4ec629473fbe96fa82fe1c1e30e6784144163d662e1c977acf5bc1d62b20c0b
ArkeiStealer
+ 521 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig discovery miner spyware stealer
Link:
https://tria.ge/reports/210825-twff891lxx/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
63b82873c82e85e01c4bcbae4636c5a366c6309111cada1330ed99079a1897c1
MD5 hash:
39f450a040012f3ca505ce0496c8c8bb
SHA1 hash:
3283ca09da5d8bc936a898d630e8f0628abe70f5
Link:
https://www.unpac.me/results/3d05222c-df2e-4f73-b243-7d45b5b0cf27/
SH256 hash:
bc99b42680a19379e7030dc0871c143afd142ccb9b12efd2942a97e706f7dd59
MD5 hash:
02d5590fabba5fba6c36de045e144857
SHA1 hash:
93a37faab4f76299b10cf4f3fa0379965942e152
Link:
https://www.unpac.me/results/3d05222c-df2e-4f73-b243-7d45b5b0cf27/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bc99b42680a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc99b42680a19379e7030dc0871c143afd142ccb9b12efd2942a97e706f7dd59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe bc99b42680a19379e7030dc0871c143afd142ccb9b12efd2942a97e706f7dd59

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/182406/
  
URLhaus
https://urlhaus.abuse.ch/url/1564247/

Comments


Avatar
zbet commented on 2021-08-25 19:03:25 UTC

url : hxxp://swretjhwrtj.gq/B555uild.exe