MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5a3d18a0bd8071a301dee8996a71293cf7d96ebdbdb15cc780e1b96f081eaf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5a3d18a0bd8071a301dee8996a71293cf7d96ebdbdb15cc780e1b96f081eaf4
SHA3-384 hash: 35962d835707d159b56e9f3b25d69f4a012aaf44a19849313a393ac11b8c5e0934b0498a12bc1e5d004cb863888e0a22
SHA1 hash: 96a22c7b5b8a7bb7012b29e3455a2ea0d49a4fe1
MD5 hash: 54f1655dee82cfacb6fc5182e0f0dd01
humanhash: whiskey-wyoming-black-mountain
File name:54f1655dee82cfacb6fc5182e0f0dd01.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:239'616 bytes
First seen:2021-10-07 07:15:42 UTC
Last seen:2021-10-07 08:06:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 654aff1ee1bc89531bd3b96ebe76ae67 (5 x RaccoonStealer, 3 x ArkeiStealer, 1 x CoinMiner)
ssdeep 6144:UQ5hWbBln6ofioGGtxSzM7ZF58+ad5rwpBxlw0:UQ50bBoofigt954HGBc
Threatray 4'881 similar samples on MalwareBazaar
TLSH T1BD348D10ABE0C038F1B716F94979D3A8A93EBDB16B2490CF52C526EA56747E4EC70353
File icon (PE):PE icon
dhash icon e8e8e8e8aa62a499 (21 x RaccoonStealer, 11 x ArkeiStealer, 4 x RedLineStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://91.219.236.103/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.103/ https://threatfox.abuse.ch/ioc/231120/

Intelligence

File Origin
# of uploads :
2
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
54f1655dee82cfacb6fc5182e0f0dd01.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-07 07:21:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9b8fd416-ab8f-4607-a448-9c43a39ef27e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195649/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.18245.8742.30940.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/615e9ebcb95458900cdde39f/reports/d4248216-75e7-4adb-8423-5b696f05f1d4/overview
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866090
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses known network protocols on non-standard ports
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 498521 Sample: VJ1CIaMJSc.exe Startdate: 07/10/2021 Architecture: WINDOWS Score: 100 59 91.219.236.103, 49794, 80 SERVERASTRA-ASHU Hungary 2->59 61 teletop.top 172.67.176.216, 49793, 80 CLOUDFLARENETUS United States 2->61 63 3 other IPs or domains 2->63 73 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->73 75 Antivirus detection for dropped file 2->75 77 Multi AV Scanner detection for dropped file 2->77 79 14 other signatures 2->79 10 VJ1CIaMJSc.exe 2->10         started        13 tgihurb 2->13         started        15 svchost.exe 1 2->15         started        17 svchost.exe 1 2->17         started        signatures3 process4 signatures5 89 Detected unpacking (changes PE section rights) 10->89 91 Contains functionality to inject code into remote processes 10->91 93 Injects a PE file into a foreign processes 10->93 19 VJ1CIaMJSc.exe 10->19         started        95 Multi AV Scanner detection for dropped file 13->95 97 Machine Learning detection for dropped file 13->97 22 tgihurb 13->22         started        process6 signatures7 81 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->81 83 Maps a DLL or memory area into another process 19->83 85 Checks if the current machine is a virtual machine (disk enumeration) 19->85 24 explorer.exe 12 19->24 injected 87 Creates a thread in another existing process (thread injection) 22->87 process8 dnsIp9 65 193.56.146.41, 49769, 9080 LVLT-10753US unknown 24->65 67 paishancho17.top 94.142.140.28, 49751, 49752, 49755 IHOR-ASRU Russian Federation 24->67 69 3 other IPs or domains 24->69 49 C:\Users\user\AppData\Roaming\tgihurb, PE32 24->49 dropped 51 C:\Users\user\AppData\Local\Temp\F1B1.exe, PE32 24->51 dropped 53 C:\Users\user\AppData\Local\Temp20D.exe, PE32 24->53 dropped 55 4 other malicious files 24->55 dropped 99 System process connects to network (likely due to code injection or exploit) 24->99 101 Benign windows process drops PE files 24->101 103 Deletes itself after installation 24->103 105 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->105 29 D04D.exe 3 24->29         started        32 CDB9.exe 3 24->32         started        35 E20D.exe 2 24->35         started        38 B907.exe 2 24->38         started        file10 signatures11 process12 dnsIp13 107 Multi AV Scanner detection for dropped file 29->107 109 Detected unpacking (changes PE section rights) 29->109 111 Query firmware table information (likely to detect VMs) 29->111 113 Tries to detect sandboxes and other dynamic analysis tools (window names) 29->113 57 190.2.145.108, 12608, 49858 WORLDSTREAMNL Curacao 32->57 115 Hides threads from debuggers 32->115 117 Tries to detect sandboxes / dynamic malware analysis system (registry check) 32->117 40 conhost.exe 32->40         started        47 C:\Users\user\AppData\Local\...\ecmkkajz.exe, PE32 35->47 dropped 119 Detected unpacking (overwrites its own PE header) 35->119 121 Machine Learning detection for dropped file 35->121 123 Antivirus detection for dropped file 38->123 42 B907.exe 2 38->42         started        45 conhost.exe 38->45         started        file14 signatures15 process16 dnsIp17 71 93.115.20.139, 28978, 49827 MVPShttpswwwmvpsnetEU Romania 42->71
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5a3d18a0bd8071a301dee8996a71293cf7d96ebdbdb15cc780e1b96f081eaf4/
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2021-10-07 07:16:13 UTC
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ywr5dcql3adruma552eznjyssphx3fxl3pnrltdybynzn4eb5l2a._file
Verdict:
malicious
Similar samples:
44e29e5cd002e8d4d4f13432847f38fa79a1667b5fdef9b9f316c3501f3bb480
ArkeiStealer
4ba939154ee9df1004629da3aee541a36eb4faabe421190ddbbbf1ccd195e03a
ArkeiStealer
85450b08c8b089b5a642511b086c838e568dbc5a30174a398bb44eb62db6fdb6
ArkeiStealer
d14036b4ab78b2c6121138471582c33a4bf0dbd2076f4c9e640d34a994fce2d3
ArkeiStealer
d4bec541272c470bc24653ca13fe85d4011e300b79026b767c6bd3abcb93b637
ArkeiStealer
d852901bdc93f05c0dbb9692dfe08ca5465dadce441ef722b617314578fd5c0f
ArkeiStealer
d9d7046f7539fd97259759a51b02650790a961ddb0d8f0b9f31c76faf6d63a91
ArkeiStealer
e01749cfd587ae7029247ef900df2eb0e89e2fc594ca665d460a73bfa9564647
ArkeiStealer
ec078bf46a67bb519f2f15227a024af19356993f9b5b26bd16d9248f42fb373d
ArkeiStealer
f085d79b0b46ad9eda7f2191e2e668314553251ab5d0f4936f84cd2c1afa2564
ArkeiStealer
+ 4'871 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:vidar botnet:2ea41939378a473cbe7002fd507389778c0f10e7 botnet:800 botnet:8d179b9e611eee525425544ee8c6d77360ab7cd9 backdoor discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/211007-h3t46abhh9/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Raccoon
RedLine
RedLine Payload
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://fiskahlilian16.top/
http://paishancho17.top/
http://ydiannetter18.top/
http://azarehanelle19.top/
http://quericeriant20.top/
87.251.71.44:80
Unpacked files
SH256 hash:
592b089027938156e18387e4402b965a5f1ffc25e96d7efc3aa9331254587bdd
MD5 hash:
2dbb1eb8c40c88994738a736ad55c79b
SHA1 hash:
88e2fc9242606c7dfcd68d5da8c6d457837157a3
Link:
https://www.unpac.me/results/5f5168db-9fcd-4748-801b-87612c186850/
SH256 hash:
c5a3d18a0bd8071a301dee8996a71293cf7d96ebdbdb15cc780e1b96f081eaf4
MD5 hash:
54f1655dee82cfacb6fc5182e0f0dd01
SHA1 hash:
96a22c7b5b8a7bb7012b29e3455a2ea0d49a4fe1
Link:
https://www.unpac.me/results/5f5168db-9fcd-4748-801b-87612c186850/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c5a3d18a0bd8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5a3d18a0bd8071a301dee8996a71293cf7d96ebdbdb15cc780e1b96f081eaf4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe c5a3d18a0bd8071a301dee8996a71293cf7d96ebdbdb15cc780e1b96f081eaf4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1653238/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/195649/

Comments