MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb2f50a2b53a3f415fb70e295a84f1452c91fb65fd555bbb86ac3ff077d6750c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	cb2f50a2b53a3f415fb70e295a84f1452c91fb65fd555bbb86ac3ff077d6750c
SHA3-384 hash:	7656bb65fc69a980c56b062b3548568eea9869de64f7f65df37c0d5d6c9f6d50457e182c483a0b7b32ef8829d24c3e18
SHA1 hash:	f2611acb3755752e3f13fd020ae829c9b8a35ea9
MD5 hash:	6b75d06de464a7a9c1dcfb3de587aeef
humanhash:	uniform-orange-johnny-eleven
File name:	6b75d06de464a7a9c1dcfb3de587aeef.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	166'400 bytes
First seen:	2021-08-18 14:32:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6a9657dd2be807f14d297122d44062e6 (1 x RedLineStealer, 1 x ArkeiStealer)
ssdeep	3072:XB/TY9obwRA7N8zh/jBNsWR9TjS6WMOKT0yB3N:XXF8zxtXvVF
Threatray	3'479 similar samples on MalwareBazaar
TLSH	T12BF3CF127490C472C5D6053140E1FEA0EABBF83126A5457B77A82A6FEF307D1663B39B
dhash icon	1072c092b0381902 (9 x RedLineStealer, 9 x RaccoonStealer, 4 x CryptBot)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

129

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6b75d06de464a7a9c1dcfb3de587aeef.exe

Verdict:

No threats detected

Analysis date:

2021-08-18 14:33:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fe9f84f9-6ce4-4b87-849b-327534c17479

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/180365/

Detection(s):

Win.Malware.Generic-9886621-0

Result

Verdict:

Malware

Maliciousness:

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bf5893b1-da6b-445c-9f59-f6b5b455fc51

Result

Threat name:

RedLine SmokeLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/835185

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cb2f50a2b53a3f415fb70e295a84f1452c91fb65fd555bbb86ac3ff077d6750c/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-08-18 14:33:04 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Verdict:

suspicious

ArkeiStealer

3b3a5a4dcb2a74053b9ef1514557ea3e19c14f818ff2dce8a06166b421b4c5a2

ArkeiStealer

3c6212ddbefc0ac8d886d5c9efd10cee871af389d56ec4f96fd9ff08e8592379

ArkeiStealer

3f511c7b45036ebc633cfc2d8ddd0f4fd97114f87bb1ea4228d880b9bcaafee9

ArkeiStealer

423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110

ArkeiStealer

55841ee53c8625566be9b77526f490765cb5656ba617e54da636b2290753d597

ArkeiStealer

730d5cdac8d6180133eefb3433f835ef496f0a8a1eb80006536878fc638a17fa

ArkeiStealer

95d9e11ec01f83253ab4bd861de609f52b101c160214612d5ffa615f3c931a7c

ArkeiStealer

df0fb9e7bd0899c3d92f8b150a6e38f00940c2246f3d4591902af4fc28f9a569

ArkeiStealer

fb412e008d09b7ccfd249e3dcbdd7dcc44407775fdb2a8d001ca80890e232a9e

ArkeiStealer

+ 3'469 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:redline family:smokeloader family:vidar botnet:517 backdoor discovery evasion infostealer persistence spyware stealer themida trojan

Link:

https://tria.ge/reports/210818-131y7wp6be/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Looks up external IP address via web service

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Themida packer

Downloads MZ/PE file

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

RedLine

RedLine Payload

SmokeLoader

Vidar

Malware Config

C2 Extraction:

http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
185.215.113.29:8889
https://lenak513.tumblr.com/

Unpacked files

SH256 hash:

18cd8e90fcd46329480f24d43baa489683b3ee2fcd274bf1714947ef307a6ab2

MD5 hash:

f2fecf6872ad4c61a3a506159fddd4fc

SHA1 hash:

28e039eb96dcf58841992280c66433a2bbab8e84

Link:

https://www.unpac.me/results/fc323131-ea98-4aea-9408-2fda5fdf5b9a/

SH256 hash:

cb2f50a2b53a3f415fb70e295a84f1452c91fb65fd555bbb86ac3ff077d6750c

MD5 hash:

6b75d06de464a7a9c1dcfb3de587aeef

SHA1 hash:

f2611acb3755752e3f13fd020ae829c9b8a35ea9

Link:

https://www.unpac.me/results/fc323131-ea98-4aea-9408-2fda5fdf5b9a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cb2f50a2b53a3f415fb70e295a84f1452c91fb65fd555bbb86ac3ff077d6750c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe cb2f50a2b53a3f415fb70e295a84f1452c91fb65fd555bbb86ac3ff077d6750c

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1533747/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/180365/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample