MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 cb7c7567aa9da41eadff19b56b75fd720229511d0c1b46bb73370dff2d671757. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
ArkeiStealer
Vendor detections: 7
| SHA256 hash: | cb7c7567aa9da41eadff19b56b75fd720229511d0c1b46bb73370dff2d671757 |
|---|---|
| SHA3-384 hash: | 4711275d6f45dcef3091884242f4900645166ffa463b9c78c8752939f5aca78c09ecba41d21fa841aabf4fb648abc422 |
| SHA1 hash: | f4fa3b6f129efd875dbd175affa057af45c7333b |
| MD5 hash: | 154f9e0c5e47ef8ad9d4a65d5269a706 |
| humanhash: | cola-kansas-mississippi-romeo |
| File name: | 154F9E0C5E47EF8AD9D4A65D5269A706.exe |
| Download: | download sample |
| Signature | ArkeiStealer |
| File size: | 390'113 bytes |
| First seen: | 2021-04-20 20:45:25 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'503 x Socks5Systemz, 262 x RaccoonStealer) |
| ssdeep | 6144:x/QiQXCTkm+ksmpk3U9j0IZMOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3TP6m6UR0IalL//plmW9bTXeVhDrE |
| TLSH | 31841243F3E15435E073CEB06CA0E962893B7D614DBC650836ECAD8E9F3B5829256793 |
| Reporter |  abuse_ch |
| Tags: | ArkeiStealer exe |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| 195.123.208.194:80 | https://threatfox.abuse.ch/ioc/9312/ |
| http://49.12.77.13/ | https://threatfox.abuse.ch/ioc/9313/ |
Intelligence
File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Sending a UDP request
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Sending an HTTP POST request
Creating a file
Deleting a recently created file
Moving a file to the Program Files subdirectory
Adding an access-denied ACE
Launching a process
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Creating a file in the Program Files directory
Reading critical registry keys
Moving a recently created file
Unauthorized injection to a recently created process
Setting a single autorun event
Sending a TCP request to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Win32.Trojan.DustySky
Status:
Malicious
First seen:
2021-04-17 19:07:00 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
5/5
Detection(s):
Malicious file
Result
Malware family:
vidar
Score:
10/10
Tags:
family:glupteba family:metasploit family:raccoon family:redline family:smokeloader family:vidar botnet:9afb493c6f82d08075dbbfa7d93ce97f1dbf4733 backdoor discovery dropper evasion infostealer loader persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Download via BitsAdmin
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in System32 directory
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks for any installed AV software in registry
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
Checks for common network interception software
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Glupteba
Glupteba Payload
MetaSploit
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Chrome_stealer_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Chrome in files like avemaria |
| Rule name: | Cryptocoin_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Steam in files like avemaria |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables containing SQL queries to confidential data stores. Observed in infostealers |
| Rule name: | IPPort_combo_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | IP and port combo |
| Rule name: | Keylog_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Contains Keylog |
| Rule name: | Ping_Del_method_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | cmd ping IP nul del |
| Rule name: | SUSP_XORed_MSDOS_Stub_Message |
|---|---|
| Author: | Florian Roth |
| Description: | Detects suspicious XORed MSDOS stub message |
| Reference: | https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings |
| Rule name: | with_sqlite |
|---|---|
| Author: | Julian J. Gonzalez <info@seguridadparatodos.es> |
| Description: | Rule to detect the presence of SQLite data in raw image |
| Reference: | http://www.st2labs.com |
| Rule name: | XMRIG_Miner |
|---|
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [C0021] Cryptography Micro-objective::Generate Pseudo-random Sequence
2) [C0032.001] Data Micro-objective::CRC32::Checksum
3) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0046] File System Micro-objective::Create Directory
6) [C0048] File System Micro-objective::Delete Directory
7) [C0047] File System Micro-objective::Delete File
8) [C0049] File System Micro-objective::Get File Attributes
9) [C0051] File System Micro-objective::Read File
10) [C0052] File System Micro-objective::Writes File
11) [C0007] Memory Micro-objective::Allocate Memory
12) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
13) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
14) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
15) [C0017.003] Process Micro-objective::Create Suspended Process::Create Process
16) [C0017] Process Micro-objective::Create Process
17) [C0041] Process Micro-objective::Set Thread Local Storage Value
18) [C0018] Process Micro-objective::Terminate Process