MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf1a8304da78b6286a412d33ef3e0390949eb83e5b08ad63c006ed578d5d4c95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 11



SHA256 hash: cf1a8304da78b6286a412d33ef3e0390949eb83e5b08ad63c006ed578d5d4c95
SHA3-384 hash: 4a4ddcb4c9c216e46ae7f76307abe3de24bd8ba5d2bf2953d8d04eac7873430bf9c971660938fb1c8920bdbbece195be
SHA1 hash: 7e6320fa26dd41b212ed9fac3cf3c61919af5325
MD5 hash: 29dea0ba258723098a514297f4c4d0b7
humanhash: jupiter-lemon-bakerloo-lake
File name: 29DEA0BA258723098A514297F4C4D0B7.exe
Signature: ArkeiStealer
File size: 9'536'167 bytes
First seen: 2021-04-04 21:35:26 UTC
Last seen: 2021-04-04 22:13:01 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep: 196608:itUoSaeBgWfOyjpq3Tb+aUisKhfQKcPLKm5gXzDIycu:Too0Db+a75hfy+Mgrcu
Threatray: 668 similar samples on MalwareBazaar
TLSH: 9AA6333175811D39D03518359E8A4277343A7F91BB2E6CDFB8E8AA2C953B7413F2874A
Reporter: abuse_ch
Tags: ArkeiStealer exe
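As an added example (not code from MalwareBazaar or abuse.ch), the Python below recomputes the four digests the entry lists, reports which of them a local file agrees with, and checks the convention visible in this entry that the file name is the sample's MD5 in upper case. The hash constants are copied from the entry; any file paths are the reader's own, and the bytes hashed in the usage note are constructed. Fuzzy and structural hashes (imphash, ssdeep, TLSH) need third-party libraries and are not covered here.

```python
"""Hash-based triage against this MalwareBazaar entry.

Added example, not code from MalwareBazaar. KNOWN holds the four digests listed
for the entry above; file paths passed on the command line are the reader's own.
"""
import hashlib
import sys
from pathlib import Path

ALGOS = ("sha256", "sha3_384", "sha1", "md5")

# Digests from the entry (lower-case hex, as hashlib emits them).
KNOWN = {
    "sha256": "cf1a8304da78b6286a412d33ef3e0390949eb83e5b08ad63c006ed578d5d4c95",
    "sha3_384": "4a4ddcb4c9c216e46ae7f76307abe3de24bd8ba5d2bf2953d8d04eac7873430bf9c971660938fb1c8920bdbbece195be",
    "sha1": "7e6320fa26dd41b212ed9fac3cf3c61919af5325",
    "md5": "29dea0ba258723098a514297f4c4d0b7",
}


def digests(data: bytes) -> dict:
    """Digests of an in-memory blob under all four algorithms."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digests_of_file(path, chunk_size: int = 1 << 20) -> dict:
    """Stream a file once and feed every hash object; a 9.5 MB sample is not read into memory."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def match(ds: dict, known: dict = KNOWN) -> list:
    """Algorithms under which ds agrees with the entry (case-insensitive).

    A genuine hit agrees under every algorithm; a partial list means either a
    mistyped IOC or a file that only shares one weak hash (MD5/SHA1).
    """
    return [a for a in ALGOS if ds.get(a, "").lower() == known[a].lower()]


def filename_is_md5(name: str, md5: str) -> bool:
    """True when the file name is the MD5 (any case) plus an extension, as on this entry."""
    return Path(name).stem.lower() == md5.lower()


if __name__ == "__main__":
    for p in sys.argv[1:]:
        ds = digests_of_file(p)
        hit = match(ds)
        print(f"{p}: {'MATCH ' + ','.join(hit) if hit else 'no match'}  sha256={ds['sha256']}")
```

Run it as `python triage.py <file> ...`; a file that agrees under only one algorithm should be treated as a data-quality problem in the IOC feed rather than as a confirmed sample.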


abuse_ch
ArkeiStealer C2:
http://cache.krishgarden.com/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                            ThreatFox Reference
http://cache.krishgarden.com/  https://threatfox.abuse.ch/ioc/6764/

Intelligence


File Origin
# of uploads: 2
# of downloads: 220
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Creating a file in the Program Files directory
Creating a file in the Windows subdirectories
Searching for the window
DNS request
Sending a UDP request
Sending a custom TCP request
Reading critical registry keys
Sending an HTTP GET request
Launching a process
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
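The autorun entry in the behaviour list above (the standard Software\Microsoft\Windows\CurrentVersion\Run branch) together with files dropped into %temp%, Program Files and user directories is what a responder checks first on a suspected host. As an added example, not code from MalwareBazaar or from any sandbox vendor, here is a Python parser for a Windows .reg export that flags Run/RunOnce values pointing into user-writable directories or invoking script hosts. The export embedded below is constructed; only the path C:\Users\user\AppData\Local\Temp\haleng.exe appears in this entry's behaviour graph, and every other value name and path is invented for the example.

```python
r"""Triage of autorun (Run / RunOnce) entries in a Windows .reg export.

Added example; not code from MalwareBazaar or from any sandbox vendor. The
registry export below is constructed. Only the path
C:\Users\user\AppData\Local\Temp\haleng.exe comes from this entry's behaviour
graph; every other value name and path is invented.
"""
import re

# Keys whose values are executed at logon. HKCU and HKLM variants both end this way.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.I)

# Directories a user (and therefore a dropper) can write to. AppData as a whole is
# deliberately not listed: legitimate per-user software lives there and the check
# would drown in noise.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\documents\\",
    "\\downloads\\",
    "\\users\\public\\",
    "\\programdata\\",
)
# Interpreters / proxies the behaviour graph shows (wscript -> rundll32) and their usual company.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
                "mshta.exe", "powershell.exe", "cmd.exe")

# "Name"=data  or  @=data ; the name may contain escaped quotes and backslashes.
VALUE_LINE = re.compile(r'(?:"((?:[^"\\]|\\.)*)"|@)=(.*)')


def _unescape(s: str) -> str:
    """Undo .reg escaping: a doubled backslash becomes one, a backslash-quote becomes a quote."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text: str):
    """Yield (key, value_name, string_data) for REG_SZ values in a .reg export.

    Real exports are UTF-16LE; read them with open(path, encoding="utf-16").
    hex(...) and dword values (REG_EXPAND_SZ, REG_BINARY, ...) are skipped here.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.fullmatch(line)
        if not m or key is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            yield key, name, _unescape(data[1:-1])


def flag_run_entries(text: str) -> list:
    """Return (key, value_name, command, reasons) for suspicious autorun values."""
    findings = []
    for key, name, cmd in parse_reg(text):
        if not RUN_KEY.search(key):
            continue
        low = cmd.lower()
        reasons = [d for d in SUSPICIOUS_DIRS if d in low]
        reasons += [h for h in SCRIPT_HOSTS if h in low]
        if reasons:
            findings.append((key, name, cmd, reasons))
    return findings


# Constructed export: one benign per-user entry, three dropper-style entries, one benign HKLM entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"haleng"="C:\\Users\\user\\AppData\\Local\\Temp\\haleng.exe"
"Setup"="C:\\Users\\user\\Documents\\setup_files\\sample.exe"
"Updater"="wscript.exe //B \"C:\\Users\\user\\AppData\\Roaming\\up.vbs\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"""

if __name__ == "__main__":
    for key, name, cmd, reasons in flag_run_entries(SAMPLE_REG):
        print(f"{key}\\{name}: {cmd}  <- {', '.join(reasons)}")
```

The OneDrive entry is left unflagged on purpose: it shows why AppData as a whole cannot be in the suspicious list, while Temp, Documents and a script-host launcher are narrow enough to be worth an analyst's time. Export the live keys with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and feed the file to `parse_reg`.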
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cyberduck Vidar
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Cyberduck
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 381761   Sample: nnrlOwKZlc.exe   Start date: 04/04/2021   Architecture: WINDOWS   Score: 100

Sample-level network contacts: 35.190.11.164 (GOOGLEUS, United States); 138.197.53.157 (DIGITALOCEAN-ASNUS, United States); 4 other IPs or domains
Sample-level signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 16 other signatures

Process tree (dropped files, network contacts and signatures are listed under the process they belong to):

nnrlOwKZlc.exe
  dropped: C:\Program Files (x86)\...\jg7_7wjg.exe (PE32); C:\Program Files (x86)\...\hjjgaa.exe (PE32); C:\Program Files (x86)\...\guihuali-game.exe (PE32); 9 other files (5 malicious)
  guihuali-game.exe
    dropped: C:\Program Files\unins0000.dll (PE32); 5 other files (none malicious)
    wscript.exe
      rundll32.exe
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
        svchost.exe (injected)
          signatures: Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
  RunWW.exe
    network: 157.90.153.134 (REDIRISRedIRISAutonomousSystemES, United States); 104.17.63.50 (CLOUDFLARENETUS, United States)
    dropped: C:\Users\user\AppData\...\msvcp140[1].dll (PE32); 11 other files (none malicious)
    signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
  22.exe
    dropped: C:\Program Files\javcse\install.dll (PE32)
    wscript.exe
      rundll32.exe
    conhost.exe
  8 other processes
    network: 101.36.107.74 (UHGL-AS-APUCloudHKHoldingsGroupLimitedHK, China); 208.95.112.1 (TUT-ASUS, United States); 7 other IPs or domains
    dropped: C:\Users\user\Documents\...\jg7_7wjg.exe (PE32); C:\Users\user\AppData\Local\Temp\haleng.exe (PE32); C:\Users\user\AppData\Local\...\setups.exe (PE32); C:\Users\user\AppData\...\multitimer.exe (PE32)
    jfiag3g_gg.exe
      signatures: Tries to harvest and steal browser information (history, passwords, etc)
    LabPicV3.tmp
      network: 52.95.169.44 (AMAZON-02US, United States)
      dropped: C:\Users\user\AppData\Local\...\ppppppfy.exe (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      ppppppfy.exe
        network: 2.20.142.210 (AKAMAI-ASN1EU, European Union); 162.0.210.44 (ACPCA, Canada)
    lylal220.tmp
      network: 52.218.26.48 (AMAZON-02US, United States)
      dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\Microsoft.exe (PE32)
      Microsoft.exe
        dropped: C:\Program Files\windows nt\...\irecord.exe (PE32)
    2 other processes
      network: 104.248.119.44 (DIGITALOCEAN-ASNUS, United States)
haleng.exe
  dropped: C:\Users\user\AppData\...\jfiag3g_gg.exe (PE32)
  signatures: Tries to detect debuggers by setting the trap flag for special instructions; Tries to detect virtualization through RDTSC time measurements
svchost.exe
Threat name:
Win32.Trojan.Fabookie
Status:
Malicious
First seen:
2021-04-02 20:24:01 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:glupteba family:metasploit family:smokeloader family:vidar family:xmrig backdoor discovery dropper loader miner persistence spyware stealer trojan upx vmprotect
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
VMProtect packed file
XMRig Miner Payload
Glupteba
Glupteba Payload
MetaSploit
SmokeLoader
Vidar
xmrig
Malware Config
C2 Extraction:
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
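As an added example (not code from MalwareBazaar or abuse.ch), the Python below normalises the C2 URLs of this entry into hostnames, scans constructed DNS and proxy log lines for exact hits, and separately reports hostnames that only share the naming shape every extracted URL above has (a 999080321 prefix, a hyphen, then a second label and a TLD). That shape match is a heuristic derived from this one list and should be treated as lower confidence than an exact IOC hit. Only a subset of the URLs is embedded to keep the block short; the log lines are constructed.

```python
"""Network IOC matching for the C2 indicators of this entry.

Added example; not code from MalwareBazaar or abuse.ch. C2_URLS reproduces a
subset of the URLs shown on this page (the reporter's C2 and a few of the
extracted config URLs). SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import urlsplit

C2_URLS = [
    "http://cache.krishgarden.com/",
    "http://999080321newfolder1002002131-service1002.space/",
    "http://999080321newfolder33417-012425999080321.space/",
    "http://999080321test125831-service10020125999080321.space/",
    "http://999080321est213531-service1002012425999080321.ru/",
    "http://999080321test11-service10020125999080321.press/",
]

# Every extracted config URL on this entry has the shape 999080321<label>-<label>.<tld>.
# Hosts that only match this shape are reported separately as lower-confidence hits.
FAMILY_PATTERN = re.compile(r"^999080321[a-z0-9]+-[a-z0-9]+\.[a-z]+$")

# Hostname-looking tokens in a lower-cased log line. IPv4 addresses do not match
# because the final label must be alphabetic.
HOST_TOKEN = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")


def c2_hosts(urls) -> set:
    """Normalise URLs to lower-case hostnames without port or trailing dot."""
    hosts = set()
    for u in urls:
        h = (urlsplit(u).hostname or "").rstrip(".").lower()
        if h:
            hosts.add(h)
    return hosts


def scan(lines, hosts) -> list:
    """Return (line_no, host, reason) for each hostname hit in the log lines.

    reason is 'ioc' for an exact match against the entry's hosts and 'pattern'
    for a host that only matches FAMILY_PATTERN.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in HOST_TOKEN.findall(line.lower()):
            tok = tok.rstrip(".")
            if tok in hosts:
                hits.append((n, tok, "ioc"))
            elif FAMILY_PATTERN.match(tok):
                hits.append((n, tok, "pattern"))
    return hits


# Constructed DNS / proxy log lines; timestamps follow the entry's first-seen date.
SAMPLE_LOG = [
    "2021-04-04T21:40:02Z dns client=10.0.0.12 query=cache.krishgarden.com type=A",
    "2021-04-04T21:40:05Z proxy client=10.0.0.12 GET http://999080321newfolder1002002131-service1002.space/ 200",
    "2021-04-04T21:40:09Z dns client=10.0.0.12 query=999080321test999-service1002xyz.xyz type=A",
    "2021-04-04T21:41:00Z dns client=10.0.0.13 query=www.example.com type=A",
    "2021-04-04T21:41:01Z proxy client=10.0.0.13 GET http://138.197.53.157/ 404",
]

if __name__ == "__main__":
    for n, host, reason in scan(SAMPLE_LOG, c2_hosts(C2_URLS)):
        print(f"line {n}: {host} [{reason}]")
```

The third log line is the point of the pattern branch: a host that is not in the extracted config but follows the same naming scheme, which is what a rotated C2 domain would look like. The fifth line contains one of the sandbox-observed IPs and deliberately produces no hit, because this block matches hostnames only; IP matching belongs in a separate list with its own expiry.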
Unpacked files
SHA256 hash: 682fe1b3ddd4e66e0c3d34c7f5e1193143a1db6d2b7f77bd7f9c918ad5116cc4
MD5 hash: ad86a5fb6534da5adbc3090236cbaf55
SHA1 hash: d74f0f196fdcbf79aec7b2b738f48efff6892810
Detections: win_vidar_auto

SHA256 hash: 180f32ba3e29dc570330a28ef64361beafbb857b44cf04137e4dcd3cae38837a
MD5 hash: e7448e60bfba3b4128ffb885f7fbeefe
SHA1 hash: 70ccffe51bccb6d8fa439293273bafeb2580d045

SHA256 hash: fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash: 8b603b23caf00139206f293eb741a9f0
SHA1 hash: 1cc90aec7ce07b13930fe0c088fe3cd155b3ea07

SHA256 hash: 276a1a0800999b80d42105000217a70fb36f6ec451518c0fc179498c6700f389
MD5 hash: a596b0e8f6f938943653dfa448a03bb1
SHA1 hash: 12508a85cdd84419e7122be37547fef716f0c40e

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: 0ac9f1a83b7e0c91d633d14cfd299ac45634859af1b4234a547e7838d0b5a847
MD5 hash: ea4cd9d7271dcb2072524da4b2f352ba
SHA1 hash: e1a505a6d64458484164138e6b53226afac68616

SHA256 hash: a98bc4c8fb14cf8716225f9c7ce030611ec8ef501062111ebea6cd6f8e47d1ef
MD5 hash: f256bf7fecad9bd699fb873a599ccd4d
SHA1 hash: cf0971ebec942b367eb39b041b8c9a2247cebaa4

SHA256 hash: 6ffc6fd1715ac796f07168faa08aa74bf3c5bfaf587b44298e26dccf449edcb2
MD5 hash: 600f85b9bfe30ea1e7f9aa286bf76f22
SHA1 hash: be72a035d440202c44c3721a9c35bf9b8286894c

SHA256 hash: dba96f50e641d24dac2477c1c723bf162a83621af59cef22cb8a9c159c6282c2
MD5 hash: 34a10b48b23104458b13c6c104b75bbf
SHA1 hash: 6ea0f7fb4b064f1840b8d626a3f5a6c2b052da67

SHA256 hash: 0a7e8a8ca5abd7a2598c8a04521b0cb5d006bc1fb212c0d94a9de7d7d579ffb8
MD5 hash: 460742790e2c251afc782a62c30d6f98
SHA1 hash: a040d68ce94f48fa7b1e57f3d96ad76622fd40b7

SHA256 hash: f65ed97396e1b3c6f7ef567de8876bd9d956b128175292dece2c5baaf5c96abf
MD5 hash: 7cda64e79e5b27b696a7a016d5ea520f
SHA1 hash: 6a34d533baf1535c1ab98d12c8c9680b74e9fee1

SHA256 hash: 4edfdee11c4b91a0ee230ddb157988aa5a9a7694fad20ce467073522a2ed668c
MD5 hash: 42461df30b7ccc43cfc9db9834a629b2
SHA1 hash: 7c1385edfd30b0ca41c1ce81b571940dc04ca3ad

SHA256 hash: 0c881eda0af9c5ed5c2bcd004cb501939c0424b61342aa2088197e81a2728f51
MD5 hash: 7560f99758257e0137a314e049e8df94
SHA1 hash: 17937535bfd464f69c768955840ff3025fda993e

SHA256 hash: 1aa8e6ebcf846b3ac848458e043950b5eb96ce20fa6d649e1888a5ec81bf6e9d
MD5 hash: a7d4cb1da51b319e4cb6c818fd758ce1
SHA1 hash: d4eb9f060e6c9ccdfdd460575834cb6d92b0b8bc

SHA256 hash: cf1a8304da78b6286a412d33ef3e0390949eb83e5b08ad63c006ed578d5d4c95 (this sample)
MD5 hash: 29dea0ba258723098a514297f4c4d0b7
SHA1 hash: 7e6320fa26dd41b212ed9fac3cf3c61919af5325
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: Cryptocoin_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20
Author: Florian Roth
Description: Detects XMRIG crypto coin miners
Reference: https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: win_vidar_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

Rule name: XMRIG_Miner

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: ArkeiStealer
File type: Executable exe
SHA256: cf1a8304da78b6286a412d33ef3e0390949eb83e5b08ad63c006ed578d5d4c95 (this sample)

Comments