MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e13ba9f6e63e4013b75c3d45b012d8cbdda80913669bdd10942828b05d66e798. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 8

SHA256 hash: e13ba9f6e63e4013b75c3d45b012d8cbdda80913669bdd10942828b05d66e798
SHA3-384 hash: 9e78bced90fa72410f9aa3feefeab60bedd46fc4e190db419ae4ad9eb7400cbd915bceea84a8ac4bdf84660a3b946dc0
SHA1 hash: adf15a75070b1b74a37ab23ab5cb4fdb019090f5
MD5 hash: 390bd3e463727b5545de6f128c1596bf
humanhash: autumn-carpet-hotel-hydrogen
File name: 390bd3e463727b5545de6f128c1596bf.exe
Signature: ArkeiStealer
File size: 7'605'360 bytes
First seen: 2021-05-20 19:05:14 UTC
Last seen: 2021-05-20 20:50:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep: 196608:itXGOEUvRACbmRoeIr2RRe+kzng/B87HXdWtoPwRMO7l8LY9K:sjvRAue82Te3zngp87NWtMSh7lON
Threatray: 718 similar samples on MalwareBazaar
TLSH: FC76333A709D4972E05714748CC7E822F83D6E04876A2CCF1ACE1E1E6477396AA727D7
Reporter: abuse_ch
Tags: ArkeiStealer exe
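Before handling a downloaded copy, confirm it is the file this record describes. The Python below is an added example, not MalwareBazaar code: it streams a file through MD5, SHA1, SHA256 and SHA3-384 in one pass and compares each against the digests listed above, treating SHA256 as the deciding field because MD5 and SHA1 are collision-prone. imphash, ssdeep and TLSH are deliberately left out (they need pefile, ssdeep and python-tlsh), and note that the imphash above is shared with RecordBreaker and RedLineStealer samples on the page's own count, so it is not a family-level identifier on its own.

```python
"""Verify a sample on disk against the digests recorded for this entry.

Added example, not code from MalwareBazaar. Only hashlib is used; imphash,
ssdeep and TLSH are left out because they need third-party libraries.
"""
import hashlib
import io
import sys
from typing import BinaryIO, Dict, Tuple

# Values copied from the database entry above.
RECORDED: Dict[str, object] = {
    "sha256": "e13ba9f6e63e4013b75c3d45b012d8cbdda80913669bdd10942828b05d66e798",
    "sha3_384": "9e78bced90fa72410f9aa3feefeab60bedd46fc4e190db419ae4ad9eb7400cbd915bceea84a8ac4bdf84660a3b946dc0",
    "sha1": "adf15a75070b1b74a37ab23ab5cb4fdb019090f5",
    "md5": "390bd3e463727b5545de6f128c1596bf",
    "size": 7605360,
}

DIGESTS = ("md5", "sha1", "sha256", "sha3_384")


def digest_stream(fp: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, object]:
    """One pass over the stream: all four digests plus the byte count.

    Chunked reading keeps memory flat for large samples (this one is 7.6 MB,
    but droppers of several hundred MB are common).
    """
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    size = 0
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    out: Dict[str, object] = {name: h.hexdigest() for name, h in hashers.items()}
    out["size"] = size
    return out


def digest_bytes(data: bytes) -> Dict[str, object]:
    """Convenience wrapper for in-memory data (used by the tests)."""
    return digest_stream(io.BytesIO(data))


def verify_sample(observed: Dict[str, object],
                  record: Dict[str, object] = RECORDED) -> Tuple[bool, Dict[str, bool]]:
    """Compare observed digests with the record field by field.

    The overall verdict follows SHA256 alone: MD5 and SHA1 are collision-prone,
    so agreement on those without SHA256 is not evidence of identity. A size or
    SHA3-384 mismatch alongside a SHA256 match would point at a corrupted record.
    """
    per_field = {k: (observed.get(k) == record[k]) for k in record}
    return per_field["sha256"], per_field


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: verify_sample.py <file>")
        sys.exit(2)
    with open(sys.argv[1], "rb") as fp:
        ok, fields = verify_sample(digest_stream(fp))
    for name, matched in fields.items():
        print(f"{name:9s} {'match' if matched else 'MISMATCH'}")
    sys.exit(0 if ok else 1)
```

Run it as `python verify_sample.py 390bd3e463727b5545de6f128c1596bf.exe`; a non-zero exit means the SHA256 did not match and the file should not be treated as this sample.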


Reporter comment (abuse_ch):
ArkeiStealer C2:
87.251.71.193:80

Indicators Of Compromise (IOCs)


Below is the indicator of compromise (IOC) associated with this malware sample, with its ThreatFox reference.

IOC               ThreatFox reference
87.251.71.193:80  https://threatfox.abuse.ch/ioc/49472/
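The ThreatFox entry gives the C2 as an ip:port pair. The Python below is an added example (not part of this page or of abuse.ch tooling) that matches that pair against a constructed Zeek-style conn.log excerpt and shows why the port matters: the same host on another port is not covered by the IOC unless you opt into IP-only matching, which catches more but also flags shared infrastructure. The log lines are constructed for the example; field order follows Zeek's conn.log (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto) with tabs collapsed to spaces.

```python
"""Match the network IOC from this entry against connection-log lines.

Added example, not page or ThreatFox code. The log excerpt below is
constructed for the example.
"""
import ipaddress
from typing import Iterable, List, NamedTuple, Optional, Set, Tuple

# IOC as listed above (ThreatFox ioc/49472).
C2_IOCS: Set[Tuple[str, int]] = {("87.251.71.193", 80)}

# Constructed Zeek-style conn.log lines:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto
SAMPLE_CONN_LOG = """\
1621537514.101 CAbc1 10.0.0.12 51344 87.251.71.193 80 tcp
1621537520.220 CAbc2 10.0.0.12 51350 104.21.33.129 443 tcp
1621537522.000 CAbc3 10.0.0.33 55002 87.251.71.193 8080 tcp
this line is not a connection record
1621537530.500 CAbc4 10.0.0.12 51360 87.251.71.193 80 tcp
"""


class Hit(NamedTuple):
    line_no: int
    src: str
    dst: str
    dport: int
    exact: bool  # True when ip:port matched, False when only the IP did


def parse_conn_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (src, dst, dport) for a well-formed record, else None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        src = str(ipaddress.ip_address(fields[2]))
        dst = str(ipaddress.ip_address(fields[4]))
        dport = int(fields[5])
    except ValueError:
        return None
    return src, dst, dport


def scan_conn_log(lines: Iterable[str], iocs: Set[Tuple[str, int]] = C2_IOCS,
                  ip_only: bool = False) -> List[Hit]:
    """Flag connections to an IOC.

    Default: exact ip:port match. ip_only=True also flags other ports on the
    IOC host; use that for hunting, not for automated blocking, since it widens
    the match to whatever else is served from that address.
    """
    ioc_ips = {ip for ip, _ in iocs}
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        parsed = parse_conn_line(line)
        if parsed is None:
            continue  # malformed or non-record line: skip, do not crash
        src, dst, dport = parsed
        if (dst, dport) in iocs:
            hits.append(Hit(n, src, dst, dport, True))
        elif ip_only and dst in ioc_ips:
            hits.append(Hit(n, src, dst, dport, False))
    return hits


if __name__ == "__main__":
    for h in scan_conn_log(SAMPLE_CONN_LOG.splitlines(), ip_only=True):
        kind = "C2 ip:port" if h.exact else "C2 host, other port"
        print(f"line {h.line_no}: {h.src} -> {h.dst}:{h.dport} ({kind})")
```

The other addresses in the sandbox run further down (Cloudflare, Akamai, Microsoft and NameCheap ranges) are not listed as IOCs on this page; the vendor behaviour list itself notes "Legitimate hosting services abused for malware hosting/C2", so block them only after confirming what was served from them.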

Intelligence


File Origin
# of uploads: 2
# of downloads: 101
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Searching for the window
Creating a file
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending an HTTP GET request
Reading critical registry keys
Sending a custom TCP request
Launching a process
Running batch commands
Sending an HTTP POST request
Changing a file
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops executable to a common third party application directory
Drops PE files to the document folder of the user
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is protected by VMProtect
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior graph (ID 421666; sample vfjd7haojK.exe; start date 23/05/2021; architecture WINDOWS; score 100), rebuilt from the flattened graph export on this page. Only 87.251.71.193:80 is listed as a C2 IOC on this page; the other addresses below were contacted during the sandbox run and include CDN and cloud ranges that also carry legitimate traffic.

Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Antivirus detection for dropped file; 13 other signatures.

Process tree (dropped files, contacted hosts and per-process signatures as recorded):

vfjd7haojK.exe
  drops: C:\Program Files (x86)\...\lylal220.exe (PE32); C:\Program Files (x86)\...\jg7_7wjg.exe (PE32); C:\Program Files (x86)\...\hjjgaa.exe (PE32); 7 other files (6 malicious)
  starts: guihuali-game.exe, BarSetpFile.exe, LabPicV3.exe, 6 other processes
  guihuali-game.exe
    drops: C:\Users\user\AppData\Local\...\install.dll (PE32); C:\Users\user\AppData\...\adobe_caps.dll (PE32)
    starts: rundll32.exe, conhost.exe
    rundll32.exe
      signatures: Contains functionality to infect the boot sector; Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes; 5 other signatures
      injects into: svchost.exe (four instances)
      svchost.exe (injected)
        signatures: Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
        starts: svchost.exe
        svchost.exe
          network: 198.13.62.186 (AS-CHOOPAUS, United States)
          signatures: Query firmware table information (likely to detect VMs)
  BarSetpFile.exe
    network: 104.21.33.129 (CLOUDFLARENETUS, United States)
    drops: C:\Users\user\AppData\Roaming\8607023.exe (PE32); C:\Users\user\AppData\Roaming\5727631.exe (PE32); C:\Users\user\AppData\Roaming\2639417.exe (PE32)
    starts: 5727631.exe, 8607023.exe, 2639417.exe
    5727631.exe
      network: 172.67.188.69 (CLOUDFLARENETUS, United States)
      drops: 7 other files (none malicious)
      signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
    8607023.exe
      network: 104.21.81.186 (CLOUDFLARENETUS, United States)
      drops: 7 other files (none malicious)
    2639417.exe
      drops: C:\ProgramData\...\Windows Host.exe (PE32)
      signatures: Creates multiple autostart registry keys
      starts: Windows Host.exe
  LabPicV3.exe
    drops: C:\Users\user\AppData\Local\...\LabPicV3.tmp (PE32)
    starts: LabPicV3.tmp
    LabPicV3.tmp
      drops: C:\Users\user\AppData\Local\...\3316505.exe (PE32); 3 other files (none malicious)
      starts: 3316505.exe
      3316505.exe
        network: 198.54.126.101 (NAMECHEAP-NETUS, United States); 162.0.220.187 (ACPCA, Canada); 192.168.2.1 (unknown)
        drops: C:\Program Files (x86)\...\Vysushudaqy.exe (PE32); C:\...\Vysushudaqy.exe.config (XML); C:\Users\user\AppData\...behaviorgraphozhaehixorae.exe (PE32; name partly garbled in the graph export); 2 other files (none malicious)
        signatures: Detected unpacking (overwrites its own PE header); Creates multiple autostart registry keys
        starts: prolab.exe
        prolab.exe
          drops: C:\Users\user\AppData\Local\...\prolab.tmp (PE32)
          starts: prolab.tmp
          prolab.tmp
            drops: C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\...\is-RGMGE.tmp (PE32); 8 other files (none malicious)
  6 other processes
    network: 101.36.107.74 (UHGL-AS-APUCloudHKHoldingsGroupLimitedHK, China); 208.95.112.1 (TUT-ASUS, United States); 7 other IPs or domains
    drops: C:\Users\user\Documents\...\jg7_7wjg.exe (PE32); C:\Users\user\AppData\...\jfiag3g_gg.exe (PE32); C:\Users\user\AppData\Local\...\lylal220.tmp (PE32)
    signatures: Tries to harvest and steal browser information (history, passwords, etc); Sample uses process hollowing technique; Injects a PE file into a foreign process
    starts: lylal220.tmp, jfiag3g_gg.exe, 5 other processes
    lylal220.tmp
      network: 199.188.201.83 (NAMECHEAP-NETUS, United States)
      drops: C:\Users\user\AppData\Local\...\4_177039.exe (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      starts: 4_177039.exe
      4_177039.exe
        network: 2.20.142.209 (AKAMAI-ASN1EU, European Union); 162.0.210.44 (ACPCA, Canada)
        drops: C:\Program Files (x86)\...\Jyhobybijo.exe (PE32); C:\...\Jyhobybijo.exe.config (XML); C:\Users\user\AppData\...\Vecaeridaki.exe (PE32); 2 other files (none malicious)
        signatures: Drops executable to a common third party application directory
    jfiag3g_gg.exe
      signatures: Tries to harvest and steal browser information (history, passwords, etc)
    5 other processes
      network: 40.88.32.150 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
Result
Threat name: Win32.Trojan.RanumBot
Status: Malicious
First seen: 2021-05-19 19:43:32 UTC
AV detection: 27 of 46 (58.70%)
Threat level: 5/5

Result
Score: 10/10
Tags: family:dcrat family:plugx family:redline family:vidar botnet:bbs1 discovery evasion infostealer persistence rat spyware stealer trojan upx vmprotect
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Program crash
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
DcRat
PlugX
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
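Several of the behaviours above (Adds Run key to start application, Creates multiple autostart registry keys, Executes dropped EXE from AppData or ProgramData) show up in endpoint telemetry as registry value writes. The Python below is an added example, not the vendor's or MalwareBazaar's code: it applies that logic to constructed events shaped after Sysmon Event ID 13 (RegistryEvent, SetValue), flagging any Run-family value that points into a user-writable directory and any single process that sets two or more distinct autostart keys. The event contents, PIDs and paths are constructed; the key list is the standard Run/RunOnce/RunServices family, which the page itself does not name.

```python
"""Flag autostart-key persistence in Sysmon-style registry events.

Added example, not vendor or MalwareBazaar code. Events below are constructed
after Sysmon Event ID 13 (RegistryEvent: SetValue); the file names echo the
dropped files seen in the sandbox run but the full paths are made up.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Standard autostart value locations (assumed; the page does not name the keys).
AUTOSTART_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(RunServicesOnce|RunServices|RunOnce|Run)\\",
    re.IGNORECASE,
)
# Directories a standard user can write to. Persistence pointing here is far
# more suspicious than a Program Files path set by an installer.
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.IGNORECASE)

SYSMON_EVENTS: List[Dict] = [  # constructed
    {"EventID": 13, "ProcessId": 4120, "Image": r"C:\Users\user\AppData\Roaming\2639417.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host",
     "Details": r"C:\ProgramData\Windows Host.exe"},
    {"EventID": 13, "ProcessId": 4120, "Image": r"C:\Users\user\AppData\Roaming\2639417.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Host",
     "Details": r"C:\ProgramData\Windows Host.exe"},
    {"EventID": 12, "ProcessId": 4120, "Image": r"C:\Users\user\AppData\Roaming\2639417.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run",
     "Details": ""},  # key create, not a value set: ignored
    {"EventID": 13, "ProcessId": 980, "Image": r"C:\Program Files\Vendor\Updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\Updater.exe"},  # installer-style: one key, not user-writable
    {"EventID": 13, "ProcessId": 5500, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup",
     "Details": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"},  # not a Run-family value
]


def analyze_registry_events(events: Iterable[Dict], min_keys: int = 2) -> List[Dict]:
    """Return findings in event order, then one 'multiple_autostart_keys'
    finding per process that set min_keys or more distinct autostart keys."""
    findings: List[Dict] = []
    keys_by_proc: Dict[Tuple, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 13:
            continue  # only value writes carry the autostart target
        target = ev.get("TargetObject", "")
        if not AUTOSTART_KEY_RE.search(target):
            continue
        proc = (ev.get("ProcessId"), ev.get("Image", ""))
        keys_by_proc[proc].add(target)
        details = ev.get("Details", "")
        if USER_WRITABLE_RE.search(details):
            findings.append({"type": "autostart_to_user_writable_path", "pid": proc[0],
                             "image": proc[1], "key": target, "value": details})
    for (pid, image), keys in keys_by_proc.items():
        if len(keys) >= min_keys:
            findings.append({"type": "multiple_autostart_keys", "pid": pid,
                             "image": image, "count": len(keys)})
    return findings


if __name__ == "__main__":
    for finding in analyze_registry_events(SYSMON_EVENTS):
        print(finding)
```

Tune min_keys and the directory list to the estate: legitimate installers commonly write one Run value pointing at Program Files, which this logic deliberately leaves alone, while a stealer dropper writing the same value into two keys from an AppData binary produces three findings on the constructed data.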
Malware Config
C2 Extraction: 87.251.71.193:80

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they create. Only results from TLP:CLEAR rules are displayed. Because process dumps are scanned too, a rule hit can come from a component dropped or injected during execution rather than from the submitted file itself, so treat rule names as leads rather than as attribution.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name: MALWARE_Win_HyperPro03
Author: ditekSHen
Description: Hunt HyperPro IronTiger / LuckyMouse / APT27 malware

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: win_vidar_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com
