MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb2b82c14b81523edd762536c3dcd308624821dd6840e8cabdf94327d55fcbf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 12



SHA256 hash: eb2b82c14b81523edd762536c3dcd308624821dd6840e8cabdf94327d55fcbf9
SHA3-384 hash: f2cb6b2cf3d398f9b2933bb6fbbb08764b30ea92e98dca9486ec6dc6961601f628925862a731d79d86099473ad044948
SHA1 hash: 99bf0c70f44e7b795b4bd2349dd6d575080cbda9
MD5 hash: 50d41b7f128197f4c5fbaa59bae98c66
humanhash: charlie-london-tennis-neptune
File name: 50d41b7f128197f4c5fbaa59bae98c66.exe
Signature: ArkeiStealer
File size: 8'311'197 bytes
First seen: 2021-03-29 21:30:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep: 196608:itJ+7MBr0wCCoxY85JzuXG03mB0ocqskbaiziecOpwnO:q+7MmdB5JzSwB02RbaAlcE
TLSH: D686338A756940F2E524293D064AD3F2B036BB0C063DA55FB7FE4E7F842375D28152AB
Reporter: abuse_ch
Tags: ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
http://static.parafia-strumiany.pl/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://static.parafia-strumiany.pl/
ThreatFox reference: https://threatfox.abuse.ch/ioc/5909/

Intelligence


File Origin
# of uploads: 1
# of downloads: 139
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://b4ad7b79-534a-4e83-953e-c36da8cf27d9.s3.amazonaws.com/WW/Setup.exe
Verdict:
Malicious activity
Analysis date:
2021-03-28 16:37:09 UTC
Tags:
installer evasion trojan stealer vidar loader adware

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Searching for the window
Creating a file in the Windows subdirectories
DNS request
Sending a custom TCP request
Reading critical registry keys
Sending an HTTP GET request
Launching a process
Sending a UDP request
Enabling the 'hidden' option for recently created files
Connecting to a non-recommended domain
Sending an HTTP POST request
Moving a file to the Program Files subdirectory
Connection attempt
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a single autorun event
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Socelars Vidar
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph image omitted; Behavior Graph ID: 377791, Sample: hfGKHMTTDR.exe, Startdate: 29/03/2021, Architecture: WINDOWS, Score: 100]
Threat name:
Win32.Trojan.Fabookie
Status:
Malicious
First seen:
2021-03-28 19:01:00 UTC
AV detection:
25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags:
family:redline family:vidar discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
RedLine
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria
Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers.
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time.
Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo
Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del
Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo
Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria
Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name: win_vidar_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator
Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ArkeiStealer
File type: Executable exe
SHA256 hash: eb2b82c14b81523edd762536c3dcd308624821dd6840e8cabdf94327d55fcbf9 (this sample)
Distributed via web download

Comments