MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecf100d294f5b6b63ebc4e1430f6a07b07e3899b0c447a536d7c53c51d711549. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecf100d294f5b6b63ebc4e1430f6a07b07e3899b0c447a536d7c53c51d711549
SHA3-384 hash: b9f75a11182ce425f0a3c9d2fd5d6d347542586a641ea8f99a287511e2254fe5eded46cd3e0e3c5d76186fed8cf5f517
SHA1 hash: fab833416df470be0208d6c81142cfc1ceedfba8
MD5 hash: 78fec74ab13d666b840ddd6d1ed8153b
humanhash: pennsylvania-sierra-nebraska-quiet
File name:78fec74ab13d666b840ddd6d1ed8153b.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:3'365'867 bytes
First seen:2021-04-18 13:01:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:Ubvx7gl6aeKrgZGJDpWWw6UX1Qqw2kvpDa:U1paeKrgZ0/B975a
Threatray 727 similar samples on MalwareBazaar
TLSH 51F53321BAC694B5E1720E321A7AE324A53C7C211F188FDF73E4655E59311C2EA31B7B
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
78fec74ab13d666b840ddd6d1ed8153b.exe
Verdict:
Malicious activity
Analysis date:
2021-04-18 13:06:04 UTC
Tags:
evasion trojan stealer vidar loader rat redline phishing
Link:
https://app.any.run/tasks/4c07aa46-b067-4ec5-b8e3-eb2ef2be078d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/137718/
Detection(s):
Win.Packed.Bulz-9840169-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file
Creating a file in the Program Files directory
Launching a process
Creating a file in the %temp% directory
Sending a UDP request
DNS request
Sending a custom TCP request
Reading critical registry keys
Deleting a recently created file
Sending an HTTP GET request
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Enabling the 'hidden' option for recently created files
Changing a file
Using the Windows Management Instrumentation requests
Modifying a system file
Creating a file in the %AppData% subdirectories
Replacing files
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cyberduck Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/684986
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Cyberduck
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 391441 Sample: gSyJqxW85g.exe Startdate: 18/04/2021 Architecture: WINDOWS Score: 100 101 198.98.55.103 PONYNETUS United States 2->101 103 104.17.62.50 CLOUDFLARENETUS United States 2->103 105 2 other IPs or domains 2->105 123 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->123 125 Antivirus detection for dropped file 2->125 127 Multi AV Scanner detection for dropped file 2->127 129 7 other signatures 2->129 10 gSyJqxW85g.exe 1 13 2->10         started        13 iexplore.exe 2->13         started        signatures3 process4 file5 75 C:\Users\user\Desktop\pub2.exe, PE32 10->75 dropped 77 C:\Users\user\Desktop\jg4_4jaa.exe, PE32 10->77 dropped 79 C:\Users\user\Desktop\agdsk.exe, PE32 10->79 dropped 81 4 other files (1 malicious) 10->81 dropped 15 wf-game.exe 3 10->15         started        18 KRSetp.exe 15 9 10->18         started        22 pub2.exe 10->22         started        26 4 other processes 10->26 24 iexplore.exe 13->24         started        process6 dnsIp7 83 C:\Program Files\patch.dll, PE32 15->83 dropped 28 rundll32.exe 3 15->28         started        107 104.21.9.70 CLOUDFLARENETUS United States 18->107 85 C:\ProgramData\8630072.exe, PE32 18->85 dropped 87 C:\ProgramData\8433845.exe, PE32 18->87 dropped 99 3 other malicious files 18->99 dropped 131 Detected unpacking (changes PE section rights) 18->131 133 Detected unpacking (overwrites its own PE header) 18->133 31 5863342.exe 18->31         started        35 8433845.exe 18->35         started        89 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 22->89 dropped 135 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 22->135 137 Renames NTDLL to bypass HIPS 22->137 139 Maps a DLL or memory area into another process 22->139 145 2 other signatures 22->145 37 explorer.exe 22->37 injected 109 101.36.107.74, 49698, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 26->109 111 ip-api.com 208.95.112.1, 49704, 80 TUT-ASUS United States 26->111 113 4 other IPs or domains 26->113 91 C:\Users\user\Documents\...\jg4_4jaa.exe, PE32 26->91 dropped 93 C:\Users\user\AppData\Local\Temp\haleng.exe, PE32 26->93 dropped 95 C:\Users\user\AppData\Local\Temp\...\File.exe, PE32 26->95 dropped 97 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 26->97 dropped 141 Drops PE files to the document folder of the user 26->141 143 Tries to harvest and steal browser information (history, passwords, etc) 26->143 39 File.exe 26->39         started        41 WerFault.exe 26->41         started        43 jfiag3g_gg.exe 26->43         started        45 jfiag3g_gg.exe 26->45         started        file8 signatures9 process10 dnsIp11 151 Contains functionality to infect the boot sector 28->151 153 Contains functionality to inject threads in other processes 28->153 155 Contains functionality to inject code into remote processes 28->155 169 5 other signatures 28->169 47 svchost.exe 28->47 injected 50 svchost.exe 28->50 injected 52 svchost.exe 28->52 injected 54 svchost.exe 28->54 injected 119 172.67.197.12 CLOUDFLARENETUS United States 31->119 61 C:\ProgramData\44\vcruntime140.dll, PE32 31->61 dropped 63 C:\ProgramData\44\sqlite3.dll, PE32 31->63 dropped 65 C:\ProgramData\44\softokn3.dll, PE32 31->65 dropped 69 4 other files (none is malicious) 31->69 dropped 157 Antivirus detection for dropped file 31->157 159 Detected unpacking (changes PE section rights) 31->159 161 Detected unpacking (overwrites its own PE header) 31->161 171 2 other signatures 31->171 67 C:\ProgramData\...\Windows Host.exe, PE32 35->67 dropped 163 Machine Learning detection for dropped file 35->163 165 Sample uses process hollowing technique 39->165 167 Injects a PE file into a foreign processes 39->167 121 192.168.2.1 unknown unknown 41->121 file12 signatures13 process14 signatures15 173 System process connects to network (likely due to code injection or exploit) 47->173 175 Contains functionality to inject threads in other processes 47->175 177 Sets debug register (to hijack the execution of another thread) 47->177 179 3 other signatures 47->179 56 svchost.exe 47->56         started        process16 dnsIp17 115 facebook.websmails.com 167.179.89.78 AS-CHOOPAUS United States 56->115 117 104.18.8.171 CLOUDFLARENETUS United States 56->117 71 C:\Users\user\AppData\...\Login Data.tmp, SQLite 56->71 dropped 73 C:\Users\user\AppData\Local\...\Cookies.tmp, SQLite 56->73 dropped 147 Query firmware table information (likely to detect VMs) 56->147 149 Tries to harvest and steal browser information (history, passwords, etc) 56->149 file18 signatures19
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ecf100d294f5b6b63ebc4e1430f6a07b07e3899b0c447a536d7c53c51d711549/
Gathering data
Verdict:
malicious
Similar samples:
1dc057c9c8e23f10e6cb6cd957a412a06c78d24dbdeb93d6d4ac83b5d0c835e1
ArkeiStealer
3535884c0c8041b6f9e27e7e0cf4fbac9abb5f0ca89d793d29d3ffe01e677081
ArkeiStealer
4139739d5bfa8330e095a68c658040fb42c75cde651e3baa8afafb4fc557b202
ArkeiStealer
5114da99edb9632526115354fe8f2a052c84c5da406a923799539fc92df4c9c0
ArkeiStealer
51e48b45ee8d8d7ed18971b8f904f45e8b19b588f9291587f8933bcd8b5d1105
ArkeiStealer
8b6be03e0a14f193dd33c6dfdc1a1c27d3d59044ea246b3a12eb4a7d790dd4ed
ArkeiStealer
9f34d20254c87d8f9c732df75eb5b707c41fd6cd5153f5e4733a0126ed304f0d
ArkeiStealer
b11bd18587058601cde1be46ec722f2ddc96fddd976f3a263e4d0358e8e08865
ArkeiStealer
bc5e3b9e7638a68bbb36387281fedc1bedb12d67575b9242a47c0bf0c8f3c265
ArkeiStealer
ea077019bc7eed24cd45cf0e7b78d8a90ee8a7b8e6a7c7e994d1f62954d00c39
ArkeiStealer
+ 717 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:vidar botnet:16992cd33145ccbb6feeacb4e84400a56448fa14 agilenet backdoor bootkit discovery evasion infostealer persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/210418-6ftk872vys/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Obfuscated with Agile.Net obfuscator
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
Raccoon
RedLine
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://perseus007.xyz/upload/
http://lambos1.xyz/upload/
http://cipluks.com/upload/
http://ragnar77.com/upload/
http://aslauk.com/upload/
http://qunersoo.xyz/upload /
http://hostunes.info/upload/
http://leonisdas.xyz/upload/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/137718/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-18 14:11:37 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0029.002] Cryptography Micro-objective::SHA1::Cryptographic Hash
1) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
2) [C0031.001] Cryptography Micro-objective::AES::Decrypt Data
3) [C0032.001] Data Micro-objective::CRC32::Checksum
4) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash
6) [F0004.007] Defense Evasion::Bypass Windows File Protection
8) [C0046] File System Micro-objective::Create Directory
9) [C0048] File System Micro-objective::Delete Directory
10) [C0047] File System Micro-objective::Delete File
11) [C0049] File System Micro-objective::Get File Attributes
12) [C0051] File System Micro-objective::Read File
13) [C0050] File System Micro-objective::Set File Attributes
14) [C0052] File System Micro-objective::Writes File
15) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
16) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
17) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
18) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
19) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
20) [C0040] Process Micro-objective::Allocate Thread Local Storage
21) [C0017] Process Micro-objective::Create Process
22) [C0038] Process Micro-objective::Create Thread
23) [C0041] Process Micro-objective::Set Thread Local Storage Value
24) [C0018] Process Micro-objective::Terminate Process