MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed76472a36f6d2b36c13b4ae7735c0ac51c20ca5e3f91220eb7e996b5279f038. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	ed76472a36f6d2b36c13b4ae7735c0ac51c20ca5e3f91220eb7e996b5279f038
SHA3-384 hash:	bf3b14cfb89cef803c04cce71ac88f7a6fce90267069d3d42e86e36bbbcc3ad969521c021b6e69ecdf0b303aaa377b48
SHA1 hash:	01fd25c5fddc01230271b555979e7c7130fd5135
MD5 hash:	6d06af3e75fd04b8f5724e888a7986ae
humanhash:	grey-football-batman-mars
File name:	6d06af3e75fd04b8f5724e888a7986ae.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	282'112 bytes
First seen:	2021-08-19 08:45:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	62fa754aafe9b531ba4be35dd30caae7 (5 x Amadey, 4 x Smoke Loader, 3 x RaccoonStealer)
ssdeep	6144:f0CpJwwQvitqNIp2SEem/SoYKy7aW6K0RM3c:Nmw8FNIBEemKAMajV5
Threatray	1'097 similar samples on MalwareBazaar
TLSH	T1C9548E10B691C035E0A613F458B983B8A72DBDB16B2450DF62D63BEE67386D49D3037B
dhash icon	ead8ac9cc6e68ea0 (38 x RaccoonStealer, 18 x RedLineStealer, 12 x Smoke Loader)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6d06af3e75fd04b8f5724e888a7986ae.exe

Verdict:

No threats detected

Analysis date:

2021-08-19 08:48:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/acb75817-f54c-4a13-b9cc-7eb3ef512ac6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/180605/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader41.16114.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Sending a UDP request

Connection attempt

Sending an HTTP POST request

Deleting of the original file

Enabling autorun by creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/027fe414-da16-4660-9897-9127608135e9

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/835644

Signature

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ed76472a36f6d2b36c13b4ae7735c0ac51c20ca5e3f91220eb7e996b5279f038/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-08-19 08:38:33 UTC

AV detection:

19 of 46 (41.30%)

Threat level:

5/5

Verdict:

suspicious

ArkeiStealer

2ec6c6341ff83005a6515d942976d2092549312d419a29e59d0efb15d65749bf

ArkeiStealer

302945194f1ff6faa74375b03943a4474a1ba9baa33edb3264b83254acb0028a

ArkeiStealer

41ce43aa875bf977ec9eb039e5853ade1af522dd0dff4f19282f6c8038ae2dff

ArkeiStealer

4adfdb564682cb936b002c4740e589a698097618d04984287e67fcbcfa48a8bf

ArkeiStealer

5849cb66f97165b80e0ea4d049558bea07d1e98ebb820fe74ff450ee8acdbcd2

ArkeiStealer

82ea4b92bba11579425b53d383d10664eb0cea0d8ae307c81024d57d07b921b7

ArkeiStealer

cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1

ArkeiStealer

+ 1'087 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:smokeloader family:vidar botnet:517 backdoor discovery persistence stealer suricata trojan

Link:

https://tria.ge/reports/210819-n3a5k7fzp2/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Deletes itself

Loads dropped DLL

Modifies file permissions

Downloads MZ/PE file

Executes dropped EXE

Vidar Stealer

SmokeLoader

Vidar

suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

Malware Config

C2 Extraction:

http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
https://lenak513.tumblr.com/

Unpacked files

SH256 hash:

18cd8e90fcd46329480f24d43baa489683b3ee2fcd274bf1714947ef307a6ab2

MD5 hash:

f2fecf6872ad4c61a3a506159fddd4fc

SHA1 hash:

28e039eb96dcf58841992280c66433a2bbab8e84

Link:

https://www.unpac.me/results/1fc7d10f-cca0-413a-9a3c-b1747c676de7/

SH256 hash:

ed76472a36f6d2b36c13b4ae7735c0ac51c20ca5e3f91220eb7e996b5279f038

MD5 hash:

6d06af3e75fd04b8f5724e888a7986ae

SHA1 hash:

01fd25c5fddc01230271b555979e7c7130fd5135

Link:

https://www.unpac.me/results/1fc7d10f-cca0-413a-9a3c-b1747c676de7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ed76472a36f6d2b36c13b4ae7735c0ac51c20ca5e3f91220eb7e996b5279f038

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe ed76472a36f6d2b36c13b4ae7735c0ac51c20ca5e3f91220eb7e996b5279f038

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1533747/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/180605/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample