MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eecea563147d007bc88b5baa2294e2a814c88975f82778454fb2a515dba401be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eecea563147d007bc88b5baa2294e2a814c88975f82778454fb2a515dba401be
SHA3-384 hash: 49da481e065e9936acd4a868c4865e5830cef37aa2204a4bae3298683fff5e7bc61d333ca2bf2e56f518dfc2dbbfd5e7
SHA1 hash: 8cd71270d8dabbf02c9169719229abf68a286fce
MD5 hash: 7c60906a6b21fbbe1e8134b9f3a59418
humanhash: white-foxtrot-seven-mississippi
File name:7c60906a6b21fbbe1e8134b9f3a59418.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:350'208 bytes
First seen:2021-10-29 18:35:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b4e1899733b7c624a2bcad81ab4ebcf1 (10 x RaccoonStealer, 2 x Smoke Loader, 1 x ArkeiStealer)
ssdeep 6144:lYJUBXU3jSV/xW7JCAYtEleu902c2C0BfBQhb8:l+UBXUOV5W7gAYtElj902rlBQh
Threatray 2'342 similar samples on MalwareBazaar
TLSH T132749D10A6A1C434F1F212F849B6A369B93F7AA16B3494CF53D516EE4B786E0EC31317
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter abuse_ch
Tags:ArkeiStealer exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7c60906a6b21fbbe1e8134b9f3a59418.exe
Verdict:
No threats detected
Analysis date:
2021-10-29 19:31:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8fa9f7c3-4771-4f80-a3bd-c6669b9ae798

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.27942.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/152964e3-b949-408b-9a6e-54ecc12b28cf
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879576
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 512013 Sample: 5UYEUhuraV.exe Startdate: 29/10/2021 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for domain / URL 2->45 47 Found malware configuration 2->47 49 Antivirus detection for URL or domain 2->49 51 7 other signatures 2->51 7 5UYEUhuraV.exe 2->7         started        10 dachdhr 2->10         started        process3 signatures4 67 Detected unpacking (changes PE section rights) 7->67 69 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->69 71 Maps a DLL or memory area into another process 7->71 73 Creates a thread in another existing process (thread injection) 7->73 12 explorer.exe 6 7->12 injected 75 Multi AV Scanner detection for dropped file 10->75 77 Machine Learning detection for dropped file 10->77 79 Checks if the current machine is a virtual machine (disk enumeration) 10->79 process5 dnsIp6 39 brandyjaggers.com 197.44.54.172, 49751, 80 TE-ASTE-ASEG Egypt 12->39 41 nutriescapa.com 194.40.243.133, 49814, 80 NTSERVICE-ASUA Netherlands 12->41 43 7 other IPs or domains 12->43 27 C:\Users\user\AppData\Roaming\dachdhr, PE32 12->27 dropped 29 C:\Users\user\AppData\Local\Temp\F1DE.exe, PE32 12->29 dropped 31 C:\Users\user\AppData\Local\TempDF4.exe, PE32 12->31 dropped 33 2 other malicious files 12->33 dropped 81 System process connects to network (likely due to code injection or exploit) 12->81 83 Benign windows process drops PE files 12->83 85 Deletes itself after installation 12->85 87 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->87 17 EDF4.exe 5 12->17         started        21 F1DE.exe 12->21         started        23 C1D4.exe 2 12->23         started        25 svchost.exe 12->25         started        file7 signatures8 process9 dnsIp10 35 193.150.103.37, 29118, 49785 ASGENERALTELRU Russian Federation 17->35 53 Detected unpacking (changes PE section rights) 17->53 55 Detected unpacking (overwrites its own PE header) 17->55 57 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->57 65 2 other signatures 17->65 59 Multi AV Scanner detection for dropped file 21->59 61 Machine Learning detection for dropped file 21->61 37 185.215.113.29, 36224, 49839 WHOLESALECONNECTIONSNL Portugal 23->37 63 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 23->63 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eecea563147d007bc88b5baa2294e2a814c88975f82778454fb2a515dba401be/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-29 08:40:26 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0c4a2dc11b12ad8545e5397eff8bcde53238c2283905e7b49610f9cafa779800
ArkeiStealer
14279e34ce19812a529d3f1cea16e54d57a40322ba34b63a85784d4fc5672992
ArkeiStealer
378f7ddd4c6c6d9203f02fb422b5c156e5b541883c7a312133e4b0bfea21d64b
ArkeiStealer
605e57c5643a2292002481fee5fe3b7ba0243fc8e3ed6d423c814554cf6b4bba
ArkeiStealer
9efdd1358f8d37219f5a6b36ef82d03fa5612c5e54c72cd1507c7c2bcf71e2af
ArkeiStealer
dd3b7c750d4debae8a008400189657be324b956b23bcc781392b3b8548fe9ef8
ArkeiStealer
df2cda7268742a64ff9f639ea838b375b3a0d12bcf01afec13bccafb8abdefe1
ArkeiStealer
fd6dda6084f091726f7c0da3d319efa22e2f973a0aed1021725c304a9371ea8b
ArkeiStealer
+ 2'332 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:redline family:smokeloader family:vidar botnet:517 botnet:paladin botnet:sewpal backdoor bootkit discovery infostealer persistence ransomware spyware stealer suricata trojan
Link:
https://tria.ge/reports/211029-w8w3laaeel/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
193.150.103.37:29118
185.215.113.29:36224
https://mas.to/@xeroxxx
http://rlrz.org/fhsgtsspen6
Unpacked files
SH256 hash:
f9b4b2e506fe88e1cd921a71c130a7e097bfb2dd1cfcec768b375c70ee6b800c
MD5 hash:
986d781d5e3181045ce6586b2b0af221
SHA1 hash:
8e21f86221892e43c95adfe05f385135fbf6886f
Link:
https://www.unpac.me/results/464c80c2-a866-48bd-ae22-6c59cf2342ed/
SH256 hash:
eecea563147d007bc88b5baa2294e2a814c88975f82778454fb2a515dba401be
MD5 hash:
7c60906a6b21fbbe1e8134b9f3a59418
SHA1 hash:
8cd71270d8dabbf02c9169719229abf68a286fce
Link:
https://www.unpac.me/results/464c80c2-a866-48bd-ae22-6c59cf2342ed/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/eecea563147d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eecea563147d007bc88b5baa2294e2a814c88975f82778454fb2a515dba401be

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe eecea563147d007bc88b5baa2294e2a814c88975f82778454fb2a515dba401be

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1724609/
  
Delivery method
Distributed via web download

Comments