MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f91c7c2e15b7343d97bc5c3961f43ebd659440102a4a9c3359d7a9e6e0aef9d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 10 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f91c7c2e15b7343d97bc5c3961f43ebd659440102a4a9c3359d7a9e6e0aef9d3
SHA3-384 hash: b3789cdbdeb0071954ad045ca10c447961a4077d58dedb13dec3fa80b0d7adb55915e2334b2be0ab7377fe25193b3cf6
SHA1 hash: 6702db2931b8b706f5c6e9e69bc8b744093fea02
MD5 hash: 01fee65d7f349e61aacc246c73214668
humanhash: burger-hamper-jupiter-orange
File name:01fee65d7f349e61aacc246c73214668.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:20'004'165 bytes
First seen:2021-05-22 18:00:19 UTC
Last seen:2021-05-22 19:03:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 393216:Mt78Fqt1p8J7WgjuYckA1xSbDfHjh36COaplQVIqJZO1d:MyEe7Ws9U1xSnrh36Clplu/O1d
Threatray 918 similar samples on MalwareBazaar
TLSH A1173362973D42B1D29341714CC6C222F9B93F51A938A84D9EE5EE09DB3307B4B9D09F
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
195.93.173.160:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
195.93.173.160:80 https://threatfox.abuse.ch/ioc/57164/

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
01fee65d7f349e61aacc246c73214668.exe
Verdict:
No threats detected
Analysis date:
2021-05-22 18:27:16 UTC
Tags:
installer
Link:
https://app.any.run/tasks/37f7256d-2a55-408f-adb0-4ba2f0e1b94f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Generic-9849070-0
Create hunting rule

SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Sending a UDP request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Launching a process
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine Vidar Xmrig
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/788800
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
DNS related to crypt mining pools
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Chrome's extension installation force list
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Uses ipconfig to lookup or modify the Windows network settings
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 421196 Sample: Lma2EzVvAK.exe Startdate: 22/05/2021 Architecture: WINDOWS Score: 100 139 lllwyerxedo.xyz 2->139 141 iphonemoney.xyz 2->141 143 4 other IPs or domains 2->143 185 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->185 187 Multi AV Scanner detection for domain / URL 2->187 189 Found malware configuration 2->189 191 18 other signatures 2->191 10 Lma2EzVvAK.exe 16 17 2->10         started        13 svchost.exe 1 2->13         started        signatures3 process4 file5 119 C:\Program Files (x86)\VR\...\vlcplayer.exe, PE32+ 10->119 dropped 121 C:\Program Files (x86)\VR\...\Versium.exe, PE32 10->121 dropped 123 C:\Program Files (x86)\VR\...\Updater.exe, PE32 10->123 dropped 125 5 other files (4 malicious) 10->125 dropped 15 Setup_Win32.exe 4 49 10->15         started        20 Versium.exe 10->20         started        22 RunWW.exe 90 10->22         started        24 4 other processes 10->24 process6 dnsIp7 161 apps.extensionmedia.net 172.67.220.121, 443, 49747 CLOUDFLARENETUS United States 15->161 163 apps.extensionoutlet.net 172.67.214.129, 443, 49744, 49760 CLOUDFLARENETUS United States 15->163 75 C:\Users\user\AppData\Local\...\version.dll, PE32 15->75 dropped 77 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 15->77 dropped 87 4 other files (none is malicious) 15->87 dropped 175 Modifies Chrome's extension installation force list 15->175 26 cmd.exe 15->26         started        28 cmd.exe 15->28         started        30 cmd.exe 15->30         started        43 2 other processes 15->43 79 C:\Users\user\AppData\Local\...\Versium.tmp, PE32 20->79 dropped 33 Versium.tmp 20->33         started        165 195.201.94.135, 49734, 49812, 80 HETZNER-ASDE Germany 22->165 167 api.faceit.com 104.17.63.50, 443, 49733 CLOUDFLARENETUS United States 22->167 89 12 other files (none is malicious) 22->89 dropped 177 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->177 179 Tries to steal Instant Messenger accounts or passwords 22->179 181 Tries to harvest and steal browser information (history, passwords, etc) 22->181 183 2 other signatures 22->183 37 cmd.exe 22->37         started        169 geeto.space 23.108.57.115, 49802, 80 LEASEWEB-USA-MIA-11US United States 24->169 171 youtubdonwloader4k.xyz 185.180.198.250, 49746, 80 HOSTING-SOLUTIONSUS Netherlands 24->171 173 6 other IPs or domains 24->173 81 C:\Users\user\AppData\Local\...\Second.tmp, PE32 24->81 dropped 83 C:\Users\user\AppData\Local\...\Services.exe, PE32+ 24->83 dropped 85 C:\Users\user\AppData\Roaming\8076211.exe, PE32 24->85 dropped 91 7 other files (none is malicious) 24->91 dropped 39 Second.tmp 3 14 24->39         started        41 Services.exe 24->41         started        file8 signatures9 process10 dnsIp11 45 WMIC.exe 26->45         started        48 conhost.exe 26->48         started        50 chrome.exe 28->50         started        54 conhost.exe 28->54         started        221 Uses ipconfig to lookup or modify the Windows network settings 30->221 60 2 other processes 30->60 127 104.26.2.60, 443, 49741 CLOUDFLARENETUS United States 33->127 129 s3-r-w.us-east-2.amazonaws.com 52.219.100.0, 49742, 80 AMAZON-02US United States 33->129 135 2 other IPs or domains 33->135 93 C:\Users\user\AppData\Local\...\Setup.exe, PE32 33->93 dropped 95 C:\Users\user\AppData\...\itdownload.dll, PE32 33->95 dropped 97 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 33->97 dropped 99 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 33->99 dropped 56 Setup.exe 33->56         started        62 3 other processes 37->62 131 download-serv-314432.xyz 172.67.153.118, 49727, 49728, 80 CLOUDFLARENETUS United States 39->131 133 googlehosted.l.googleusercontent.com 172.217.20.1, 443, 49731, 49735 GOOGLEUS United States 39->133 137 3 other IPs or domains 39->137 101 C:\Users\user\AppData\Local\...\Setup.exe, PE32 39->101 dropped 103 C:\Users\user\AppData\...\itdownload.dll, PE32 39->103 dropped 105 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 39->105 dropped 107 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 39->107 dropped 223 Performs DNS queries to domains with low reputation 39->223 58 Setup.exe 39->58         started        109 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 41->109 dropped 64 4 other processes 43->64 file12 signatures13 process14 dnsIp15 201 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 45->201 203 DLL side loading technique detected 45->203 205 Queries memory information (via WMI often done to detect virtual machines) 45->205 66 conhost.exe 48->66         started        145 192.168.2.1 unknown unknown 50->145 147 239.255.255.250 unknown Reserved 50->147 111 C:\Users\user\AppData\Local\...\History, SQLite 50->111 dropped 68 chrome.exe 50->68         started        149 jk.magicnow24.ru 217.107.34.191, 443, 49748 RTCOMM-ASRU Russian Federation 56->149 207 Writes to foreign memory regions 56->207 209 Allocates memory in foreign processes 56->209 211 Sample uses process hollowing technique 56->211 213 Injects a PE file into a foreign processes 56->213 72 AddInProcess32.exe 56->72         started        151 news-systems.xyz 172.67.145.48, 443, 49749, 49786 CLOUDFLARENETUS United States 58->151 153 iplogger.org 88.99.66.31, 443, 49752, 49753 HETZNER-ASDE Germany 58->153 113 C:\Users\user\AppData\Roaming\6302523.exe, PE32 58->113 dropped 115 C:\Users\user\AppData\Roaming\2045752.exe, PE32 58->115 dropped 215 Detected unpacking (changes PE section rights) 58->215 217 Detected unpacking (overwrites its own PE header) 58->217 219 Performs DNS queries to domains with low reputation 58->219 file16 signatures17 process18 dnsIp19 155 api.tabexplorer.net 172.67.189.34, 443, 49774 CLOUDFLARENETUS United States 68->155 157 googlehosted.l.googleusercontent.com 68->157 159 3 other IPs or domains 68->159 117 C:\Users\user\AppData\Local\...\Cookies, SQLite 68->117 dropped 193 Tries to harvest and steal browser information (history, passwords, etc) 72->193 195 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 72->195 197 DLL side loading technique detected 72->197 199 Tries to steal Crypto Currency Wallets 72->199 file20 signatures21
Gathering data
Threat name:
Win32.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-05-22 03:08:49 UTC
AV detection:
23 of 47 (48.94%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7eohylqvw42d3f54lq4wd5b6xvsziqaqfjfjym2z26u6nyfo7hjq._file
Verdict:
malicious
Similar samples:
04db0b6b37fcd16563eaeb06996b2ab0c676f53cb1445d9b40eb46fa2c38c641
ArkeiStealer
2c44f7515715ebafdc7bb8cf40adf36adce1e1bf7fd2555d56427a6d73a850d8
ArkeiStealer
4139739d5bfa8330e095a68c658040fb42c75cde651e3baa8afafb4fc557b202
ArkeiStealer
5940fd97a28d3ee232155231fe70af70be462aa144d0b625470fe46a01a3bd1b
ArkeiStealer
6e8a0a30744ed0130a2b32997e03ba5c07339ddf22e76c7ca64882d5d3f8cc4f
ArkeiStealer
87bce52ffa3eaa55981a2dd9af96ce156249a9bfcfd9b3930252cdeff9e8633d
ArkeiStealer
89d15d3703f9b4084dc3dd41693d5337d2a19fa40c3c87e1cb7a0997d021c4e1
ArkeiStealer
e13ba9f6e63e4013b75c3d45b012d8cbdda80913669bdd10942828b05d66e798
ArkeiStealer
ea077019bc7eed24cd45cf0e7b78d8a90ee8a7b8e6a7c7e994d1f62954d00c39
ArkeiStealer
fab31b9c336ced2fe83d81198d3ccfa325ca4d4cab2464b72dcda37f34e2dd68
ArkeiStealer
+ 908 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar family:xmrig botnet:bbs1 discovery infostealer miner persistence spyware stealer upx
Link:
https://tria.ge/reports/210522-k5y91qgaxj/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Gathers network information
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies RDP port number used by Windows
Sets DLL path for service in the registry
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Grants admin privileges
XMRig Miner Payload
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
xmrig
Malware Config
C2 Extraction:
87.251.71.193:80
Dropper Extraction:
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f91c7c2e15b7343d97bc5c3961f43ebd659440102a4a9c3359d7a9e6e0aef9d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cryptocoin_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com
Rule name:XMRIG_Miner
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe f91c7c2e15b7343d97bc5c3961f43ebd659440102a4a9c3359d7a9e6e0aef9d3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1268992/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1269088/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-22 19:15:44 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
2) [F0002.002] Collection::Polling
4) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
5) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
6) [C0032.001] Data Micro-objective::CRC32::Checksum
7) [C0060] Data Micro-objective::Compression Library
8) [C0026.002] Data Micro-objective::XOR::Encode Data
10) [C0046] File System Micro-objective::Create Directory
11) [C0048] File System Micro-objective::Delete Directory
12) [C0047] File System Micro-objective::Delete File
13) [C0049] File System Micro-objective::Get File Attributes
14) [C0051] File System Micro-objective::Read File
15) [C0050] File System Micro-objective::Set File Attributes
16) [C0052] File System Micro-objective::Writes File
17) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0017] Process Micro-objective::Create Process
23) [C0041] Process Micro-objective::Set Thread Local Storage Value
24) [C0018] Process Micro-objective::Terminate Process