MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882
SHA3-384 hash: 0173b75c2397d2f596a3885c8629acdbc37eb07f8d957b6788f2c0eab7a5863749ee55f8a7e3bfd486b0bbe6e9688b95
SHA1 hash: 3f0c0c5555707a52247b91452c75692c1f30c8b6
MD5 hash: a04d8167d9f4313b9f1e6ba38900306c
humanhash: pennsylvania-angel-zulu-friend
File name:a04d8167d9f4313b9f1e6ba38900306c
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:662'016 bytes
First seen:2022-02-02 18:09:55 UTC
Last seen:2022-02-02 22:32:16 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash be710ba34b048ab0098050ccf62e369c (18 x Formbook, 14 x Dridex, 9 x AgentTesla)
ssdeep 12288:E0Ws7IMtR4yVld8bzbBSreTcgFK/UqWm:E0bdkX1OcL
Threatray 19 similar samples on MalwareBazaar
TLSH T1F4E46C55BECA6EA1EFBF47BB8361D62D0226735D03A1A6CF760305993951FC2443EA03
Reporter zbetcheckin
Tags:32 ArkeiStealer dll exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/230512/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.ExcelAddin.4c.10768.16414.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
DNS request
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware packed wacatac
Link:
https://www.filescan.io/uploads/61fac90318d1bfdde4ec27d6/reports/e63d49f9-9ae8-443e-b0e1-864ae4f87af5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5829b705-7ad4-4313-bee7-2d88af088cfc
Result
Threat name:
SystemBC Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/932910
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Creates files in alternative data streams (ADS)
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office document connecting to suspicious TLD
Office process drops PE file
Performs DNS queries to domains with low reputation
Potential document exploit detected (performs DNS queries with low reputation score)
Query firmware table information (likely to detect VMs)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: MS Office Product Spawning Exe in User Dir
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected SystemBC
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 565387 Sample: 8eDbJXHJD9.xll Startdate: 03/02/2022 Architecture: WINDOWS Score: 100 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for URL or domain 2->71 73 16 other signatures 2->73 10 cmd.exe 7 2 2->10         started        12 5NV4AMI59MO3S6Q6.exe 2->12         started        process3 dnsIp4 16 EXCEL.EXE 37 15 10->16         started        21 conhost.exe 10->21         started        65 mainscpnl.xyz 5.61.62.144, 4207, 49849 M247GB United Kingdom 12->65 87 Query firmware table information (likely to detect VMs) 12->87 89 Hides threads from debuggers 12->89 91 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->91 signatures5 process6 dnsIp7 55 uploaditem.xyz 45.139.186.93, 49776, 49822, 80 HostingvpsvilleruRU Russian Federation 16->55 45 C:\Users\user\AppData\Local\Temp\sse.exe, PE32 16->45 dropped 75 Document exploit detected (creates forbidden files) 16->75 23 sse.exe 14 3 16->23         started        file8 signatures9 process10 dnsIp11 57 cdn.discordapp.com 162.159.130.233, 443, 49779 CLOUDFLARENETUS United States 23->57 85 Machine Learning detection for dropped file 23->85 27 RegAsm.exe 159 23->27         started        32 RegAsm.exe 23->32         started        signatures12 process13 dnsIp14 59 mastodon.social 136.243.102.156, 443, 49781 HETZNER-ASDE Germany 27->59 61 95.216.183.78, 49782, 80 HETZNER-ASDE Germany 27->61 63 uploaditem.xyz 27->63 47 C:\ProgramData\5NV4AMI59MO3S6Q6.exe, PE32 27->47 dropped 49 C:\...\5NV4AMI59MO3S6Q6.exe:Zone.Identifier, ASCII 27->49 dropped 51 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 27->51 dropped 53 12 other files (none is malicious) 27->53 dropped 93 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->93 95 Creates files in alternative data streams (ADS) 27->95 97 Tries to steal Mail credentials (via file / registry access) 27->97 103 2 other signatures 27->103 34 5NV4AMI59MO3S6Q6.exe 1 27->34         started        37 cmd.exe 1 27->37         started        99 Performs DNS queries to domains with low reputation 32->99 101 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 32->101 file15 signatures16 process17 signatures18 77 Query firmware table information (likely to detect VMs) 34->77 79 Tries to detect sandboxes and other dynamic analysis tools (window names) 34->79 81 Performs DNS queries to domains with low reputation 34->81 83 3 other signatures 34->83 39 conhost.exe 37->39         started        41 taskkill.exe 37->41         started        43 timeout.exe 37->43         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882/
Threat name:
ByteCode-MSIL.Trojan.ExcelAddin
Create hunting rule
Status:
Malicious
First seen:
2022-02-02 18:10:12 UTC
File Type:
PE (Dll)
Extracted files:
2
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
02f05760666bda9018b95e442486c504cb67f02f5603406be55effc6dbf5c592
ArkeiStealer
1c7e66126306537a453d7a792978464aa8ad5ac2f34bd1fccfffe7e0b9c6d85c
ArkeiStealer
1cbc8581430d4a524a0805f30ce5368340fc943635c76de083527446508027b1
ArkeiStealer
3cd28f853fc7116ece78fbd0be25344d3831c89feba1658412a7dbce529ebab7
ArkeiStealer
876b4427b613ceebe5a4fa5a8d15e2d9473756c697db0c526dc84eb9bc7a3149
ArkeiStealer
994f20ffe53c72f3831982fdf62f5404459306f2afb42a495db19920d5e579e8
ArkeiStealer
bac03f9b60b043b72ae8548b8915dd6058c71b6beae23652389b0cb9310af91d
ArkeiStealer
c4379796b35d65d0589710688f14e01c1c59658299c8e85912ad6bbe17cd9a7b
ArkeiStealer
e01271da5d003c2c0c47314e9bf83fc66e2329c27e7febd768db1a4ecc45aedb
ArkeiStealer
e8ec7dcf12edf07c6099157c32557f41ebd74ddee6b125d1e34dcc4259dc10a7
ArkeiStealer
+ 9 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:systembc family:vidar discovery evasion persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220202-wr28aaadgj/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
SystemBC
Vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
Unpacked files
SH256 hash:
eac5f84f57148036844ade6a207cc199ae41a56dbf11e3f7f7001378a62d40a6
MD5 hash:
3b7af87d06e8d851bde29148e587108f
SHA1 hash:
fbbd4cc87d793e3a3b669951e7920bcbe5ef5533
Link:
https://www.unpac.me/results/c7b9701e-9c42-43dd-9f13-48768897f27d/
SH256 hash:
3f18194190b2ee9400c09cdea45e81a151f9787f24f200cacfc9e5fb885896fd
MD5 hash:
d18f09e3c610c0c01785bc7f5c1142f9
SHA1 hash:
267a353a4314fde5b16b59a0a622dc1f6652b766
Link:
https://www.unpac.me/results/c7b9701e-9c42-43dd-9f13-48768897f27d/
SH256 hash:
fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882
MD5 hash:
a04d8167d9f4313b9f1e6ba38900306c
SHA1 hash:
3f0c0c5555707a52247b91452c75692c1f30c8b6
Link:
https://www.unpac.me/results/c7b9701e-9c42-43dd-9f13-48768897f27d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

DLL dll fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/230512/
  
URLhaus
https://urlhaus.abuse.ch/url/2024762/

Comments


Avatar
zbet commented on 2022-02-02 18:09:56 UTC

url : hxxp://c1r.at/AF1CEEQ1/