MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff61d680efc0206c1e90570dd0ec53a0d69eb4a2a7c7e1239d4d38a0541e6646. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff61d680efc0206c1e90570dd0ec53a0d69eb4a2a7c7e1239d4d38a0541e6646
SHA3-384 hash: b3283cc6808fc28a9d9dcd2b87b1d91c9288c84f29965904032c21fb98fccf74ae5a2930edf6600ed2b118fc2d255587
SHA1 hash: f92883ad268229de289063f85e695a557a0b9f04
MD5 hash: 4c6f21e21d11d8192c3ee91634253f25
humanhash: papa-bulldog-yankee-carpet
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:244'736 bytes
First seen:2022-10-14 14:02:27 UTC
Last seen:2022-10-14 15:17:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fd7383d124809205994ec607e4f7aa8b (1 x ArkeiStealer)
ssdeep 3072:NJ5GfABjzBzxKtfIqJIVY2KKEUVsy+vZpMf0EiGOG6/4h1Y/+:NznBjzNxWtWVY2pEUVT+vZpAzy+
Threatray 11'497 similar samples on MalwareBazaar
TLSH T12734188C5981E748D86D68F1CAF2FF68F83A93CC0C5E6D3957A698ED682D307548841F
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
7.1% (.EXE) Clipper DOS Executable (2018/12)
Reporter andretavare5
Tags:ArkeiStealer exe


Avatar
andretavare5
Sample downloaded from https://ladejobi.com/12/TrdngAnlzr472032.exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/320379/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.48565.25446.7512.UNOFFICIAL
Create hunting rule

MiscreantPunch.SingleXOR.EXE.249.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Creating a file
Sending a custom TCP request
Creating a file in the system32 subdirectories
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm obfuscated
Link:
https://www.filescan.io/uploads/63496c18898b0652a4b78db8/reports/996e8a6f-67a4-4582-91cb-7ea529cc16d4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/23656c99-41fe-4ae2-90f4-c77115453752
Result
Threat name:
RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1090781
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Detected VMProtect packer
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 723391 Sample: file.exe Startdate: 14/10/2022 Architecture: WINDOWS Score: 100 68 iplogger.org 2->68 86 Malicious sample detected (through community Yara rule) 2->86 88 Antivirus detection for dropped file 2->88 90 Multi AV Scanner detection for dropped file 2->90 92 8 other signatures 2->92 10 file.exe 2 2->10         started        14 explorer.exe 2->14         started        16 explorer.exe 2->16         started        signatures3 process4 file5 64 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 10->64 dropped 112 Contains functionality to inject code into remote processes 10->112 114 Drops PE files with benign system names 10->114 116 Injects a PE file into a foreign processes 10->116 18 file.exe 2 9 10->18         started        23 conhost.exe 10->23         started        118 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->118 25 WerFault.exe 14->25         started        27 WerFault.exe 14->27         started        29 WerFault.exe 16->29         started        signatures6 process7 dnsIp8 70 solapurcancer.com 116.206.105.72 PUBLIC-DOMAIN-REGISTRYUS Seychelles 18->70 72 94.26.226.51, 49678, 80 PTC-YEMENNETYE Russian Federation 18->72 74 blackhk1.beget.tech 5.101.153.227, 49679, 80 BEGET-ASRU Russian Federation 18->74 54 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32+ 18->54 dropped 56 C:\Users\user\AppData\...\explorer.exe, PE32+ 18->56 dropped 58 C:\Users\user\AppData\...\DEA9BLG660CBHGD.exe, PE32 18->58 dropped 60 4 other malicious files 18->60 dropped 94 Creates multiple autostart registry keys 18->94 31 DEA9BLG660CBHGD.exe 2 18->31         started        34 cmd.exe 1 18->34         started        36 D0CG6EJ33CC0EE1.exe 2 18->36         started        38 3 other processes 18->38 file9 signatures10 process11 file12 120 Multi AV Scanner detection for dropped file 31->120 122 Machine Learning detection for dropped file 31->122 124 Injects a PE file into a foreign processes 31->124 41 DEA9BLG660CBHGD.exe 19 31->41         started        45 explorer.exe 34->45         started        47 D0CG6EJ33CC0EE1.exe 36->47         started        62 C:\Users\user\AppData\Local\Temp\0cTk.CjN, PE32 38->62 dropped 126 Antivirus detection for dropped file 38->126 50 4JK8I7I9HIHA833.exe 2 38->50         started        signatures13 process14 dnsIp15 76 t.me 149.154.167.99 TELEGRAMRU United Kingdom 41->76 78 116.202.186.42 HETZNER-ASDE Germany 41->78 80 192.168.2.1 unknown unknown 41->80 96 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 41->96 98 Tries to harvest and steal browser information (history, passwords, etc) 41->98 100 Tries to steal Crypto Currency Wallets 41->100 102 Antivirus detection for dropped file 45->102 104 Multi AV Scanner detection for dropped file 45->104 106 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 45->106 110 2 other signatures 45->110 52 WerFault.exe 20 9 45->52         started        82 yandex.ru 77.88.55.70 YANDEXRU Russian Federation 47->82 66 C:\Users\user\AppData\Roaming\...\dllhost.exe, PE32 47->66 dropped 108 Creates multiple autostart registry keys 47->108 84 185.215.113.216 WHOLESALECONNECTIONSNL Portugal 50->84 file16 signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff61d680efc0206c1e90570dd0ec53a0d69eb4a2a7c7e1239d4d38a0541e6646/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-10-14 14:03:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=75q5nahpyaqgyhuqk4g5b3ctudlj5nfcu7d6ci45ju4kava6mzda._file
Verdict:
malicious
Similar samples:
45a7548caefdaba416661503999d6f303b34df6ff1986dea142fcc59649888f8
ArkeiStealer
9ad275ee92086bd7851865d47f89253b32da528bd8e9b8df7797070291ea90d3
ArkeiStealer
af60abc8f32a47fe154e7f5a9e6910200f944524f437f45686f53ad4c49b0098
ArkeiStealer
c992ef827d88ae7a24a9ae36ab7406ad9366f4783d258c8ac3957a2ab54c3d83
ArkeiStealer
cac59279f0105fd7c477abf07944c910a02735517efc7e4d10ae0669c336daeb
ArkeiStealer
e1c1ddf6eb34c6be593f5a46848af10dedaaf5917f55023b26d918e61709e8bb
ArkeiStealer
f460aba4130701652e226e6059f5501065b6e6673ffb72aea0a1918af1c6a922
ArkeiStealer
+ 11'487 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1680 botnet:lyla5.09.10 discovery infostealer miner persistence spyware stealer vmprotect
Link:
https://tria.ge/reports/221014-rcplesdfcq/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Detectes Phoenix Miner Payload
RedLine
Vidar
Malware Config
C2 Extraction:
185.215.113.216:21921
https://t.me/truewallets
https://mas.to/@zara99
http://116.203.10.3:80
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ec7557d4-d600-4dfe-bcd2-af6c68aa4cf4
Unpacked files
SH256 hash:
d53fb9b36ec37a0db213707e2f92bc2faa747831547367e1636b144daf935cf3
MD5 hash:
7c85911067b49bec81d35d88aef78a1e
SHA1 hash:
2b8f14bd4130d96b81a1671dbe380869f8070db6
Link:
https://www.unpac.me/results/494a89c5-ad49-4cb1-9119-c6f486ba16b3/
SH256 hash:
ff61d680efc0206c1e90570dd0ec53a0d69eb4a2a7c7e1239d4d38a0541e6646
MD5 hash:
4c6f21e21d11d8192c3ee91634253f25
SHA1 hash:
f92883ad268229de289063f85e695a557a0b9f04
Link:
https://www.unpac.me/results/494a89c5-ad49-4cb1-9119-c6f486ba16b3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff61d680efc0206c1e90570dd0ec53a0d69eb4a2a7c7e1239d4d38a0541e6646

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2374719/
Cape
Cape
https://www.capesandbox.com/analysis/320379/

Comments