MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b1f6297e8bfa8fc9ff8a7ad85487ff456c0d66ef2d908588cd27345fba5f4e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b1f6297e8bfa8fc9ff8a7ad85487ff456c0d66ef2d908588cd27345fba5f4e6
SHA3-384 hash: 1bfa86e1cdace14ee059398953aa5ea6b1e3e347a28863ec03af4fd3c8c4f5e651324d2e6a33cbd77927b3d9485dc806
SHA1 hash: 25b50efad77cebcabf2969a97f31db993286d066
MD5 hash: 76f35ccb9dc8b2342d34237d041d16de
humanhash: twelve-comet-golf-ceiling
File name:0B1F6297E8BFA8FC9FF8A7AD85487FF456C0D66EF2D90.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'216'928 bytes
First seen:2022-10-24 16:50:41 UTC
Last seen:2022-10-24 18:21:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b19a059d8269ea8d79811bc3a86adbb1 (2 x ArkeiStealer, 1 x RedLineStealer, 1 x DCRat)
ssdeep 12288:Z6xsbHodJWWMvNlg+ijLraGFdhJhVTqzEfaH/jVCLzcmI+Sec3IpCT:Z6xsbfWsXylvaEfa7wEb6MT
TLSH T165458031A976281EC7CD0B78FF9C6252A1AF07D06E4056A7B1BC137958D28DC87FB294
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://78.47.204.168/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://78.47.204.168/ https://threatfox.abuse.ch/ioc/891320/

Intelligence

File Origin
# of uploads :
2
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
0B1F6297E8BFA8FC9FF8A7AD85487FF456C0D66EF2D90.exe
Verdict:
Malicious activity
Analysis date:
2022-10-24 16:51:41 UTC
Tags:
trojan rat redline loader stealer vidar
Link:
https://app.any.run/tasks/ddd55049-b0ba-4332-b225-97e372dd561d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/323518/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.62848.28655.12241.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Running batch commands
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45080/overview
Behaviour
MalwareBazaar
CallSleep
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3cb7b7dd-b350-4987-b69a-708e56cbea87
Result
Threat name:
RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1096754
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Drops executables to the windows directory (C:\Windows) and starts them
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 729392 Sample: 0B1F6297E8BFA8FC9FF8A7AD854... Startdate: 24/10/2022 Architecture: WINDOWS Score: 100 102 Snort IDS alert for network traffic 2->102 104 Malicious sample detected (through community Yara rule) 2->104 106 Antivirus detection for dropped file 2->106 108 13 other signatures 2->108 9 0B1F6297E8BFA8FC9FF8A7AD85487FF456C0D66EF2D90.exe 1 2->9         started        12 chrome.exe 2->12         started        14 chrome.exe 2->14         started        16 svcupdater.exe 14 2 2->16         started        process3 dnsIp4 118 Contains functionality to inject code into remote processes 9->118 120 Writes to foreign memory regions 9->120 122 Allocates memory in foreign processes 9->122 19 AppLaunch.exe 15 10 9->19         started        24 conhost.exe 9->24         started        124 Sample uses process hollowing technique 12->124 126 Injects a PE file into a foreign processes 12->126 90 clipper.guru 45.159.189.115, 49709, 49786, 49963 HOSTING-SOLUTIONSUS Netherlands 16->90 128 Machine Learning detection for dropped file 16->128 signatures5 process6 dnsIp7 92 62.204.41.141, 24758, 49705 TNNET-ASTNNetOyMainnetworkFI United Kingdom 19->92 94 adigitalshop.com 151.106.122.215, 443, 49707 PLUSSERVER-ASN1DE Germany 19->94 96 gitcdn.link 104.21.234.85, 49706, 49708, 80 CLOUDFLARENETUS United States 19->96 74 C:\Users\user\AppData\Local\...\test.exe, PE32 19->74 dropped 76 C:\Users\user\AppData\Local\...\ofg.exe, PE32 19->76 dropped 78 C:\Users\user\AppData\Local\...\chrome.exe, MS-DOS 19->78 dropped 80 C:\Users\user\AppData\Local\...\brave.exe, PE32+ 19->80 dropped 110 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->110 112 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->112 114 Tries to harvest and steal browser information (history, passwords, etc) 19->114 116 Tries to steal Crypto Currency Wallets 19->116 26 chrome.exe 19->26         started        30 brave.exe 2 19->30         started        32 ofg.exe 5 19->32         started        34 test.exe 1 19->34         started        file8 signatures9 process10 file11 82 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 26->82 dropped 138 Multi AV Scanner detection for dropped file 26->138 140 Detected unpacking (changes PE section rights) 26->140 142 Detected unpacking (creates a PE file in dynamic memory) 26->142 158 3 other signatures 26->158 36 GoogleUpdate.exe 26->36         started        39 powershell.exe 26->39         started        52 4 other processes 26->52 84 C:\Users\user\AppData\Local\Temp\F0FE.tmp, PE32+ 30->84 dropped 86 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 30->86 dropped 144 Writes to foreign memory regions 30->144 146 Modifies the context of a thread in another process (thread injection) 30->146 148 Found hidden mapped module (file has been removed from disk) 30->148 150 Maps a DLL or memory area into another process 30->150 41 cmd.exe 30->41         started        44 cmd.exe 30->44         started        46 powershell.exe 19 30->46         started        48 powershell.exe 30->48         started        88 C:\Users\user\AppData\...\svcupdater.exe, PE32 32->88 dropped 152 Machine Learning detection for dropped file 32->152 50 cmd.exe 1 32->50         started        154 Allocates memory in foreign processes 34->154 156 Injects a PE file into a foreign processes 34->156 54 2 other processes 34->54 signatures12 process13 dnsIp14 98 51.195.77.248, 443, 49712, 49714 OVHFR France 36->98 100 api.peer2profit.com 172.66.43.60, 443, 49710, 49711 CLOUDFLARENETUS United States 36->100 56 conhost.exe 39->56         started        70 8 other processes 41->70 130 Modifies power options to not sleep / hibernate 44->130 72 5 other processes 44->72 58 conhost.exe 46->58         started        60 conhost.exe 48->60         started        132 Uses cmd line tools excessively to alter registry or file data 50->132 134 Uses schtasks.exe or at.exe to add and modify task schedules 50->134 136 Uses powercfg.exe to modify the power settings 50->136 62 conhost.exe 50->62         started        64 schtasks.exe 1 50->64         started        66 conhost.exe 52->66         started        68 conhost.exe 52->68         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b1f6297e8bfa8fc9ff8a7ad85487ff456c0d66ef2d908588cd27345fba5f4e6/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-13 00:22:35 UTC
File Type:
PE (Exe)
AV detection:
25 of 26 (96.15%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bmpwff7ix6upzh7yu6wyksd76rlmbvto6lmqqwem2jzul65f6tta._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1707 evasion infostealer spyware stealer upx
Link:
https://tria.ge/reports/221024-vctf6ahgar/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Stops running service(s)
UPX packed file
Modifies security service
RedLine
RedLine payload
Vidar
Malware Config
C2 Extraction:
62.204.41.141:24758
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
941dcdd589d6326955754acb43793da3748eeeb601a0155a3b74e21a5f6c3eee
MD5 hash:
8f587b3e0a02d89f52326a6e0dc4d67e
SHA1 hash:
4a4dee3aad84e76a922e7f5d4cbe6be4571594e0
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/37a9755f-5faa-4f72-be7a-2d2f5a530f57/
SH256 hash:
0b1f6297e8bfa8fc9ff8a7ad85487ff456c0d66ef2d908588cd27345fba5f4e6
MD5 hash:
76f35ccb9dc8b2342d34237d041d16de
SHA1 hash:
25b50efad77cebcabf2969a97f31db993286d066
Link:
https://www.unpac.me/results/37a9755f-5faa-4f72-be7a-2d2f5a530f57/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b1f6297e8bfa8fc9ff8a7ad85487ff456c0d66ef2d908588cd27345fba5f4e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/323518/

Comments