MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dea9964c6e2ad110ad9a26a2e25417afa7b2ed990362faa746fa81cb8a303cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 14



SHA256 hash: 0dea9964c6e2ad110ad9a26a2e25417afa7b2ed990362faa746fa81cb8a303cd
SHA3-384 hash: aab7d5e0e58f8a274293aa7d18c0f0cc9f0354fffafb1b6446bf51ce30b8576d7dc10cb816f1bb9ff97f0038a33c6b9b
SHA1 hash: 3ffb14da794c7e50f1cb1b2efa757eb0291e98d8
MD5 hash: 97f688358552bb8b81f51984f01b1897
humanhash: mango-comet-golf-lion
File name: 0DEA9964C6E2AD110AD9A26A2E25417AFA7B2ED990362.exe
Signature: ArkeiStealer
File size: 1'333'248 bytes
First seen: 2022-10-25 01:45:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e5fb44131b18bc2538c1611ac718dbe5 (15 x RedLineStealer, 1 x ArkeiStealer)
ssdeep: 24576:02CeZswR8wmEYzYUipSL72MjzdkICyasS3Ckc:02CsR8VohDsSSk
TLSH: T13F554D3AD70A14B4D76352B1C18EFE7B9B54B63480269E3FBF4ADA0CA8335127CC5256
TrID: 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
http://78.47.204.168/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://78.47.204.168/
ThreatFox Reference: https://threatfox.abuse.ch/ioc/891320/

Intelligence


File Origin
# of uploads: 1
# of downloads: 253
Origin country: n/a
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 0DEA9964C6E2AD110AD9A26A2E25417AFA7B2ED990362.exe
Verdict: Malicious activity
Analysis date: 2022-10-25 01:47:27 UTC
Tags: trojan rat redline loader stealer vidar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 729787 (sample 0DEA9964C6E2AD110AD9A26A2E2..., start date 25/10/2022, architecture WINDOWS, score 100; the graph itself is rendered as an image on the original page and is not reproduced here)
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2022-09-14 14:58:12 UTC
File Type: PE (Exe)
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:redline family:vidar botnet:1707 evasion infostealer spyware stealer upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Stops running service(s)
UPX packed file
Vidar
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
79.137.192.7:39946
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SHA256 hash: f3e59facdce7757dff9b2bb8b648e4f8d73541cebe0c1b79607cc313d57b2095
MD5 hash: fccece0f672b96657c288530c8b3f531
SHA1 hash: 9c4699837cc83cabf57a54ae2c6cca843ab54457
Detections: redline
SHA256 hash: 0dea9964c6e2ad110ad9a26a2e25417afa7b2ed990362faa746fa81cb8a303cd
MD5 hash: 97f688358552bb8b81f51984f01b1897
SHA1 hash: 3ffb14da794c7e50f1cb1b2efa757eb0291e98d8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments