MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10c8242c6a5d98f805dbafc6f19e4673067010f967cc5bb47203f8680e6eb6cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10c8242c6a5d98f805dbafc6f19e4673067010f967cc5bb47203f8680e6eb6cd
SHA3-384 hash: 545c4e3a0ae0fb3a8b2c35765fa444c39bacdf40a2b2f4f1761b5525793eda0547dfe8205dc069b0dad8d3774a44876a
SHA1 hash: 134888da9b4675833df40a850cbd0047a72ad0bc
MD5 hash: 9b2fa61c3e7cbcbbbbb01ff566919fe0
humanhash: may-victor-tennessee-wyoming
File name:10C8242C6A5D98F805DBAFC6F19E4673067010F967CC5.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:467'456 bytes
First seen:2022-10-25 03:25:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6bb2c4160499398644bdc09443276294 (1 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 6144:vAKvPk3RtodJ/guPT/KiVpuTIAJpMKza9dG6adw9bPeuciBypnzuuUK8UdJHAO+a:Vv2RgYIuTnJ2kJiBFuQULH3GS
Threatray 5'729 similar samples on MalwareBazaar
TLSH T15CA49E06B5B2C0B3C56386718D6EC7596836B5110F225AEBABC41DB81EB03C16E72F77
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://78.47.204.168/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://78.47.204.168/ https://threatfox.abuse.ch/ioc/891320/

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
10C8242C6A5D98F805DBAFC6F19E4673067010F967CC5.exe
Verdict:
Malicious activity
Analysis date:
2022-10-25 03:28:59 UTC
Tags:
trojan rat redline loader stealer vidar
Link:
https://app.any.run/tasks/e9b78ae9-b357-4b89-bc44-dcf35f953a39

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323751/
Detection(s):
Win.Malware.Exploitx-9967823-0
Create hunting rule

Win.Malware.Exploitx-9967825-0
Create hunting rule

Win.Malware.Exploitx-9967939-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45233/overview
Behaviour
MalwareBazaar
CallSleep
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cd975396-1184-4494-b3de-801fdf51dfe5
Result
Threat name:
RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1097187
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found hidden mapped module (file has been removed from disk)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 729828 Sample: 10C8242C6A5D98F805DBAFC6F19... Startdate: 25/10/2022 Architecture: WINDOWS Score: 100 109 t.me 2->109 125 Snort IDS alert for network traffic 2->125 127 Malicious sample detected (through community Yara rule) 2->127 129 Antivirus detection for dropped file 2->129 131 12 other signatures 2->131 11 10C8242C6A5D98F805DBAFC6F19E4673067010F967CC5.exe 1 2->11         started        14 svcupdater.exe 2->14         started        17 powershell.exe 2->17         started        19 3 other processes 2->19 signatures3 process4 dnsIp5 161 Contains functionality to inject code into remote processes 11->161 163 Writes to foreign memory regions 11->163 165 Allocates memory in foreign processes 11->165 167 Injects a PE file into a foreign processes 11->167 21 AppLaunch.exe 15 10 11->21         started        26 WerFault.exe 23 9 11->26         started        28 conhost.exe 11->28         started        30 WerFault.exe 11->30         started        117 clipper.guru 45.159.189.115, 49701, 49780, 80 HOSTING-SOLUTIONSUS Netherlands 14->117 169 Multi AV Scanner detection for dropped file 14->169 171 Machine Learning detection for dropped file 14->171 173 Creates files in the system32 config directory 17->173 32 conhost.exe 17->32         started        34 conhost.exe 19->34         started        signatures6 process7 dnsIp8 111 62.204.41.141, 24758, 49695 TNNET-ASTNNetOyMainnetworkFI United Kingdom 21->111 113 adigitalshop.com 151.106.122.215, 443, 49699 PLUSSERVER-ASN1DE Germany 21->113 115 gitcdn.link 104.21.234.84, 49698, 49700, 80 CLOUDFLARENETUS United States 21->115 99 C:\Users\user\AppData\Local\...\test.exe, PE32 21->99 dropped 101 C:\Users\user\AppData\Local\...\ofg.exe, PE32 21->101 dropped 103 C:\Users\user\AppData\Local\...\chrome.exe, MS-DOS 21->103 dropped 105 C:\Users\user\AppData\Local\...\brave.exe, PE32+ 21->105 dropped 153 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->153 155 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->155 157 Tries to harvest and steal browser information (history, passwords, etc) 21->157 159 Tries to steal Crypto Currency Wallets 21->159 36 chrome.exe 21->36         started        40 brave.exe 21->40         started        42 ofg.exe 21->42         started        44 test.exe 21->44         started        file9 signatures10 process11 file12 91 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 36->91 dropped 133 Multi AV Scanner detection for dropped file 36->133 135 Detected unpacking (changes PE section rights) 36->135 137 Machine Learning detection for dropped file 36->137 151 3 other signatures 36->151 46 GoogleUpdate.exe 36->46         started        61 3 other processes 36->61 93 C:\Users\user\AppData\Local\Temp\2CCC.tmp, PE32+ 40->93 dropped 95 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 40->95 dropped 139 Writes to foreign memory regions 40->139 141 Modifies the context of a thread in another process (thread injection) 40->141 143 Found hidden mapped module (file has been removed from disk) 40->143 145 Maps a DLL or memory area into another process 40->145 50 cmd.exe 40->50         started        52 cmd.exe 40->52         started        54 powershell.exe 40->54         started        63 3 other processes 40->63 97 C:\Users\user\AppData\...\svcupdater.exe, PE32 42->97 dropped 56 cmd.exe 42->56         started        147 Allocates memory in foreign processes 44->147 149 Injects a PE file into a foreign processes 44->149 58 vbc.exe 44->58         started        65 2 other processes 44->65 signatures13 process14 dnsIp15 119 141.95.93.175, 443, 49703, 49705 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 46->119 121 api.peer2profit.com 172.66.43.60, 443, 49702, 49704 CLOUDFLARENETUS United States 46->121 123 192.168.2.1 unknown unknown 46->123 175 Detected unpacking (changes PE section rights) 46->175 177 Detected unpacking (overwrites its own PE header) 46->177 179 Uses netsh to modify the Windows network and firewall settings 46->179 181 Modifies the windows firewall 46->181 67 netsh.exe 46->67         started        69 netsh.exe 46->69         started        71 netsh.exe 46->71         started        75 11 other processes 50->75 183 Modifies power options to not sleep / hibernate 52->183 77 5 other processes 52->77 73 conhost.exe 54->73         started        185 Uses cmd line tools excessively to alter registry or file data 56->185 187 Uses schtasks.exe or at.exe to add and modify task schedules 56->187 189 Uses powercfg.exe to modify the power settings 56->189 79 2 other processes 56->79 107 C:\ProgramData\sqlite3.dll, PE32 58->107 dropped 81 3 other processes 61->81 83 2 other processes 63->83 file16 signatures17 process18 process19 85 conhost.exe 67->85         started        87 conhost.exe 69->87         started        89 conhost.exe 71->89         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/10c8242c6a5d98f805dbafc6f19e4673067010f967cc5bb47203f8680e6eb6cd/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-07 04:35:40 UTC
File Type:
PE (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cdecildklwmpqbo3v7dpdhsgomdhaehzm7gfxndsap4gqdtow3gq._file
Verdict:
malicious
Similar samples:
02c1c4241e1211580f078778611ae7c11d6f7a5bdef75cf01cbb6a5185f1c3a8
ArkeiStealer
0b1f6297e8bfa8fc9ff8a7ad85487ff456c0d66ef2d908588cd27345fba5f4e6
ArkeiStealer
4a75a23c13301872f46f4530b071bc4534a211435d5a8d8534b1455735c571b1
ArkeiStealer
4c0003c3a45e94129cd5b6771200feebc7c4f53f0d5b110276d8dc7ae29c9e8c
ArkeiStealer
9846c72d006674133ad1d580eae89b5bebd06017c69f635dd5d961b7f2627be6
ArkeiStealer
d51b59d11c7ce7a34f7568b108f253a337c19b2cbfa8778f5f5bf7ab8d0a439b
ArkeiStealer
ee08608492383853c0cf59e355f9721f413d83f18d3e4a2c344f5b90407caf4a
ArkeiStealer
+ 5'719 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1707 evasion infostealer persistence spyware stealer upx
Link:
https://tria.ge/reports/221025-dy7ggabdfp/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Stops running service(s)
UPX packed file
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
62.204.41.141:24758
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
4ff1f8924b840043ccec9a04e8c1501e00b6dc76f134f706393d5f1f4e915afc
MD5 hash:
afc14afa794ba36fead2e426cd066a33
SHA1 hash:
554a18209154ec2cdc631721ccc5e03c2daef606
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/8fa4779a-be8f-41e1-a3e6-9bba8ed72d97/
SH256 hash:
10c8242c6a5d98f805dbafc6f19e4673067010f967cc5bb47203f8680e6eb6cd
MD5 hash:
9b2fa61c3e7cbcbbbbb01ff566919fe0
SHA1 hash:
134888da9b4675833df40a850cbd0047a72ad0bc
Link:
https://www.unpac.me/results/8fa4779a-be8f-41e1-a3e6-9bba8ed72d97/
Malware family:
RedLine.D
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/10c8242c6a5d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/10c8242c6a5d98f805dbafc6f19e4673067010f967cc5bb47203f8680e6eb6cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/323751/

Comments