MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1385c3d747eed12e6e8712a8e32820f6dce44531423d81e2e5763c16f7eb38ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 8



SHA256 hash: 1385c3d747eed12e6e8712a8e32820f6dce44531423d81e2e5763c16f7eb38ff
SHA3-384 hash: 20b0a30d006d5701830c4ff0e03e539e3ddc14f55625fa1ed7c14a5adb78e6bd9b51c5d7422d09d14716e17912b7046d
SHA1 hash: f57f5562cb33f0dfaaae43d05684b12309c93fda
MD5 hash: abfc37485ad217c9d6f352c66dae53d2
humanhash: steak-foxtrot-friend-illinois
File name: abfc37485ad217c9d6f352c66dae53d2.exe
Signature: ArkeiStealer
File size: 2'831'744 bytes
First seen: 2021-07-17 11:35:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 49152:xcByPkZVi7iKiF8cUvFyPj0TfrHMLSQDCku55YnGEwJ84vLRaBtIl9mTchEAkkmD:xQri7ixZUvFyPjgQLSQDCr55YVCvLUBj
Threatray: 173 similar samples on MalwareBazaar
TLSH: T1E9D53321BBEBC0B7D5034032A9442FB762F9C7890F3845D777A0D91D5736D6AC03AA9A
Reporter: abuse_ch
Tags: ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
193.110.3.32:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
193.110.3.32:80      https://threatfox.abuse.ch/ioc/160858/
http://a343345.me/   https://threatfox.abuse.ch/ioc/160892/

Intelligence


File Origin
# of uploads: 1
# of downloads: 181
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: abfc37485ad217c9d6f352c66dae53d2.exe
Verdict: No threats detected
Analysis date: 2021-07-17 11:40:31 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Backstage Stealer Cookie Stealer Oski Re
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sigma detected: Regsvr32 Anomaly
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Backstage Stealer
Yara detected Cookie Stealer
Yara detected Oski Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 450220; Sample: WR0MTpWkYC.exe; Start date: 17/07/2021; Architecture: WINDOWS; Score: 100 (process tree graph not reproduced in text)
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-07-15 12:39:06 UTC
AV detection: 19 of 27 (70.37%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:glupteba family:metasploit family:oski family:raccoon family:redline family:smokeloader family:vidar botnet:865 botnet:933 botnet:aninew botnet:cana01 aspackv2 backdoor discovery dropper evasion infostealer loader persistence spyware stealer themida trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Oski
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: INDICATOR_SUSPICOIUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: MALWARE_Win_HyperBro03
Author: ditekSHen
Description: Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: pe_imphash
Rule name: RedLine
Author: @bartblaze
Description: Identifies RedLine stealer.
Rule name: redline_new_bin
Author: James_inthe_box
Description: Redline stealer
Reference: https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name: RedOctoberPluginCollectInfo
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments