MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a292cc8da0dbdc4608018679f60e2eeb070c06374fdd57d42d93c35b6944ac0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a292cc8da0dbdc4608018679f60e2eeb070c06374fdd57d42d93c35b6944ac0
SHA3-384 hash: e24c2480de54213911cd213c8d3fc43dddb3ae0b495bf040a037c827471a88998584d95452c772672837efa5d06e0a62
SHA1 hash: d81350e7c42b93abc3a7b219769c78ad94b04556
MD5 hash: a538a1b161b104cde483c720bd238d8a
humanhash: lima-juliet-fanta-edward
File name:1A292CC8DA0DBDC4608018679F60E2EEB070C06374FDD.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:2'700'792 bytes
First seen:2022-10-25 09:41:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e33718404ffbe0d91b536c10bf053f8 (80 x RedLineStealer, 7 x RecordBreaker, 4 x N-W0rm)
ssdeep 24576:5NCaiqIyyRHYQYeaM8c/2MxcZo8YdCW2oNA44yOCzLmGS+Ti7QdLQwUl3RuQ553o:5NCaxIyyqYV4eVS+Ti7QdE9l3s
Threatray 2'131 similar samples on MalwareBazaar
TLSH T103C51A039A9B0E75DDD23BB461CB633FA734FD30CA2A9B7BB608C53559532C5681A702
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://78.47.204.168/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://78.47.204.168/ https://threatfox.abuse.ch/ioc/891320/

Intelligence

File Origin
# of uploads :
1
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
1A292CC8DA0DBDC4608018679F60E2EEB070C06374FDD.exe
Verdict:
Malicious activity
Analysis date:
2022-10-25 09:43:11 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/50a1e794-4d56-40ab-a9dd-d72c7232bf16

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323903/
Detection(s):
Win.Packed.Babar-9970327-0
Create hunting rule

Win.Packed.Fragtor-9970330-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45339/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e809c167-5573-463b-b239-9f2126958b1e
Result
Threat name:
Laplas Clipper, RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1097416
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Laplas Clipper
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 730069 Sample: 1A292CC8DA0DBDC4608018679F6... Startdate: 25/10/2022 Architecture: WINDOWS Score: 100 102 t.me 2->102 134 Snort IDS alert for network traffic 2->134 136 Malicious sample detected (through community Yara rule) 2->136 138 Antivirus detection for URL or domain 2->138 140 13 other signatures 2->140 11 1A292CC8DA0DBDC4608018679F60E2EEB070C06374FDD.exe 1 2->11         started        14 svcupdater.exe 14 2 2->14         started        17 powershell.exe 2->17         started        19 3 other processes 2->19 signatures3 process4 dnsIp5 150 Writes to foreign memory regions 11->150 152 Allocates memory in foreign processes 11->152 154 Injects a PE file into a foreign processes 11->154 21 AppLaunch.exe 15 10 11->21         started        26 conhost.exe 11->26         started        114 clipper.guru 45.159.189.115, 49712, 49923, 80 HOSTING-SOLUTIONSUS Netherlands 14->114 116 192.168.2.1 unknown unknown 14->116 156 Multi AV Scanner detection for dropped file 14->156 158 Machine Learning detection for dropped file 14->158 160 Creates files in the system32 config directory 17->160 28 conhost.exe 17->28         started        30 conhost.exe 19->30         started        signatures6 process7 dnsIp8 104 77.73.134.24, 49695, 80 FIBEROPTIXDE Kazakhstan 21->104 106 api.ip.sb 21->106 108 3 other IPs or domains 21->108 94 C:\Users\user\AppData\Local\...\test.exe, PE32 21->94 dropped 96 C:\Users\user\AppData\Local\...\ofg.exe, PE32 21->96 dropped 98 C:\Users\user\AppData\Local\...\chrome.exe, MS-DOS 21->98 dropped 100 C:\Users\user\AppData\Local\...\brave.exe, PE32+ 21->100 dropped 142 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->142 144 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->144 146 Tries to harvest and steal browser information (history, passwords, etc) 21->146 148 Tries to steal Crypto Currency Wallets 21->148 32 chrome.exe 21->32         started        36 brave.exe 21->36         started        38 ofg.exe 5 21->38         started        40 test.exe 1 21->40         started        file9 signatures10 process11 file12 86 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 32->86 dropped 118 Multi AV Scanner detection for dropped file 32->118 120 Detected unpacking (changes PE section rights) 32->120 122 Machine Learning detection for dropped file 32->122 132 5 other signatures 32->132 42 GoogleUpdate.exe 32->42         started        46 powershell.exe 32->46         started        56 2 other processes 32->56 88 C:\Users\user\AppData\Local\Temp\1EF3.tmp, PE32+ 36->88 dropped 90 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 36->90 dropped 124 Writes to foreign memory regions 36->124 126 Modifies the context of a thread in another process (thread injection) 36->126 128 Found hidden mapped module (file has been removed from disk) 36->128 130 Maps a DLL or memory area into another process 36->130 48 cmd.exe 36->48         started        50 cmd.exe 36->50         started        52 powershell.exe 36->52         started        58 3 other processes 36->58 92 C:\Users\user\AppData\...\svcupdater.exe, PE32 38->92 dropped 54 cmd.exe 1 38->54         started        60 2 other processes 40->60 signatures13 process14 dnsIp15 110 51.195.77.252, 443, 49702, 49704 OVHFR France 42->110 112 api.peer2profit.com 172.66.43.60, 443, 49701, 49703 CLOUDFLARENETUS United States 42->112 162 Detected unpacking (changes PE section rights) 42->162 164 Detected unpacking (overwrites its own PE header) 42->164 166 Uses netsh to modify the Windows network and firewall settings 42->166 168 Modifies the windows firewall 42->168 62 netsh.exe 42->62         started        68 2 other processes 42->68 64 conhost.exe 46->64         started        70 11 other processes 48->70 170 Modifies power options to not sleep / hibernate 50->170 72 5 other processes 50->72 66 conhost.exe 52->66         started        172 Uses cmd line tools excessively to alter registry or file data 54->172 174 Uses schtasks.exe or at.exe to add and modify task schedules 54->174 176 Uses powercfg.exe to modify the power settings 54->176 74 2 other processes 54->74 76 2 other processes 56->76 78 2 other processes 58->78 signatures16 process17 process18 80 conhost.exe 62->80         started        82 conhost.exe 68->82         started        84 conhost.exe 68->84         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a292cc8da0dbdc4608018679f60e2eeb070c06374fdd57d42d93c35b6944ac0/
Threat name:
Win32.Trojan.LoaderMulti
Create hunting rule
Status:
Malicious
First seen:
2022-09-20 13:45:00 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=diuszsg2bw64iyeadbtz6yhc52yhbqddot65k7kc3e6dlnuujlaa._file
Verdict:
malicious
Similar samples:
0dea9964c6e2ad110ad9a26a2e25417afa7b2ed990362faa746fa81cb8a303cd
ArkeiStealer
10c8242c6a5d98f805dbafc6f19e4673067010f967cc5bb47203f8680e6eb6cd
ArkeiStealer
1d1bce6c4a6cdb2b2db0aa80629110db005a108d02127bcc3876f28c93ef7e4d
ArkeiStealer
4c0003c3a45e94129cd5b6771200feebc7c4f53f0d5b110276d8dc7ae29c9e8c
ArkeiStealer
6c56b6a178c64adef96a65fab45b58a7378b17262420a31addd0ec239e12e7c7
ArkeiStealer
a334fa92fab1199f16a272b0f2f63465750f98bed946d23f8f7ae498206ca553
ArkeiStealer
d1fcb1177d60a0380fdb0ae55a078abde009e81bd09017a9ce07ff99a1c3fb0c
ArkeiStealer
+ 2'121 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1707 botnet:@qwhira evasion infostealer spyware stealer upx
Link:
https://tria.ge/reports/221025-lpb8zacbh9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Stops running service(s)
UPX packed file
Modifies security service
RedLine
RedLine payload
Vidar
Malware Config
C2 Extraction:
77.73.134.24:80
https://t.me/slivetalks
https://c.im/@xinibin420
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5489490b-a587-496c-9714-9a3bdf1f586b
Unpacked files
SH256 hash:
7d0a1d1ad1d22a6d4e50e72e62a7cb314efe488db001a004e45114d8415400a3
MD5 hash:
eca1a92fa395e09838dda33fbbaf1d6a
SHA1 hash:
b9e05df0aed1addeac7d5b23b2eac87980eeb91b
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/ee409cb4-000c-49cb-b533-0f71a4ec6944/
SH256 hash:
1a292cc8da0dbdc4608018679f60e2eeb070c06374fdd57d42d93c35b6944ac0
MD5 hash:
a538a1b161b104cde483c720bd238d8a
SHA1 hash:
d81350e7c42b93abc3a7b219769c78ad94b04556
Link:
https://www.unpac.me/results/ee409cb4-000c-49cb-b533-0f71a4ec6944/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a292cc8da0dbdc4608018679f60e2eeb070c06374fdd57d42d93c35b6944ac0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/323903/

Comments