MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1eb3befdf4978a7899e2b7ca8297d0a3abf2b1fcba64e761abbff8aebace0818. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1eb3befdf4978a7899e2b7ca8297d0a3abf2b1fcba64e761abbff8aebace0818
SHA3-384 hash: 29fbf5b0f88ffaad12842b315a33ddf3e0bb4c9699edef56c12bc7ace2e2c599f3bd54d8d91cd2488abd28659718d08c
SHA1 hash: d2daa8e53292e9f3d47236cebfd5767aba69ee57
MD5 hash: 87c987194120a2c704cd8a047fce9b79
humanhash: magazine-hydrogen-four-chicken
File name:1EB3BEFDF4978A7899E2B7CA8297D0A3ABF2B1FCBA64E.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:2'376'747 bytes
First seen:2022-10-24 23:40:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash edfbe68f7bef8503c0900cdb25c277ab (4 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 49152:ldPYWkHTbhMidR1RiqtZxwylS8RjJWwOp9wE:ldPYWkHTbhMidR1RiqtAylSjp9D
TLSH T121B5F8039A8B0E75DDC33BB461CB633A9734EE30CA269B7FF609C53559532C5681AB42
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://78.47.204.168/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://78.47.204.168/ https://threatfox.abuse.ch/ioc/891320/

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
1EB3BEFDF4978A7899E2B7CA8297D0A3ABF2B1FCBA64E.exe
Verdict:
Malicious activity
Analysis date:
2022-10-24 23:42:54 UTC
Tags:
trojan rat redline loader stealer
Link:
https://app.any.run/tasks/6b2762f3-fedb-4261-9154-f16b886c1267

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323690/
Detection(s):
Win.Malware.Jaik-9952806-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Creating a window
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45184/overview
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/876d403c-d251-442e-81bd-26105936df8d
Result
Threat name:
RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1097107
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 729748 Sample: 1EB3BEFDF4978A7899E2B7CA829... Startdate: 25/10/2022 Architecture: WINDOWS Score: 100 122 Malicious sample detected (through community Yara rule) 2->122 124 Antivirus detection for dropped file 2->124 126 Antivirus / Scanner detection for submitted sample 2->126 128 10 other signatures 2->128 10 1EB3BEFDF4978A7899E2B7CA8297D0A3ABF2B1FCBA64E.exe 1 2->10         started        13 svcupdater.exe 2->13         started        16 chrome.exe 2->16         started        18 chrome.exe 2->18         started        process3 dnsIp4 158 Contains functionality to inject code into remote processes 10->158 160 Writes to foreign memory regions 10->160 162 Injects a PE file into a foreign processes 10->162 20 AppLaunch.exe 15 10 10->20         started        25 WerFault.exe 23 9 10->25         started        27 conhost.exe 10->27         started        120 clipper.guru 45.159.189.115, 49760, 50103, 80 HOSTING-SOLUTIONSUS Netherlands 13->120 164 Multi AV Scanner detection for dropped file 13->164 166 Machine Learning detection for dropped file 13->166 signatures5 process6 dnsIp7 106 185.215.113.83, 49699, 60722 WHOLESALECONNECTIONSNL Portugal 20->106 108 adigitalshop.com 151.106.122.215, 443, 49701 PLUSSERVER-ASN1DE Germany 20->108 110 2 other IPs or domains 20->110 88 C:\Users\user\AppData\Local\...\test.exe, PE32 20->88 dropped 90 C:\Users\user\AppData\Local\...\ofg.exe, PE32 20->90 dropped 92 C:\Users\user\AppData\Local\...\chrome.exe, MS-DOS 20->92 dropped 94 C:\Users\user\AppData\Local\...\brave.exe, PE32+ 20->94 dropped 130 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->130 132 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->132 134 Tries to harvest and steal browser information (history, passwords, etc) 20->134 136 Tries to steal Crypto Currency Wallets 20->136 29 chrome.exe 20->29         started        33 test.exe 20->33         started        35 brave.exe 20->35         started        37 ofg.exe 20->37         started        file8 signatures9 process10 file11 98 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 29->98 dropped 168 Multi AV Scanner detection for dropped file 29->168 170 Detected unpacking (changes PE section rights) 29->170 172 Machine Learning detection for dropped file 29->172 184 2 other signatures 29->184 39 GoogleUpdate.exe 29->39         started        54 3 other processes 29->54 174 Writes to foreign memory regions 33->174 176 Allocates memory in foreign processes 33->176 178 Injects a PE file into a foreign processes 33->178 43 vbc.exe 33->43         started        56 3 other processes 33->56 100 C:\Users\user\AppData\Local\Temp\C1BC.tmp, PE32+ 35->100 dropped 102 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 35->102 dropped 180 Modifies the context of a thread in another process (thread injection) 35->180 182 Adds a directory exclusion to Windows Defender 35->182 46 cmd.exe 35->46         started        48 cmd.exe 35->48         started        50 powershell.exe 35->50         started        58 2 other processes 35->58 104 C:\Users\user\AppData\...\svcupdater.exe, PE32 37->104 dropped 52 cmd.exe 37->52         started        signatures12 process13 dnsIp14 112 141.95.93.183, 443, 49705, 49707 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 39->112 114 api.peer2profit.com 172.66.40.196, 443, 49704, 49706 CLOUDFLARENETUS United States 39->114 138 Uses netsh to modify the Windows network and firewall settings 39->138 140 Modifies the windows firewall 39->140 60 netsh.exe 39->60         started        68 2 other processes 39->68 116 t.me 149.154.167.99, 443, 49708 TELEGRAMRU United Kingdom 43->116 118 78.47.204.168, 49721, 80 HETZNER-ASDE Germany 43->118 96 C:\ProgramData\sqlite3.dll, PE32 43->96 dropped 142 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 43->142 144 Tries to harvest and steal browser information (history, passwords, etc) 43->144 146 DLL side loading technique detected 43->146 148 Tries to steal Crypto Currency Wallets 43->148 62 cmd.exe 43->62         started        70 11 other processes 46->70 150 Modifies power options to not sleep / hibernate 48->150 72 5 other processes 48->72 64 conhost.exe 50->64         started        152 Uses cmd line tools excessively to alter registry or file data 52->152 154 Uses schtasks.exe or at.exe to add and modify task schedules 52->154 156 Uses powercfg.exe to modify the power settings 52->156 74 2 other processes 52->74 76 3 other processes 54->76 66 conhost.exe 58->66         started        file15 signatures16 process17 process18 78 conhost.exe 60->78         started        80 conhost.exe 62->80         started        82 timeout.exe 62->82         started        84 conhost.exe 68->84         started        86 conhost.exe 68->86         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1eb3befdf4978a7899e2b7ca8297d0a3abf2b1fcba64e761abbff8aebace0818/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2022-10-21 23:07:00 UTC
File Type:
PE (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d2z357pus6fhrgpcw7fiff6quov7fmp4xjsooynlx74k5owobama._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1707 evasion infostealer persistence spyware stealer upx
Link:
https://tria.ge/reports/221024-3pfd3abacl/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Stops running service(s)
UPX packed file
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
185.215.113.83:60722
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
cc618811998d33f46acf6ad324dceb30901ed90c0902a38713bc6c6889505232
MD5 hash:
3f23e7dd9e1c84a078032460f8bea448
SHA1 hash:
08ec98ea5915e26b05921f3c9fbb58b0a885e522
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/49af823a-c9f8-4666-b37a-5f5652b6d4a0/
SH256 hash:
1eb3befdf4978a7899e2b7ca8297d0a3abf2b1fcba64e761abbff8aebace0818
MD5 hash:
87c987194120a2c704cd8a047fce9b79
SHA1 hash:
d2daa8e53292e9f3d47236cebfd5767aba69ee57
Link:
https://www.unpac.me/results/49af823a-c9f8-4666-b37a-5f5652b6d4a0/
Malware family:
RedLine.D
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1eb3befdf497/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1eb3befdf4978a7899e2b7ca8297d0a3abf2b1fcba64e761abbff8aebace0818

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/323690/

Comments