MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49deb035d46391e414506e10e5d394a9c371e61299fb5539e71e7bd830099f52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49deb035d46391e414506e10e5d394a9c371e61299fb5539e71e7bd830099f52
SHA3-384 hash: 5c48cc642b843c5512177b53e7251f071344983a91da63515620916f22a1d071813d1f3cd901a098599b8c3c9fcf23a2
SHA1 hash: 1cd56f8a27c8913e1d8c4dd0c97acdeb0f2242ab
MD5 hash: 9ee68713f2a7cffe160e3fc1b446f61e
humanhash: spaghetti-delaware-fix-pennsylvania
File name:49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:455'680 bytes
First seen:2022-10-25 06:26:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 49080033381428e3a131ff5659276d1a (4 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 6144:AnKmSDahq196R5aa7OuWigFV5zGlPAMTZSNiicyB7wbtLd4Fr351azS/PIAOr/Tu:FDL6Pv6zrzGlIMTZ+6taB3LazwPIV90
Threatray 2'171 similar samples on MalwareBazaar
TLSH T174A4AD01B5B2C0B3C6638AB2987DD31965367A141F2149EBBFC45DB86FA43C16930F67
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://78.47.204.168/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://78.47.204.168/ https://threatfox.abuse.ch/ioc/891320/

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe
Verdict:
Malicious activity
Analysis date:
2022-10-25 06:29:05 UTC
Tags:
trojan rat redline loader stealer vidar
Link:
https://app.any.run/tasks/70320b2e-b3d4-4c0a-ae44-d0d5971a8d4d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323798/
Detection(s):
Win.Malware.Exploitx-9967939-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Creating a window
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45270/overview
Behaviour
MalwareBazaar
MeasuringTime
CallSleep
CheckCmdLine
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9630e6eb-fee2-456e-9ca3-96578a1ce4eb
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1097266
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 729906 Sample: 49DEB035D46391E414506E10E5D... Startdate: 25/10/2022 Architecture: WINDOWS Score: 100 103 t.me 2->103 129 Snort IDS alert for network traffic 2->129 131 Malicious sample detected (through community Yara rule) 2->131 133 Antivirus detection for dropped file 2->133 135 10 other signatures 2->135 11 49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe 1 2->11         started        14 svcupdater.exe 2->14         started        17 chrome.exe 2->17         started        19 chrome.exe 2->19         started        signatures3 process4 dnsIp5 145 Contains functionality to inject code into remote processes 11->145 147 Writes to foreign memory regions 11->147 149 Allocates memory in foreign processes 11->149 151 Injects a PE file into a foreign processes 11->151 21 AppLaunch.exe 15 10 11->21         started        26 WerFault.exe 23 9 11->26         started        28 conhost.exe 11->28         started        30 WerFault.exe 11->30         started        115 clipper.guru 45.159.189.115, 49755, 80 HOSTING-SOLUTIONSUS Netherlands 14->115 153 Multi AV Scanner detection for dropped file 14->153 155 Machine Learning detection for dropped file 14->155 signatures6 process7 dnsIp8 105 62.204.41.141, 24758, 49698 TNNET-ASTNNetOyMainnetworkFI United Kingdom 21->105 107 adigitalshop.com 151.106.122.215, 443, 49701 PLUSSERVER-ASN1DE Germany 21->107 109 gitcdn.link 104.21.234.84, 49700, 49702, 49703 CLOUDFLARENETUS United States 21->109 95 C:\Users\user\AppData\Local\...\test.exe, PE32 21->95 dropped 97 C:\Users\user\AppData\Local\...\ofg.exe, PE32 21->97 dropped 99 C:\Users\user\AppData\Local\...\chrome.exe, MS-DOS 21->99 dropped 101 C:\Users\user\AppData\Local\...\brave.exe, PE32+ 21->101 dropped 137 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->137 139 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->139 141 Tries to harvest and steal browser information (history, passwords, etc) 21->141 143 Tries to steal Crypto Currency Wallets 21->143 32 chrome.exe 21->32         started        36 ofg.exe 21->36         started        38 brave.exe 21->38         started        40 test.exe 21->40         started        file9 signatures10 process11 file12 87 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 32->87 dropped 119 Multi AV Scanner detection for dropped file 32->119 121 Detected unpacking (changes PE section rights) 32->121 123 Machine Learning detection for dropped file 32->123 127 5 other signatures 32->127 42 GoogleUpdate.exe 32->42         started        46 powershell.exe 32->46         started        58 2 other processes 32->58 89 C:\Users\user\AppData\...\svcupdater.exe, PE32 36->89 dropped 48 cmd.exe 36->48         started        91 C:\Users\user\AppData\Local\Temp\CC80.tmp, PE32+ 38->91 dropped 93 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 38->93 dropped 125 Adds a directory exclusion to Windows Defender 38->125 50 cmd.exe 38->50         started        52 cmd.exe 38->52         started        54 powershell.exe 38->54         started        56 powershell.exe 38->56         started        60 2 other processes 40->60 signatures13 process14 dnsIp15 111 api.peer2profit.com 172.66.40.196, 443, 49704, 49706 CLOUDFLARENETUS United States 42->111 113 162.19.175.139, 443, 49705, 49707 CENTURYLINK-US-LEGACY-QWESTUS United States 42->113 157 Uses netsh to modify the Windows network and firewall settings 42->157 159 Modifies the windows firewall 42->159 62 netsh.exe 42->62         started        71 2 other processes 42->71 65 conhost.exe 46->65         started        161 Uses cmd line tools excessively to alter registry or file data 48->161 163 Uses schtasks.exe or at.exe to add and modify task schedules 48->163 165 Uses powercfg.exe to modify the power settings 48->165 73 2 other processes 48->73 167 Modifies power options to not sleep / hibernate 50->167 75 5 other processes 50->75 77 9 other processes 52->77 67 conhost.exe 54->67         started        69 conhost.exe 56->69         started        79 2 other processes 58->79 signatures16 process17 dnsIp18 117 192.168.2.1 unknown unknown 62->117 81 conhost.exe 62->81         started        83 conhost.exe 71->83         started        85 conhost.exe 71->85         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49deb035d46391e414506e10e5d394a9c371e61299fb5539e71e7bd830099f52/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-09 19:00:55 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jhplanoumoi6ifcqnyiolu4uvhbxdzqsth5vkophdz55qmajt5ja._file
Verdict:
malicious
Similar samples:
0b1f6297e8bfa8fc9ff8a7ad85487ff456c0d66ef2d908588cd27345fba5f4e6
ArkeiStealer
3c755dda9245f3bf25d22e5564c6224239ab3d698a5cc8faadaa4db4709b5656
ArkeiStealer
5d48f8503446780ca198fb5a5c7ccebc7a8ca729f9a0cad78a2fc5f381500d13
ArkeiStealer
6a057c152abb59ec3c2327352401f03fe611e1b52d5507b144e39fc4b393b804
ArkeiStealer
ee08608492383853c0cf59e355f9721f413d83f18d3e4a2c344f5b90407caf4a
ArkeiStealer
f6d7c5513d746eac1534713e99099c09fef34b16c9060f03e4345116c4e6c9bb
ArkeiStealer
fd4f3959acec139b27223a7d47ce8c5c00ff02e60d34ea3c7a8d8d466c831f74
ArkeiStealer
+ 2'161 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1707 discovery evasion infostealer persistence spyware stealer upx
Link:
https://tria.ge/reports/221025-g67zrabgbm/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Stops running service(s)
UPX packed file
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
62.204.41.141:24758
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
2b037db64b378e032a5af1dd5ae94a76e25786d7b57997cf1e4ad43471dbd670
MD5 hash:
7277cdd79305b5fbb4dcf6f5081e0ccf
SHA1 hash:
9adbe55cf220b733a99d91f934d8c37c03cfb99e
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/bebc3acb-45db-4f70-a54d-9ea3adb928c9/
SH256 hash:
49deb035d46391e414506e10e5d394a9c371e61299fb5539e71e7bd830099f52
MD5 hash:
9ee68713f2a7cffe160e3fc1b446f61e
SHA1 hash:
1cd56f8a27c8913e1d8c4dd0c97acdeb0f2242ab
Link:
https://www.unpac.me/results/bebc3acb-45db-4f70-a54d-9ea3adb928c9/
Malware family:
RedLine.D
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/49deb035d463/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49deb035d46391e414506e10e5d394a9c371e61299fb5539e71e7bd830099f52

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/323798/

Comments