Classification:
troj.spyw.evad (Joe Sandbox class tags: trojan, spyware, evader)
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect virtual machines
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc.)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behavior Graph
ID: 729767
Sample: 4A75A23C13301872F46F4530B07...
Startdate: 25/10/2022
Architecture: WINDOWS
Score: 100

Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 16 other signatures.

Process tree, reconstructed from the graph's "started" edges (indentation marks parent/child). Under each process: the signatures attributed to it, the hosts it contacted (domain, IP, ports as listed in the graph, AS name, country; the 49xxx values are the sandbox host's ephemeral source ports) and the files it dropped. Paths shown with "..." are truncated in the report.

4A75A23C13301872F46F4530B071BC4534A211435D5A8.exe
  Signatures: Contains functionality to detect virtual machines; Contains functionality to inject code into remote processes; Writes to foreign memory regions; 2 other signatures
  started:
  - AppLaunch.exe
      Network: 62.204.41.141 (24758, 49695; TNNET-ASTNNetOyMainnetworkFI; United Kingdom); adigitalshop.com 151.106.122.215 (443, 49697; PLUSSERVER-ASN1DE; Germany); 2 other IPs or domains
      Dropped: C:\Users\user\AppData\Local\...\test.exe (PE32); C:\Users\user\AppData\Local\...\ofg.exe (PE32); C:\Users\user\AppData\Local\...\chrome.exe (MS-DOS); C:\Users\user\AppData\Local\...\brave.exe (PE32+)
      Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc.); Tries to steal Crypto Currency Wallets
      started:
      - chrome.exe
          Dropped: C:\Windows\GoogleUpdate.exe (PE32)
          Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 3 other signatures
          started:
          - GoogleUpdate.exe
              Network: 141.95.93.175 (443, 49702, 49703; DFNVereinzurFoerderungeinesDeutschenForschungsnetzese; Germany); api.peer2profit.com 172.66.43.60 (443, 49700, 49701; CLOUDFLARENETUS; United States)
              Signatures: Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); Detected unpacking (overwrites its own PE header); 2 other signatures
              started:
              - netsh.exe
                  started: conhost.exe
              - 2 other processes
                  started: conhost.exe; conhost.exe
          - 3 other processes
              started: 3 other processes
      - brave.exe
          Dropped: C:\Users\user\AppData\Local\Temp\8330.tmp (PE32+); C:\Program Files\Google\Chrome\updater.exe (PE32+)
          Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process
          started:
          - cmd.exe
              started: 11 other processes
          - cmd.exe
              Signatures: Modifies power options to not sleep / hibernate
              started: 5 other processes
          - powershell.exe
              started: conhost.exe
          - 3 other processes
              started: 2 other processes
      - test.exe
          Signatures: Allocates memory in foreign processes; Injects a PE file into a foreign process
          started:
          - vbc.exe
              Network: t.me 149.154.167.99 (443, 49706; TELEGRAMRU; United Kingdom); 78.47.204.168 (49726, 80; HETZNER-ASDE; Germany)
              Dropped: C:\ProgramData\sqlite3.dll (PE32)
              Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc.); Tries to harvest and steal browser information (history, passwords, etc.); DLL side loading technique detected; Tries to steal Crypto Currency Wallets
              started:
              - cmd.exe
                  started: conhost.exe; timeout.exe
          - 3 other processes
      - ofg.exe
          Dropped: C:\Users\user\AppData\...\svcupdater.exe (PE32)
          started:
          - cmd.exe
              Signatures: Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules; Uses powercfg.exe to modify the power settings
              started: 2 other processes
  - conhost.exe

svcupdater.exe (started at top level)
  Network: clipper.guru 45.159.189.115 (49790, 80; HOSTING-SOLUTIONSUS; Netherlands)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

powershell.exe (started at top level)
  started: conhost.exe

3 other processes (started at top level)
  started: conhost.exe
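The signatures above (netsh firewall changes, powercfg sleep/hibernate changes, schtasks.exe or at.exe task creation, the "Stop multiple services" Sigma hit) and the cmd.exe children in the process tree describe a LOLBin chain that is easy to hunt for in endpoint telemetry. The following is an added example, not code from the sandbox or from abuse.ch: it correlates Sysmon Event ID 1 style process-creation events into process trees and raises an alert on a tree that combines two or more of those categories, or any one of them beneath a root binary running from a user-writable path. The sample events, paths and command lines are constructed for the example (the report truncates the real paths and shows no command lines); the user-writable path list, the predicates and the thresholds are assumptions to tune per estate.

```python
"""Correlate process-creation events into trees and flag the persistence /
defence-evasion LOLBin pattern from this report (netsh firewall, powercfg,
schtasks/at, repeated service stops) under a user-writable root binary.
Added example; not code from the sandbox or from abuse.ch."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process (Sysmon EID 1 'Image')
    cmdline: str  # full command line (Sysmon EID 1 'CommandLine')


# Hypothetical list of user-writable path fragments; tune for your estate.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\",
                 "\\temp\\", "\\downloads\\", "\\desktop\\")

# Image basename -> (category, predicate on the lower-cased command line).
# Each predicate narrows the tool to the modifying use the report flags.
LOLBIN_RULES = {
    "netsh.exe":    ("firewall_change", lambda c: "firewall" in c),
    "powercfg.exe": ("power_settings",  lambda c: any(k in c for k in
                                         ("standby", "hibernate", " /h ", " -h "))),
    "schtasks.exe": ("scheduled_task",  lambda c: "/create" in c or "/change" in c),
    "at.exe":       ("scheduled_task",  lambda c: True),
    "sc.exe":       ("service_stop",    lambda c: " stop " in c),
    "net.exe":      ("service_stop",    lambda c: " stop " in c),
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def from_user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)


def root_of(pid: int, by_pid: dict) -> int:
    """Follow ppid links up to the first process whose parent was not observed."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def analyze(events, min_categories: int = 2) -> dict:
    """Return {root_pid: finding}. A tree alerts when it shows at least
    min_categories distinct LOLBin categories, or any category at all when
    its root image runs from a user-writable path."""
    by_pid = {e.pid: e for e in events}
    cats, stops = defaultdict(set), defaultdict(int)
    for e in events:
        rule = LOLBIN_RULES.get(basename(e.image))
        if rule and rule[1](e.cmdline.lower()):
            root = root_of(e.pid, by_pid)
            if rule[0] == "service_stop":
                stops[root] += 1      # one stop is noise; several is the signal
            else:
                cats[root].add(rule[0])
    findings = {}
    for pid, ev in by_pid.items():
        if root_of(pid, by_pid) != pid:
            continue                  # findings are keyed by tree root only
        c = set(cats[pid])
        if stops[pid] >= 3:
            c.add("stop_multiple_services")
        uw = from_user_writable(ev.image)
        findings[pid] = {"root_image": ev.image, "categories": sorted(c),
                         "root_from_user_writable": uw,
                         "alert": len(c) >= min_categories or (uw and bool(c))}
    return findings


# Constructed events modelled on the process tree in the behavior graph above.
# Paths and command lines are illustrative: the report truncates the real
# paths and does not show the command lines.
SAMPLE_EVENTS = [
    ProcEvent(10, 2, r"C:\Users\user\Desktop\4A75A23C13301872F46F4530B071BC4534A211435D5A8.exe", "sample.exe"),
    ProcEvent(20, 10, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe", "AppLaunch.exe"),
    ProcEvent(31, 20, r"C:\Users\user\AppData\Local\Temp\chrome.exe", "chrome.exe"),
    ProcEvent(41, 31, r"C:\Windows\GoogleUpdate.exe", "GoogleUpdate.exe"),
    ProcEvent(62, 41, r"C:\Windows\System32\netsh.exe",
              r'netsh advfirewall firewall add rule name=upd dir=in action=allow program="C:\Windows\GoogleUpdate.exe"'),
    ProcEvent(39, 20, r"C:\Users\user\AppData\Local\Temp\ofg.exe", "ofg.exe"),
    ProcEvent(54, 39, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(74, 54, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn svcupdater /tr "C:\Users\user\AppData\Roaming\svcupdater.exe" /sc onlogon /f'),
    ProcEvent(75, 54, r"C:\Windows\System32\powercfg.exe", "powercfg /hibernate off"),
    # Benign admin activity: schtasks only queries, powercfg only lists schemes.
    ProcEvent(200, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(201, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(202, 201, r"C:\Windows\System32\schtasks.exe", "schtasks /query /fo list"),
    ProcEvent(203, 201, r"C:\Windows\System32\powercfg.exe", "powercfg /l"),
    # A tool run from Downloads that stops several services (the shape behind
    # the 'Stop multiple services' Sigma hit; the report shows no command lines).
    ProcEvent(300, 1, r"C:\Users\user\Downloads\tool.exe", "tool.exe"),
    ProcEvent(301, 300, r"C:\Windows\System32\sc.exe", "sc stop WinDefend"),
    ProcEvent(302, 300, r"C:\Windows\System32\sc.exe", "sc stop wuauserv"),
    ProcEvent(303, 300, r"C:\Windows\System32\sc.exe", "sc stop MpsSvc"),
]

if __name__ == "__main__":
    for root, f in analyze(SAMPLE_EVENTS).items():
        flag = "ALERT" if f["alert"] else "ok   "
        print(f"{flag} pid={root} {basename(f['root_image'])} {f['categories']}")
```

Keying findings by tree root is what makes the rule robust to the injection and re-spawning seen in this graph: the netsh, powercfg and schtasks children sit three or four levels below the sample under different intermediate parents (GoogleUpdate.exe, cmd.exe), so a rule that looks at one parent/child pair would see three isolated low-severity events instead of one chain. The explorer.exe tree shows why the predicates matter: schtasks /query and powercfg /l are routine administration and must not count.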