MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 16



SHA256 hash: 582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
SHA3-384 hash: 258f7a1ca505eaa28e6fa6b304677ac8a16d06f1eb103d14d2b21568e69d9dacfc289df65925fca1b904cda6c9bbf5bc
SHA1 hash: 160dc676ce1696daa20f3c2d56cf41d84481d628
MD5 hash: b968dfca2c74f26c008abffa22c74581
humanhash: butter-helium-autumn-november
File name: 582BD655F491FE76A95B9C8900A3051D379DCBB86036F.exe
Signature: ArkeiStealer
File size: 4'028'984 bytes
First seen: 2022-10-25 15:21:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xuCvLUBsgNljaa5vDFVkA2jYsVn3QWQjC78LF4EZCm:xnLUCgjaaDj2xFQhjCSHZCm
TLSH: T17B1633007EE258FAFD4115789F597FB529FE83AD18118E8F33A85A4B6E72605C31E24C
TrID: 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
193.106.191.19:47242

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                       ThreatFox Reference
193.106.191.19:47242      https://threatfox.abuse.ch/ioc/948768/

Intelligence


File Origin
# of uploads :
1
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
91c43b63ed3549c521e4166ab7358e29ce19f8087c9053a8c6b6e4f17ddeb4c5
Verdict:
Malicious activity
Analysis date:
2021-10-11 12:49:08 UTC
Tags:
trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
onlyLogger Loader
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Query of malicious DNS domain
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nymaim, RedLine, Socelars, onlyLogger
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Contains functionality to steal Chrome passwords or cookies
Creates HTML files with .exe extension (expired dropper behavior)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Found C&C like URL pattern
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara Genericmalware
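Three of the static signatures above (PE file contains section with special chars, PE file has a writeable .text section, PE file has nameless sections) need no sandbox to reproduce and make a cheap triage pre-filter for packed binaries such as the VMProtect build the sandbox detected here. The following is an added example, not MalwareBazaar's or the sandbox vendor's code: a standard-library PE section-table walker that raises the same three findings. The two images it inspects are constructed header-only stubs produced by build_pe, not bytes from this sample.

```python
"""Static check for the PE section anomalies listed in the sandbox signatures
(writeable .text, nameless sections, section names with special characters)
using only the standard library. Added example, not MalwareBazaar or sandbox
vendor code; CLEAN_PE and SUSPICIOUS_PE are constructed header-only stubs."""
import struct

# Section Characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return one dict per section header (raw 8-byte name, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i              # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        raw_name = data[off:off + 8]
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"raw_name": raw_name, "characteristics": characteristics})
    return sections


def section_anomalies(data):
    """Return human-readable findings matching the three sandbox signatures."""
    findings = []
    for s in parse_sections(data):
        name = s["raw_name"].rstrip(b"\0")
        if not name:
            findings.append("nameless section")
            continue
        if any(b < 0x20 or b > 0x7E for b in name):
            findings.append("section with special chars: " + repr(name))
        if name == b".text" and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append("writeable .text section")
    return findings


def build_pe(section_specs):
    """Build a header-only PE32 image (constructed test input) from
    [(section name, characteristics), ...]; names are NUL-padded to 8 bytes."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)          # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0x200,
                    0x400 * (i + 1), 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(section_specs))
    return dos + b"PE\0\0" + coff + opt + table


# Constructed inputs: a conventional layout and a packer-style one.
CLEAN_PE = build_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
SUSPICIOUS_PE = build_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b"\0" * 8, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".\x01\x02", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("suspicious", SUSPICIOUS_PE)):
        print(label, section_anomalies(image) or "no section anomalies")
```

Run it against a real file with section_anomalies(open(path, "rb").read()); a writeable .text on its own is also produced by some legitimate self-modifying runtimes, so treat a single finding as a reason to look closer rather than a verdict.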
Behaviour
Behavior Graph:
Behavior Graph ID: 730368
Sample: 582BD655F491FE76A95B9C8900A...
Startdate: 25/10/2022
Architecture: WINDOWS
Score: 100
Top-level network: xv.yxzgamen.com; www.facebook.com; 24 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 24 other signatures

Process tree (dropped files, network contacts and signatures per node):
- 582BD655F491FE76A95B9C8900A3051D379DCBB86036F.exe (started)
    dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\libwinpthread-1.dll (PE32); C:\Users\user\AppData\...\libstdc++-6.dll (PE32); 14 other files (13 malicious)
  - setup_install.exe
      network: 127.0.0.1
      signatures: Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender
    - cmd.exe -> Sun12b075b343272c8.exe
        network: 212.193.30.115 (ports 49725, 49732, 80; SPD-NETTR, Russian Federation); vk.com 87.240.132.67 (ports 443, 49743, 49744; VKONTAKTE-SPB-AS, Russian Federation); 20 other IPs or domains
        dropped: C:\Users\...\ziVH4KhvHOejd5bsvV6Pw8ZJ.exe (PE32); C:\Users\...\sRvVElR7WlW9IVGGcvBqJsxl.exe (PE32); C:\Users\...\r0ZSdZ6D7uNfOIjEMecMu1hK.exe (PE32); 18 other malicious files
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; May check the online IP address of the machine; 3 other signatures
    - cmd.exe -> Sun1215e751f01d.exe
        signatures: Machine Learning detection for dropped file
      - mshta.exe -> cmd.exe
          dropped: C:\Users\user\AppData\Local\Temp\09xU.exE (PE32)
          started: 09xU.exE; conhost.exe; taskkill.exe
        - 09xU.exE
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
          - mshta.exe -> cmd.exe -> conhost.exe
          - mshta.exe
    - cmd.exe -> Sun125ca7899a38c4.exe
        network: 2 other IPs or domains
        started: WerFault.exe (twice)
    - 11 other processes
        network: 192.168.2.1
        signatures: Adds a directory exclusion to Windows Defender
      - Sun12d1c7c93af0.exe
          network: ip-api.com 208.95.112.1 (ports 49707, 80; TUT-ASUS, United States)
          signatures: Contains functionality to steal Chrome passwords or cookies
      - Sun12e078fe45525.exe
          signatures: Injects a PE file into a foreign processes
        - Sun12e078fe45525.exe (child instance)
      - Sun125d119c415ff55f3.exe
          network: ggg-cl.biz
          started: WerFault.exe
      - 6 other processes
          network: 4 other IPs or domains
          explorer.exe (injected)
Threat name:
Win32.Trojan.Redlinestealer
Status:
Malicious
First seen:
2021-10-10 19:56:44 UTC
File Type:
PE (Exe)
Extracted files:
116
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
socelars
Score:
  10/10
Tags:
family:fabookie family:nullmixer family:onlylogger family:privateloader family:redline family:smokeloader family:socelars botnet:ani botnet:she aspackv2 backdoor discovery dropper evasion infostealer loader main spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
OnlyLogger payload
Detect Fabookie payload
Detects Smokeloader packer
Fabookie
Modifies Windows Defender Real-time Protection settings
NullMixer
OnlyLogger
PrivateLoader
RedLine
RedLine payload
SmokeLoader
Socelars
Socelars payload
Malware Config
C2 Extraction:
http://hsiens.xyz/
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
135.181.129.119:4805
45.142.215.47:27643
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
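The reporter's C2 (193.106.191.19:47242 in the IOC section above) and the sandbox's C2 extraction list are the actionable network indicators on this page. As an added example, not abuse.ch or ThreatFox code, the script below normalises both sets into host/port pairs and runs them over Suricata EVE JSON events; the EVE lines are constructed for the demonstration and are not this sample's traffic. Port-pinned IOCs only match on that port, so a connection to 193.106.191.19 on some other port is not reported; relax that deliberately if you want IP-level matching. ip-api.com, vk.com and www.facebook.com from the behaviour graph are left out on purpose: they are legitimate services the malware abuses for geolocation and profile hosting and belong in investigation context, not in a block list.

```python
"""Match this page's network IOCs against Suricata EVE JSON events.
Added example, not abuse.ch / ThreatFox code. SAMPLE_EVE is constructed
for the demonstration and is not traffic captured from this sample."""
import json
from urllib.parse import urlsplit

# IOCs as they appear on this page (reporter comment + sandbox C2 extraction).
IOCS = [
    "193.106.191.19:47242",
    "http://hsiens.xyz/",
    "http://www.iyiqian.com/",
    "http://www.hbgents.top/",
    "http://www.rsnzhy.com/",
    "http://www.znsjis.top/",
    "135.181.129.119:4805",
    "45.142.215.47:27643",
    "http://91.241.19.125/pub.php?pub=one",
    "http://sarfoods.com/index.php",
]


def normalize_ioc(ioc):
    """Return (host, port). Port is None when the IOC does not pin one; a
    URL's default scheme port is deliberately not treated as pinned."""
    if "://" in ioc:
        u = urlsplit(ioc)
        return u.hostname, u.port
    host, sep, port = ioc.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return ioc, None


def build_index(iocs):
    """host -> set of pinned ports (None in the set means any port)."""
    index = {}
    for ioc in iocs:
        host, port = normalize_ioc(ioc)
        index.setdefault(host, set()).add(port)
    return index


def observables(event):
    """Yield (host, port) pairs from the parts of an EVE record that name a peer."""
    if "dest_ip" in event:
        yield event["dest_ip"], event.get("dest_port")
    kind = event.get("event_type")
    if kind == "dns":
        name = event.get("dns", {}).get("rrname")
        if name:
            yield name.rstrip(".").lower(), None
    elif kind == "http":
        host = event.get("http", {}).get("hostname")
        if host:
            yield host.lower(), None


def scan_eve(lines, index):
    """Return [(line_no, event_type, host, port), ...], one hit per host per event."""
    hits = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        event = json.loads(line)
        seen = set()
        for host, port in observables(event):
            pinned = index.get(host)
            if pinned is None or host in seen:
                continue
            if None in pinned or port in pinned:
                seen.add(host)
                hits.append((n, event.get("event_type"), host, port))
    return hits


# Constructed EVE events: two true hits, one benign geolocation lookup,
# one contact with the C2 IP on an unpinned port, one URL-IOC hit by IP.
SAMPLE_EVE = """
{"timestamp":"2022-10-25T15:30:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":49732,"dest_ip":"193.106.191.19","dest_port":47242,"proto":"TCP"}
{"timestamp":"2022-10-25T15:30:02.000000+0000","event_type":"dns","src_ip":"10.0.0.5","src_port":53214,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4121,"rrname":"hsiens.xyz","rrtype":"A"}}
{"timestamp":"2022-10-25T15:30:03.000000+0000","event_type":"http","src_ip":"10.0.0.5","src_port":49707,"dest_ip":"208.95.112.1","dest_port":80,"proto":"TCP","http":{"hostname":"ip-api.com","url":"/json/","http_method":"GET"}}
{"timestamp":"2022-10-25T15:30:04.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":49800,"dest_ip":"193.106.191.19","dest_port":443,"proto":"TCP"}
{"timestamp":"2022-10-25T15:30:05.000000+0000","event_type":"http","src_ip":"10.0.0.5","src_port":49811,"dest_ip":"91.241.19.125","dest_port":80,"proto":"TCP","http":{"hostname":"91.241.19.125","url":"/pub.php?pub=one","http_method":"GET"}}
"""


def demo():
    return scan_eve(SAMPLE_EVE.strip().splitlines(), build_index(IOCS))


if __name__ == "__main__":
    for hit in demo():
        print("line %d %-5s %s:%s" % hit)
```

For a real eve.json, pass open("/var/log/suricata/eve.json") to scan_eve instead of the constructed lines; the generator-based loop never loads the whole file.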
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files

SHA256 hash: 51083f1071cc6c67bc643417a0be92c3190a044f6cb0d913bb8afb01adc08f3f
MD5 hash: 59073d016866002414aa2c915f8d1f6e
SHA1 hash: dc285bc11154c5d4b932514934bd16c71b2a3938

SHA256 hash: d95b8e2d8bf52369a369cf6ee5366297a8984380210d7eea29a82cf53b8501fa
MD5 hash: 4da644a647b164089629ff894110d9cf
SHA1 hash: 8f29d97853790d852203c0921c39609ee8c6b27e

SHA256 hash: 642f5d31e9797e4509429807009ee2871ac9826b5b513ff229956a3d87ed1f8e
MD5 hash: 488029d7287523022a3a3c0fad808e36
SHA1 hash: 1f28a900f11d99b0f6e65cf3b1e63b0bd22f45db

SHA256 hash: 2022d227a29dce5db4ff976cbf762bc300c917318367125dcbcba46780dbef5c
MD5 hash: ced7cf45066948700224a0ac5b61dccb
SHA1 hash: dbee1d1faf544aed0ce48c0959cf1ec7510e1e31

SHA256 hash: 43da19a0f18ca201ee3f213e30699e121bbe812bb14e405344dfe43e52b95d6a
MD5 hash: c83860b0db60b9f69468301ee2a58fca
SHA1 hash: d826cc0323eb208e36b3e9ef00225430c6f031e1

SHA256 hash: c3320f7881a1e39aaae81bc3e5399e695cf1ec22e1f33b2454a5d2d4c43ef9fe
MD5 hash: efc82b95a1ede9af1c833e9912c62818
SHA1 hash: c433cf849e818fb1bac2caea97984ac8b0bafb73

SHA256 hash: c8afcdf046c8f341ba02dc56abaa08b4b7cc0df34087c22d11236d16011eb3e6
MD5 hash: 5f2ddd37132f21311b5cc07f94952faf
SHA1 hash: 9af762055be8491978955640a56b58a9b2ad488c

SHA256 hash: cffd20d82557041e59658fd018ce33c9a3d14de632c81b9d2c8852e0c4fdc381
MD5 hash: 2ee46b72485d9af033ea5f8229cd77c8
SHA1 hash: 8a4357ca0ecc207a63fd1e3a750115c05f9759e2

SHA256 hash: bc6dfe9ae53c745b83810c092635dee8d3a5e58fda2e91552cc5683399568c09
MD5 hash: 8c9e935bccc4fac6b11920ef96927aac
SHA1 hash: 38bd94eb5a5ef481a1e7c5192d9f824b7a16d792

SHA256 hash: 0e2e68dc9724fc97647db64d367e7eed6ecf41b6cfe23fef257260607f86445d
MD5 hash: 91220afa4a880b7fb2d1b6a5117bf30d
SHA1 hash: 486b03728efe58dfbe19078bceb412e43eb153dd

SHA256 hash: 51d1fb6c91c859ebbe0d33009feb91e61ac92c14412addfeb6e5b097d84b7b63
MD5 hash: ca367012ebf8a17e84253413281d5e72
SHA1 hash: 9db93109d5bfb255c1997e422a2538beefdbb36e
Detections: win_gcleaner_auto

SHA256 hash: 4d122504d709e4b3c9bf75835b9453aab45dc8fc748f2745e5ad31c6ba09cf92
MD5 hash: f9d11f710246b5647625e117f42deb2a
SHA1 hash: b37aa574bc9b6661bb1967d266b358caab2aa591

SHA256 hash: a992a679ba3a3d1258de721b25376f96f6480f7478829342d8a948e43c9c2899
MD5 hash: b0341f67fa78c5e0241aaa80e82b734b
SHA1 hash: f070d6eb4620e1ba404fc97de06a69a69b9be6f1

SHA256 hash: a08a022c535785e68b478c09880dbec9cc33796987a03a4604c1bfbf94da8f9b
MD5 hash: f5434fb7b62389136300693bc00f45b7
SHA1 hash: b71c8bac7087dce16d24517d7cf5ce737de2e4ab

SHA256 hash: cebbf28ba48c16bf880e1b2dd06242805af021b8bded51589f7658d40e1fd307
MD5 hash: e6e328226018555101feb6285ff40ac1
SHA1 hash: 5e417ca1008de11a41b1bca1395984afa70e6347
Detections: win_privateloader_auto

SHA256 hash: 582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b (the submitted sample)
MD5 hash: b968dfca2c74f26c008abffa22c74581
SHA1 hash: 160dc676ce1696daa20f3c2d56cf41d84481d628
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:INDICATOR_EXE_Packed_ASPack
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:MALWARE_Win_Arechclient2
Author:ditekSHen
Description:Detects Arechclient2 RAT
Rule name:MALWARE_Win_DLInjector03
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_OnlyLogger
Author:ditekSHen
Description:Detects OnlyLogger loader variants
Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Rule name:RedLine_b
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_stealer
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:Windows_Trojan_RedLineStealer_3d9371fd
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_f54632eb
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Author:Elastic Security
Rule name:win_gcleaner_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.
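Two of the rules above (SUSP_XORed_Mozilla and SUSP_XORed_Mozilla_RID2DB4) fire on a single-byte-XORed "Mozilla/5.0", and because YARA's xor modifier reports the match but not the key, the rule description points at a CyberChef brute force to recover it. The Python below is an added example, not the rule author's code: it does the same brute force offline and then decodes forward from the hit to recover the whole user-agent string, which is usually the more useful artefact (a hard-coded UA often identifies the stealer family or build). SAMPLE_BLOB is a constructed buffer containing the string XORed under key 0x5A, not bytes from this sample.

```python
"""Brute-force the single-byte XOR key behind an obfuscated "Mozilla/5.0"
(what the SUSP_XORed_Mozilla rules match on) and recover the full string.
Added example, not the rule author's code; SAMPLE_BLOB is constructed."""
KEYWORD = b"Mozilla/5.0"


def xor_bytes(data, key):
    """XOR every byte of data with one key byte."""
    return bytes(b ^ key for b in data)


def find_xored_keyword(buf, keyword=KEYWORD):
    """Return [(offset, key), ...] for every key 1..255 under which keyword
    occurs in buf. Key 0 is plaintext and is excluded, as in the rule."""
    hits = []
    for key in range(1, 256):
        needle = xor_bytes(keyword, key)
        start = buf.find(needle)
        while start >= 0:
            hits.append((start, key))
            start = buf.find(needle, start + 1)
    return hits


def recover_string(buf, offset, key):
    """Decode forward from offset until the first byte that is not printable
    ASCII, which recovers the whole XORed string rather than just the keyword."""
    out = bytearray()
    for b in buf[offset:]:
        c = b ^ key
        if c < 0x20 or c > 0x7E:
            break
        out.append(c)
    return bytes(out)


def scan(buf):
    """Convenience wrapper: [(offset, key, recovered_string), ...]."""
    return [(off, key, recover_string(buf, off, key))
            for off, key in find_xored_keyword(buf)]


# Constructed test buffer: padding, a fake MZ header, the user agent XORed
# with 0x5A at offset 48, a non-printable separator, then a plaintext copy
# (key 0, which the scan ignores on purpose).
PLAIN_UA = b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SAMPLE_BLOB = (b"\0" * 16 + b"MZ" + b"\x90" * 30
               + xor_bytes(PLAIN_UA, 0x5A) + b"\xff" * 3
               + b"Mozilla/5.0 plain copy" + b"\xff" * 8)

if __name__ == "__main__":
    for offset, key, text in scan(SAMPLE_BLOB):
        print("offset 0x%x key 0x%02x: %s" % (offset, key, text.decode("ascii")))
```

Point scan at a process dump or an unpacked payload (open(path, "rb").read()) rather than the packed file; the rules match at that layer too, which is why MalwareBazaar runs them against process dumps as well as the upload.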
