MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f6e8e9441fa7b35c0b1676a69957404081ca8a357b38a6640adb38375a7424d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 4 File information Comments

SHA256 hash:	6f6e8e9441fa7b35c0b1676a69957404081ca8a357b38a6640adb38375a7424d
SHA3-384 hash:	eba3b0f7edd201d2a32e8d31bd842de05db410620d495c0bcfdd90a7e042c4285e48dec50fe91e318d821a27fdc5fa9f
SHA1 hash:	895ccd4af6171223e708f32d83b1c08e65ce5500
MD5 hash:	1b7cc250c7b8b28f5267e244d3cc5e8d
humanhash:	video-virginia-blossom-ack
File name:	1b7cc250c7b8b28f5267e244d3cc5e8d.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	2'714'459 bytes
First seen:	2022-10-27 20:10:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2bba10bc6e6e0c67365da76653e3e10d (11 x RedLineStealer, 3 x ArkeiStealer, 1 x ErbiumStealer)
ssdeep	24576:/EJcFJUhm7FYiYoA7iQ61MN1WdPNJib1HZwzbmXnSF6Q1LtDel3RuQ55313t:FUhmh7qZ7XSF6Q1pyl3H
Threatray	88 similar samples on MalwareBazaar
TLSH	T198C52A135A8B0D75DDD23BB4A1CB633AA734ED30CA2A8F7FB608C53959532C56C1A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

abuse_ch

ArkeiStealer C2:
http://195.201.253.169/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://195.201.253.169/	https://threatfox.abuse.ch/ioc/878075/

Intelligence

File Origin

# of uploads :

# of downloads :

270

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

@bfg_animeshnik-962b1785-13b2-448e-90c8-209296087764.exe

Verdict:

Malicious activity

Analysis date:

2022-10-04 15:31:03 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/28bd6e75-95bf-4886-97a0-f047e05e5690

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/325129/

Detection(s):

Win.Malware.Redlinestealer-9973123-0

Win.Packed.Redlinestealer-9973388-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/46103/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/72ea8ca7-bf78-43be-829d-5dc2416895a7

Result

Threat name:

Laplas Clipper, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1099767

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6f6e8e9441fa7b35c0b1676a69957404081ca8a357b38a6640adb38375a7424d/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-10-23 19:50:00 UTC

File Type:

PE (Exe)

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=n5xi5fcb7j5tlqfrm5vgtfluaqebzkfdk6zyuzsavwzyg5nhijgq._file

Verdict:

malicious

ArkeiStealer

359f9ca568b7525fa41e8ce63450ef4fe1f5c4ba5a334d1473ef93867b21f8a5

ArkeiStealer

4c0003c3a45e94129cd5b6771200feebc7c4f53f0d5b110276d8dc7ae29c9e8c

ArkeiStealer

5d48f8503446780ca198fb5a5c7ccebc7a8ca729f9a0cad78a2fc5f381500d13

ArkeiStealer

a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

ArkeiStealer

ee08608492383853c0cf59e355f9721f413d83f18d3e4a2c344f5b90407caf4a

ArkeiStealer

f8a941938484a00306232e77b8af41e7f81df56e4aa9864a2b59ea8ebfbc892b

ArkeiStealer

+ 78 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline evasion infostealer persistence spyware themida trojan

Link:

https://tria.ge/reports/221027-yx9wesdce5/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Themida packer

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies WinLogon for persistence

RedLine

RedLine payload

Malware Config

C2 Extraction:

62.204.41.141:24758

Unpacked files

SH256 hash:

713f670f649ff998fd71bcfe14659c0069a445775686134874fa35f6b45b4bde

MD5 hash:

3ec877a8d31acba8f7e111ac9d398918

SHA1 hash:

b83c0db3a5b544964260cdf5dc71632364566e22

Detections:

redline

Link:

https://www.unpac.me/results/c0c74db0-a7bf-4944-afc5-52bb1b406c3e/

SH256 hash:

6f6e8e9441fa7b35c0b1676a69957404081ca8a357b38a6640adb38375a7424d

MD5 hash:

1b7cc250c7b8b28f5267e244d3cc5e8d

SHA1 hash:

895ccd4af6171223e708f32d83b1c08e65ce5500

Link:

https://www.unpac.me/results/c0c74db0-a7bf-4944-afc5-52bb1b406c3e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6f6e8e9441fa7b35c0b1676a69957404081ca8a357b38a6640adb38375a7424d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AppLaunch Create hunting rule
Author:	iam-py-test
Description:	Detect files referencing .Net AppLaunch.exe

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/325129/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample