MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4a8506c8f2bc00ba1d6ef93780ee6de4072e988113474758a24b2bc88b8e708. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4a8506c8f2bc00ba1d6ef93780ee6de4072e988113474758a24b2bc88b8e708
SHA3-384 hash: 7ab23f3f0d778917d3dbb0e2db3428acf422dd56672479a76b80c2dd4f5cbdb2a4d81c77da4519a9729c0100b3b7b034
SHA1 hash: 5ceb0574c486274ad2b2da37831341a9afb654ba
MD5 hash: 3ec33396a0f7ef6b51ce517c9a9e8521
humanhash: hotel-finch-lemon-magazine
File name:3ec33396a0f7ef6b51ce517c9a9e8521.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:2'422'443 bytes
First seen:2022-10-26 21:45:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c30adf91ebe9d66e552316724764f4c1 (9 x RedLineStealer, 1 x ArkeiStealer, 1 x DCRat)
ssdeep 24576:+wnUYsYufPXovM65v3YBtueCScwYRg7AkRsLoa7WPl3RuQ55313H:+wl2cwmg7AkRsEPl3Z
Threatray 9'438 similar samples on MalwareBazaar
TLSH T1ECB50A036A8B1E75DDC23BB4618B633AA734FD30CA2A9F7FB60DC53559532C4681A742
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://95.217.29.33/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://95.217.29.33/ https://threatfox.abuse.ch/ioc/950016/

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
3ec33396a0f7ef6b51ce517c9a9e8521.exe
Verdict:
Malicious activity
Analysis date:
2022-10-26 21:46:21 UTC
Tags:
trojan rat redline loader stealer
Link:
https://app.any.run/tasks/c535715c-811b-4dec-908c-75726d9a0095

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/324571/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.155090.7503.13010.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45776/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Certishell
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/38666f65-cbd8-409a-92c2-9a1ff0b9de65
Result
Threat name:
Laplas Clipper, RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1098888
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Laplas Clipper
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 731538 Sample: vPMLS1HVsL.exe Startdate: 27/10/2022 Architecture: WINDOWS Score: 100 103 clipper.guru 2->103 123 Snort IDS alert for network traffic 2->123 125 Multi AV Scanner detection for domain / URL 2->125 127 Malicious sample detected (through community Yara rule) 2->127 129 11 other signatures 2->129 11 vPMLS1HVsL.exe 1 2->11         started        14 svcupdater.exe 2->14         started        16 chrome.exe 2->16         started        18 chrome.exe 2->18         started        signatures3 process4 signatures5 153 Contains functionality to inject code into remote processes 11->153 155 Writes to foreign memory regions 11->155 157 Allocates memory in foreign processes 11->157 159 Injects a PE file into a foreign processes 11->159 20 vbc.exe 15 11 11->20         started        25 conhost.exe 11->25         started        161 Multi AV Scanner detection for dropped file 14->161 163 Machine Learning detection for dropped file 14->163 process6 dnsIp7 105 185.215.113.83, 49699, 60722 WHOLESALECONNECTIONSNL Portugal 20->105 107 dl.uploadgram.me 176.9.247.226, 443, 49702 HETZNER-ASDE Germany 20->107 109 2 other IPs or domains 20->109 87 C:\Users\user\AppData\Local\Temp\start.exe, PE32+ 20->87 dropped 89 C:\Users\user\AppData\Local\...\ofg.exe, PE32 20->89 dropped 91 C:\Users\user\AppData\Local\...\chrome.exe, MS-DOS 20->91 dropped 93 2 other malicious files 20->93 dropped 131 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->131 133 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->133 135 Tries to harvest and steal browser information (history, passwords, etc) 20->135 137 Tries to steal Crypto Currency Wallets 20->137 27 chrome.exe 20->27         started        31 app.exe 1 20->31         started        33 brave.exe 20->33         started        35 2 other processes 20->35 file8 signatures9 process10 file11 95 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 27->95 dropped 165 Multi AV Scanner detection for dropped file 27->165 167 Detected unpacking (changes PE section rights) 27->167 169 Machine Learning detection for dropped file 27->169 175 6 other signatures 27->175 37 GoogleUpdate.exe 27->37         started        41 powershell.exe 27->41         started        43 schtasks.exe 27->43         started        45 schtasks.exe 27->45         started        171 Allocates memory in foreign processes 31->171 47 vbc.exe 31->47         started        50 WerFault.exe 31->50         started        56 2 other processes 31->56 97 C:\ProgramData\Updater\VCXRYF.exe, PE32+ 33->97 dropped 173 Antivirus detection for dropped file 33->173 99 C:\Users\user\AppData\...\svcupdater.exe, PE32 35->99 dropped 52 powershell.exe 35->52         started        54 cmd.exe 35->54         started        signatures12 process13 dnsIp14 111 api.peer2profit.com 172.66.43.60, 443, 49703, 49706 CLOUDFLARENETUS United States 37->111 113 162.19.175.140, 443, 49705, 49707 CENTURYLINK-US-LEGACY-QWESTUS United States 37->113 115 162.19.175.147, 443, 50026, 50028 CENTURYLINK-US-LEGACY-QWESTUS United States 37->115 139 Uses netsh to modify the Windows network and firewall settings 37->139 141 Modifies the windows firewall 37->141 58 netsh.exe 37->58         started        61 netsh.exe 37->61         started        63 netsh.exe 37->63         started        65 conhost.exe 41->65         started        67 conhost.exe 43->67         started        69 conhost.exe 45->69         started        117 t.me 149.154.167.99, 443, 49951 TELEGRAMRU United Kingdom 47->117 119 95.217.29.33, 49967, 80 HETZNER-ASDE Germany 47->119 101 C:\ProgramData\sqlite3.dll, PE32 47->101 dropped 143 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 47->143 145 Tries to harvest and steal browser information (history, passwords, etc) 47->145 147 DLL side loading technique detected 47->147 149 Tries to steal Crypto Currency Wallets 47->149 71 cmd.exe 47->71         started        151 Queries memory information (via WMI often done to detect virtual machines) 52->151 73 conhost.exe 52->73         started        75 2 other processes 54->75 file15 signatures16 process17 dnsIp18 121 192.168.2.1 unknown unknown 58->121 77 conhost.exe 58->77         started        79 conhost.exe 61->79         started        81 conhost.exe 63->81         started        83 conhost.exe 71->83         started        85 timeout.exe 71->85         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a4a8506c8f2bc00ba1d6ef93780ee6de4072e988113474758a24b2bc88b8e708/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-10-22 14:40:45 UTC
File Type:
PE (Exe)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=usufa3epfpaaxiow56jxqdxg3zahf2mice2hi5mkeszlzcfy44ea._file
Verdict:
malicious
Similar samples:
13a0b3e462a014b605489df82b082618b64d7292140bbfdbb7b58e683cb80b3b
ArkeiStealer
169e01599ade6b92e0a47abbb8ad87b26b72c43ad7d6e9b9ea604ce59961d673
ArkeiStealer
185162ce404a5fa9310340b9c39516ab09073c1460dfc1dd066541c1756563a4
ArkeiStealer
28120e30e6493e67c89ef159d2d1b2866cc05ebc0be35758023feef924eb5d1b
ArkeiStealer
2986955a86572ace49ad3773a3e1ddb742ade6a5d0b09e9f4597bba2477a1465
ArkeiStealer
44c6ed2ddb5e2077c153de0a299dcbff82ba1d2a9f304c0e4fed47496ba82af7
ArkeiStealer
5d243ded181eefcd0d051a13f2ba7845223b576d6c8f93777552cf252e28bc90
ArkeiStealer
6f03dfd71abd06402371157eac912ffeae7871a6d93b8d2dad3242ae59644fcf
ArkeiStealer
ddd8aa44e44b27ae1604042ccd9564ab5bc44d72b680293856057995f154cbc9
ArkeiStealer
+ 9'428 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1707 evasion infostealer spyware stealer
Link:
https://tria.ge/reports/221026-1ml3qahca4/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Vidar
RedLine
RedLine payload
Malware Config
C2 Extraction:
185.215.113.83:60722
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
48ff591ab8fe005fa2cf623a2ae5a24360157811d9c4f467a5dae81bf12b5dec
MD5 hash:
d3e27daf2addff4305a1c614d30bacd7
SHA1 hash:
b416e92bb3cc0a23f3419f88e31e6088688081cd
Link:
https://www.unpac.me/results/77f61e16-3780-4568-a11a-3155ab6bf8a9/
SH256 hash:
a4a8506c8f2bc00ba1d6ef93780ee6de4072e988113474758a24b2bc88b8e708
MD5 hash:
3ec33396a0f7ef6b51ce517c9a9e8521
SHA1 hash:
5ceb0574c486274ad2b2da37831341a9afb654ba
Link:
https://www.unpac.me/results/77f61e16-3780-4568-a11a-3155ab6bf8a9/
Malware family:
RedLine.D
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a4a8506c8f2b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a4a8506c8f2bc00ba1d6ef93780ee6de4072e988113474758a24b2bc88b8e708

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/324571/

Comments