MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a86f94f68d4c8783df4ef089dc725dc6bb7f5069926a8041120f01401a20ca73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a86f94f68d4c8783df4ef089dc725dc6bb7f5069926a8041120f01401a20ca73
SHA3-384 hash: d78df191146afabe942bd57aa6654628f14276aa2999a1ee6fe18888b465fd14c3ef85eaa16275d3f9bf4aa411bb7581
SHA1 hash: ad35af983cf9a3cea2b28911b661b01d3a9b7b4b
MD5 hash: 8d15c4637a6a98644ed11a222db283eb
humanhash: hydrogen-texas-shade-three
File name:A86F94F68D4C8783DF4EF089DC725DC6BB7F5069926A8.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'216'928 bytes
First seen:2022-10-25 00:20:57 UTC
Last seen:2022-10-25 01:20:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b19a059d8269ea8d79811bc3a86adbb1 (2 x ArkeiStealer, 1 x RedLineStealer, 1 x DCRat)
ssdeep 12288:YpaE/zF4gKFtIWoO2acBqETluzt4kBAp3mvTFH/qZSRH/zyTkfRHqVjbbfKhCT:2/4fTIWriTLmv0ZMuTkfUT
Threatray 1'928 similar samples on MalwareBazaar
TLSH T1F3457E31A976281EC7CD0B78FF9C6252A1AF07D06E4056A7B1BC137958D28DC87FB294
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://78.47.204.168/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://78.47.204.168/ https://threatfox.abuse.ch/ioc/891320/

Intelligence

File Origin
# of uploads :
2
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
A86F94F68D4C8783DF4EF089DC725DC6BB7F5069926A8.exe
Verdict:
Malicious activity
Analysis date:
2022-10-25 00:22:26 UTC
Tags:
trojan rat redline loader stealer vidar
Link:
https://app.any.run/tasks/ec93703e-740e-459a-9825-46c131ba919f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/323705/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.45531.16229.30427.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Running batch commands
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45197/overview
Behaviour
MalwareBazaar
MeasuringTime
CallSleep
CheckCmdLine
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be585bdd-17cb-4b15-a343-473623b5dc66
Result
Threat name:
RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1097122
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 729763 Sample: A86F94F68D4C8783DF4EF089DC7... Startdate: 25/10/2022 Architecture: WINDOWS Score: 100 121 Snort IDS alert for network traffic 2->121 123 Multi AV Scanner detection for domain / URL 2->123 125 Malicious sample detected (through community Yara rule) 2->125 127 14 other signatures 2->127 10 A86F94F68D4C8783DF4EF089DC725DC6BB7F5069926A8.exe 1 2->10         started        13 svcupdater.exe 14 2 2->13         started        16 chrome.exe 2->16         started        18 chrome.exe 2->18         started        process3 dnsIp4 155 Contains functionality to inject code into remote processes 10->155 157 Writes to foreign memory regions 10->157 159 Allocates memory in foreign processes 10->159 161 Injects a PE file into a foreign processes 10->161 20 AppLaunch.exe 15 11 10->20         started        25 conhost.exe 10->25         started        117 clipper.guru 45.159.189.115, 49714, 49822, 80 HOSTING-SOLUTIONSUS Netherlands 13->117 119 192.168.2.1 unknown unknown 13->119 163 Multi AV Scanner detection for dropped file 13->163 165 Machine Learning detection for dropped file 13->165 signatures5 process6 dnsIp7 103 185.215.113.83, 49710, 60722 WHOLESALECONNECTIONSNL Portugal 20->103 105 dl.uploadgram.me 176.9.247.226, 443, 49715 HETZNER-ASDE Germany 20->105 107 2 other IPs or domains 20->107 83 C:\Users\user\AppData\Local\Temp\start.exe, PE32+ 20->83 dropped 85 C:\Users\user\AppData\Local\...\test.exe, PE32 20->85 dropped 87 C:\Users\user\AppData\Local\...\ofg.exe, PE32 20->87 dropped 89 2 other malicious files 20->89 dropped 129 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->129 131 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->131 133 Tries to harvest and steal browser information (history, passwords, etc) 20->133 135 Tries to steal Crypto Currency Wallets 20->135 27 chrome.exe 20->27         started        31 test.exe 1 20->31         started        33 brave.exe 20->33         started        35 2 other processes 20->35 file8 signatures9 process10 dnsIp11 93 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 27->93 dropped 167 Multi AV Scanner detection for dropped file 27->167 169 Detected unpacking (changes PE section rights) 27->169 171 Machine Learning detection for dropped file 27->171 191 2 other signatures 27->191 38 GoogleUpdate.exe 27->38         started        55 3 other processes 27->55 173 Writes to foreign memory regions 31->173 175 Allocates memory in foreign processes 31->175 177 Injects a PE file into a foreign processes 31->177 42 vbc.exe 31->42         started        57 2 other processes 31->57 95 C:\Users\user\AppData\Local\Temp\D578.tmp, PE32+ 33->95 dropped 97 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 33->97 dropped 179 Modifies the context of a thread in another process (thread injection) 33->179 181 Found hidden mapped module (file has been removed from disk) 33->181 183 Adds a directory exclusion to Windows Defender 33->183 185 Maps a DLL or memory area into another process 33->185 45 cmd.exe 33->45         started        47 cmd.exe 33->47         started        49 powershell.exe 33->49         started        51 powershell.exe 33->51         started        101 goback.delivery 104.21.84.12 CLOUDFLARENETUS United States 35->101 99 C:\Users\user\AppData\...\svcupdater.exe, PE32 35->99 dropped 187 Antivirus detection for dropped file 35->187 189 Tries to harvest and steal browser information (history, passwords, etc) 35->189 53 cmd.exe 1 35->53         started        file12 signatures13 process14 dnsIp15 109 141.95.93.175, 443, 49718, 49719 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 38->109 111 api.peer2profit.com 172.66.40.196, 443, 49716, 49717 CLOUDFLARENETUS United States 38->111 137 Uses netsh to modify the Windows network and firewall settings 38->137 139 Modifies the windows firewall 38->139 59 netsh.exe 38->59         started        61 netsh.exe 38->61         started        63 netsh.exe 38->63         started        113 t.me 149.154.167.99, 443, 49762 TELEGRAMRU United Kingdom 42->113 115 78.47.204.168, 49777, 80 HETZNER-ASDE Germany 42->115 91 C:\ProgramData\sqlite3.dll, PE32 42->91 dropped 141 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 42->141 143 Tries to harvest and steal browser information (history, passwords, etc) 42->143 145 DLL side loading technique detected 42->145 147 Tries to steal Crypto Currency Wallets 42->147 69 5 other processes 45->69 71 7 other processes 47->71 65 conhost.exe 49->65         started        67 conhost.exe 51->67         started        149 Uses schtasks.exe or at.exe to add and modify task schedules 53->149 151 Uses powercfg.exe to modify the power settings 53->151 153 Modifies power options to not sleep / hibernate 53->153 73 2 other processes 53->73 75 3 other processes 55->75 file16 signatures17 process18 process19 77 conhost.exe 59->77         started        79 conhost.exe 61->79         started        81 conhost.exe 63->81         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a86f94f68d4c8783df4ef089dc725dc6bb7f5069926a8041120f01401a20ca73/
Threat name:
Win32.Trojan.Fugrafa
Create hunting rule
Status:
Malicious
First seen:
2022-09-09 00:28:13 UTC
File Type:
PE (Exe)
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vbxzj5unjsdyhx2o6ce5y4s5y25x6udjsjviaqisb4auagrazjzq._file
Verdict:
malicious
Similar samples:
0b1f6297e8bfa8fc9ff8a7ad85487ff456c0d66ef2d908588cd27345fba5f4e6
ArkeiStealer
3c755dda9245f3bf25d22e5564c6224239ab3d698a5cc8faadaa4db4709b5656
ArkeiStealer
5d48f8503446780ca198fb5a5c7ccebc7a8ca729f9a0cad78a2fc5f381500d13
ArkeiStealer
6a057c152abb59ec3c2327352401f03fe611e1b52d5507b144e39fc4b393b804
ArkeiStealer
ee08608492383853c0cf59e355f9721f413d83f18d3e4a2c344f5b90407caf4a
ArkeiStealer
f6d7c5513d746eac1534713e99099c09fef34b16c9060f03e4345116c4e6c9bb
ArkeiStealer
fd4f3959acec139b27223a7d47ce8c5c00ff02e60d34ea3c7a8d8d466c831f74
ArkeiStealer
+ 1'918 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1707 evasion infostealer persistence spyware stealer upx
Link:
https://tria.ge/reports/221025-anb12abagr/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Stops running service(s)
UPX packed file
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
185.215.113.83:60722
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
a169f2556910c0df30d26f73c260cf5b8e94fd09b2a2e83ff5aaefa1dbd0020a
MD5 hash:
2dccdc58029e0a081206ff799a969699
SHA1 hash:
ba67d39f317d8cae6aa2b3d631ec2d56a7f54483
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/d3382362-8982-4f8b-98f1-eeff8613d7be/
SH256 hash:
a86f94f68d4c8783df4ef089dc725dc6bb7f5069926a8041120f01401a20ca73
MD5 hash:
8d15c4637a6a98644ed11a222db283eb
SHA1 hash:
ad35af983cf9a3cea2b28911b661b01d3a9b7b4b
Link:
https://www.unpac.me/results/d3382362-8982-4f8b-98f1-eeff8613d7be/
Malware family:
RedLine.D
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a86f94f68d4c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a86f94f68d4c8783df4ef089dc725dc6bb7f5069926a8041120f01401a20ca73

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/323705/

Comments