MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6c10b5c83bab9793c417a9cbe94da6836becb1aac4a8ca7cbd1ef3ca89f9349. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6c10b5c83bab9793c417a9cbe94da6836becb1aac4a8ca7cbd1ef3ca89f9349
SHA3-384 hash: 9fefd890b58821c2e6d16b8576199ce7f936a0f11ffeda302ac53a55b1f3f9738b58fe7560850b393cb68357f9b9103f
SHA1 hash: c79e4a73712af3ce63e7a265816ab6255819205b
MD5 hash: 807fba0fb2100457462f5d35fd5feab7
humanhash: michigan-alaska-mountain-ceiling
File name:E6C10B5C83BAB9793C417A9CBE94DA6836BECB1AAC4A8.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:462'920 bytes
First seen:2022-10-24 22:05:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4840e6d262602608a662d4d4b7925a34 (2 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 12288:BFA5Moi7K/wkMNDVBC8tDrXP3NW2M0bA+09:Be5Ni78MPBZHXPHlMr9
Threatray 2'150 similar samples on MalwareBazaar
TLSH T1E6A49E0275B2C0B2C5578A719E7EC74A643AF5101F2249EBABC44DB92EB03C16972F77
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://78.47.204.168/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://78.47.204.168/ https://threatfox.abuse.ch/ioc/891320/

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
E6C10B5C83BAB9793C417A9CBE94DA6836BECB1AAC4A8.exe
Verdict:
Malicious activity
Analysis date:
2022-10-24 22:08:23 UTC
Tags:
trojan rat redline loader stealer vidar
Link:
https://app.any.run/tasks/256003e8-138c-4d16-ba7b-0193b1880a14

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323671/
Detection(s):
Win.Malware.Generickdz-9967822-0
Create hunting rule

Win.Malware.Exploitx-9967939-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45165/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cb76ffbc-e523-4ff6-a92a-ce13ee4c10a4
Result
Threat name:
RedLine, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1097066
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 729707 Sample: E6C10B5C83BAB9793C417A9CBE9... Startdate: 25/10/2022 Architecture: WINDOWS Score: 100 105 t.me 2->105 107 raw.githubusercontent.com 2->107 109 2 other IPs or domains 2->109 131 Snort IDS alert for network traffic 2->131 133 Malicious sample detected (through community Yara rule) 2->133 135 Antivirus detection for dropped file 2->135 137 11 other signatures 2->137 11 E6C10B5C83BAB9793C417A9CBE94DA6836BECB1AAC4A8.exe 1 2->11         started        14 svcupdater.exe 2->14         started        16 chrome.exe 2->16         started        18 chrome.exe 2->18         started        signatures3 process4 signatures5 155 Contains functionality to inject code into remote processes 11->155 157 Writes to foreign memory regions 11->157 159 Allocates memory in foreign processes 11->159 161 Injects a PE file into a foreign processes 11->161 20 AppLaunch.exe 15 11 11->20         started        25 WerFault.exe 23 9 11->25         started        27 conhost.exe 11->27         started        29 WerFault.exe 11->29         started        163 Multi AV Scanner detection for dropped file 14->163 165 Machine Learning detection for dropped file 14->165 process6 dnsIp7 111 79.137.192.7, 39946, 49706 PSKSET-ASRU Russian Federation 20->111 113 adigitalshop.com 151.106.122.215, 443, 49708 PLUSSERVER-ASN1DE Germany 20->113 115 4 other IPs or domains 20->115 85 C:\Users\user\AppData\Local\...\Launcher.exe, PE32 20->85 dropped 87 C:\Users\user\AppData\Local\...\test.exe, PE32 20->87 dropped 89 C:\Users\user\AppData\Local\...\ofg.exe, PE32 20->89 dropped 91 2 other malicious files 20->91 dropped 139 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->139 141 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->141 143 Tries to harvest and steal browser information (history, passwords, etc) 20->143 145 Tries to steal Crypto Currency Wallets 20->145 31 chrome.exe 20->31         started        35 brave.exe 20->35         started        37 Launcher.exe 20->37         started        39 2 other processes 20->39 file8 signatures9 process10 file11 93 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 31->93 dropped 119 Multi AV Scanner detection for dropped file 31->119 121 Machine Learning detection for dropped file 31->121 123 Drops executables to the windows directory (C:\Windows) and starts them 31->123 125 Injects a PE file into a foreign processes 31->125 41 GoogleUpdate.exe 31->41         started        45 powershell.exe 31->45         started        47 schtasks.exe 31->47         started        49 schtasks.exe 31->49         started        95 C:\Users\user\AppData\Local\Temp\8325.tmp, PE32+ 35->95 dropped 97 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 35->97 dropped 127 Adds a directory exclusion to Windows Defender 35->127 51 powershell.exe 35->51         started        53 cmd.exe 35->53         started        57 2 other processes 35->57 99 C:\ProgramData\Dllhost\dllhost.exe, PE32 37->99 dropped 101 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 37->101 dropped 129 Antivirus detection for dropped file 37->129 103 C:\Users\user\AppData\...\svcupdater.exe, PE32 39->103 dropped 55 cmd.exe 39->55         started        59 2 other processes 39->59 signatures12 process13 dnsIp14 117 api.peer2profit.com 172.66.43.60, 443, 49713, 49715 CLOUDFLARENETUS United States 41->117 147 Uses netsh to modify the Windows network and firewall settings 41->147 149 Modifies the windows firewall 41->149 61 netsh.exe 41->61         started        73 2 other processes 41->73 63 conhost.exe 45->63         started        65 conhost.exe 47->65         started        67 conhost.exe 49->67         started        151 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 51->151 69 conhost.exe 51->69         started        71 conhost.exe 53->71         started        153 Uses schtasks.exe or at.exe to add and modify task schedules 55->153 75 2 other processes 55->75 77 2 other processes 57->77 signatures15 process16 process17 79 conhost.exe 61->79         started        81 conhost.exe 73->81         started        83 conhost.exe 73->83         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6c10b5c83bab9793c417a9cbe94da6836becb1aac4a8ca7cbd1ef3ca89f9349/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-21 00:41:16 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=43aqwxedxk4xspcbpkol5fg2na3l5sy2vrfizj6l2hxtzke7sneq._file
Verdict:
malicious
Similar samples:
1adc68849d784b9530292b7187f492aa1d798d89a099a9eb8105fdfc9edaf2a0
ArkeiStealer
24b8e1a6d1fc20f4ab5a58edb6a0467bab030932219a28849a437a6d3d7d3a49
ArkeiStealer
2e8a28941c9837d1709600bf43c418d42ce78510e4a2b85f1f57819b1f419967
ArkeiStealer
4c0003c3a45e94129cd5b6771200feebc7c4f53f0d5b110276d8dc7ae29c9e8c
ArkeiStealer
5d48f8503446780ca198fb5a5c7ccebc7a8ca729f9a0cad78a2fc5f381500d13
ArkeiStealer
6a057c152abb59ec3c2327352401f03fe611e1b52d5507b144e39fc4b393b804
ArkeiStealer
fd4f3959acec139b27223a7d47ce8c5c00ff02e60d34ea3c7a8d8d466c831f74
ArkeiStealer
+ 2'140 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1707 evasion infostealer persistence spyware stealer upx
Link:
https://tria.ge/reports/221024-1z3k8sagg7/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Stops running service(s)
UPX packed file
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
79.137.192.7:39946
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
50466857ea5101023c52758d4546fefc5724fd3922f5544a134a55bfc4556058
MD5 hash:
01b65cd447caf0fdd37be674cb0d9bbc
SHA1 hash:
36752ec8bfdab5a2c87d45d7b9b50816ead8271b
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/147c1a1c-00f2-47b4-894f-c6dcc596c50f/
SH256 hash:
e6c10b5c83bab9793c417a9cbe94da6836becb1aac4a8ca7cbd1ef3ca89f9349
MD5 hash:
807fba0fb2100457462f5d35fd5feab7
SHA1 hash:
c79e4a73712af3ce63e7a265816ab6255819205b
Link:
https://www.unpac.me/results/147c1a1c-00f2-47b4-894f-c6dcc596c50f/
Malware family:
RedLine.D
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e6c10b5c83ba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6c10b5c83bab9793c417a9cbe94da6836becb1aac4a8ca7cbd1ef3ca89f9349

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/323671/

Comments