MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ab9cd8d5f1da2d03ab76db5be55dbbcb575ec0d8785db3677366fab2eafd48e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 15


Intelligence 15 IOCs 3 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ab9cd8d5f1da2d03ab76db5be55dbbcb575ec0d8785db3677366fab2eafd48e
SHA3-384 hash: 2c05d26d8086aeef77d4654c6285eec7fbc7d1549e733027fae66cc9ad1eba3fee110d39081bda78ebcf4e97f2115efa
SHA1 hash: 9d4874a26c587c3501324702ac609325c1b7087c
MD5 hash: 0f584671295bd312cf31fa8e938fd8b9
humanhash: seventeen-tango-solar-hot
File name:0AB9CD8D5F1DA2D03AB76DB5BE55DBBCB575EC0D8785D.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'187'840 bytes
First seen:2021-12-10 17:31:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ca357d1c9b605d95e9d31e67e1c53033 (6 x AZORult, 2 x RaccoonStealer, 1 x NetWire)
ssdeep 24576:4As0+vRQPeCXD7luaw2F0dkTW2ipbteq12WGzCeq:4As1y7lJp5ipbteq128r
Threatray 8'150 similar samples on MalwareBazaar
TLSH T1BD45120269258563F10109B14BA695F40B3AFD32D441DE0FB745BE1D3EB2A8B6DE1B3B
File icon (PE):PE icon
dhash icon 82cce4d2c0ccce82 (1 x ArkeiStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://pretorian.ac.ug/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://prepepe.ac.ug/ https://threatfox.abuse.ch/ioc/273519/
http://pretorian.ac.ug/index.php https://threatfox.abuse.ch/ioc/273798/
http://185.225.19.55/ https://threatfox.abuse.ch/ioc/273799/

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0AB9CD8D5F1DA2D03AB76DB5BE55DBBCB575EC0D8785D.exe
Verdict:
No threats detected
Analysis date:
2021-12-10 17:34:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4c1f917e-3d11-4761-b8e7-0401687c1fb7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/213241/
Detection(s):
Win.Trojan.Barys-9890423-0
Create hunting rule

Win.Trojan.Generic-9907541-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/1592/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys greyware obfuscated packed razy remcos
Link:
https://www.filescan.io/uploads/61b38f16fa72c81b5b16ebf7/reports/bfb5d5e9-ad07-4cad-8aba-e76d4623dfe2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5545545-d4d9-4a25-b51a-673723b68ac3
Result
Threat name:
Azorult Raccoon Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/905500
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to resolve many domain names, but no domain seems valid
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 537978 Sample: 0AB9CD8D5F1DA2D03AB76DB5BE5... Startdate: 10/12/2021 Architecture: WINDOWS Score: 100 83 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->83 85 Found malware configuration 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 14 other signatures 2->89 10 0AB9CD8D5F1DA2D03AB76DB5BE55DBBCB575EC0D8785D.exe 15 2->10         started        process3 file4 63 C:\Users\user\AppData\Local\...\cxvrame.exe, PE32 10->63 dropped 101 Detected unpacking (changes PE section rights) 10->101 103 Maps a DLL or memory area into another process 10->103 14 cxvrame.exe 4 10->14         started        17 0AB9CD8D5F1DA2D03AB76DB5BE55DBBCB575EC0D8785D.exe 6 10->17         started        signatures5 process6 signatures7 113 Antivirus detection for dropped file 14->113 115 Multi AV Scanner detection for dropped file 14->115 117 Performs DNS queries to domains with low reputation 14->117 123 2 other signatures 14->123 19 cxvrame.exe 23 14->19         started        119 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->119 121 Overwrites code with function prologues 17->121 process8 dnsIp9 69 partiad.xyz 19->69 72 muylove.ac.ug 19->72 74 21 other IPs or domains 19->74 43 C:\Users\user\AppData\Local\...\Dropakxa.exe, PE32 19->43 dropped 45 C:\Users\user\AppData\Local\...\DropaGkxa.exe, PE32 19->45 dropped 47 C:\Users\user\AppData\Local\...\ghjk[2].exe, PE32 19->47 dropped 49 C:\Users\user\AppData\Local\...\ghjk[1].exe, PE32 19->49 dropped 23 Dropakxa.exe 7 19->23         started        27 DropaGkxa.exe 4 19->27         started        file10 91 Tries to resolve many domain names, but no domain seems valid 72->91 signatures11 process12 file13 59 C:\Users\user\AppData\...\FFDvbcrdfqs.exe, PE32 23->59 dropped 61 C:\Users\user\AppData\Local\...\Dcvxaamev.exe, PE32 23->61 dropped 93 Antivirus detection for dropped file 23->93 95 Multi AV Scanner detection for dropped file 23->95 97 Machine Learning detection for dropped file 23->97 99 Maps a DLL or memory area into another process 23->99 29 Dcvxaamev.exe 4 23->29         started        32 FFDvbcrdfqs.exe 4 23->32         started        34 Dropakxa.exe 23->34         started        signatures14 process15 dnsIp16 105 Antivirus detection for dropped file 29->105 107 Multi AV Scanner detection for dropped file 29->107 109 Machine Learning detection for dropped file 29->109 37 Dcvxaamev.exe 14 29->37         started        111 Maps a DLL or memory area into another process 32->111 41 FFDvbcrdfqs.exe 12 32->41         started        65 185.225.19.55, 49701, 80 MIVOCLOUDMD Romania 34->65 67 194.180.174.53, 49699, 80 MIVOCLOUDMD unknown 34->67 signatures17 process18 dnsIp19 76 prepepe.ac.ug 37->76 51 C:\ProgramData\sqlite3.dll, PE32 37->51 dropped 53 C:\ProgramData\softokn3.dll, PE32 37->53 dropped 55 C:\ProgramData\mozglue.dll, PE32 37->55 dropped 57 C:\ProgramData\freebl3.dll, PE32 37->57 dropped 78 pretorian.ac.ug 41->78 81 192.168.2.1 unknown unknown 41->81 file20 125 Tries to resolve many domain names, but no domain seems valid 78->125 signatures21
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0ab9cd8d5f1da2d03ab76db5be55dbbcb575ec0d8785db3677366fab2eafd48e/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-11-23 07:38:41 UTC
File Type:
PE (Exe)
Extracted files:
55
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bk443dk7dwrnaovxnw234vo3xs2xl3anq6c5wntxgzx2wlvp2sha._file
Verdict:
malicious
Similar samples:
37e292496f057cbbba45f28b7510c8e4b555dcb2ad4308e1df9f251c9980830d
ArkeiStealer
42caa5a2e19134770914b3b33dffaceaae03a44fc52babd8abc250d7d7696945
ArkeiStealer
84a40405e621a10c9259ff45e052fab0789a6ff956eb95985a12d715d64e5b72
ArkeiStealer
9d4a0a8ffa11fc953750c07bd6997bcd23871fe277f65b4113e197b779aa24f0
ArkeiStealer
ccd5ab291113bf69fcbccee8ab889c9cf5a0d0240feed43b73785497ace3c467
ArkeiStealer
d8eb6d3fe02a890173827c242182acd22aa699e4bbd918fd22b95c00aa3a6445
ArkeiStealer
fa40dc2c8055f953099d7d354ba97fbf3a5f3aa501ce95cb8cefa810b80ea5d4
ArkeiStealer
+ 8'140 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski family:raccoon botnet:5781468cedb3a203003fdf1f12e72fe98d6f1c0f discovery infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/211210-v4ahcsagar/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M17
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
prepepe.ac.ug
Unpacked files
SH256 hash:
a7e409631b6ea686af282eea3412bf07ef13303bdc9235aae8525b45945388b7
MD5 hash:
c81689483f642ec0f5606403613294e4
SHA1 hash:
7626d76070716bab61f4541e4033629c60f152be
Link:
https://www.unpac.me/results/9279efba-f3ba-46f6-ba43-402955a3b1fb/
SH256 hash:
6da1fd088779593791503fb1442d661f684e64745b6048ef4d9ec04f39e6a71c
MD5 hash:
099bc7b20bfc81836ff6eac2b548761f
SHA1 hash:
06b1e401764e544af0ad3f345d546ed45cc24a07
Link:
https://www.unpac.me/results/9279efba-f3ba-46f6-ba43-402955a3b1fb/
SH256 hash:
0ab9cd8d5f1da2d03ab76db5be55dbbcb575ec0d8785db3677366fab2eafd48e
MD5 hash:
0f584671295bd312cf31fa8e938fd8b9
SHA1 hash:
9d4874a26c587c3501324702ac609325c1b7087c
Link:
https://www.unpac.me/results/9279efba-f3ba-46f6-ba43-402955a3b1fb/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0ab9cd8d5f1d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ab9cd8d5f1da2d03ab76db5be55dbbcb575ec0d8785db3677366fab2eafd48e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_Meteorite
Create hunting rule
Author:ditekSHen
Description:Detects Meteorite downloader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/213241/

Comments