MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 13

SHA256 hash: 394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a
SHA3-384 hash: 1ee821e3d3368314f49d9a90c896d8f98589abe2a5d10424417cfbd50d1d695309bb7e7bfbe8241a96549f05a2ad4bf6
SHA1 hash: 87e8826484135a91d14a610176f7ed6347ebdc5d
MD5 hash: 1c14f817504c54653c779387de0a058a
humanhash: beer-alanine-delaware-juliet
File name: 1c14f817504c54653c779387de0a058a.exe
Signature: ArkeiStealer
File size: 3'778'560 bytes
First seen: 2021-10-03 08:20:50 UTC
Last seen: 2021-10-03 08:48:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'645 x Formbook, 12'245 x SnakeKeylogger)
ssdeep: 49152:zMqcEXeQ0LZzl0LAiu0vA5ylRmqx0uBEGFFeVJHHhQo:A
Threatray: 4'385 similar samples on MalwareBazaar
TLSH: T1A80612BB8632EFB4AE683ABE945736402D512A9F80CCC779B18D51F739D3A0549D807C
dhash icon: f0f0e47171bad4e0 (2 x ArkeiStealer, 2 x RedLineStealer, 1 x AZORult)
Reporter: abuse_ch
Tags: ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
http://194.180.174.82/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://194.180.174.82/
ThreatFox reference: https://threatfox.abuse.ch/ioc/229691/

Intelligence


File Origin
# of uploads: 2
# of downloads: 163
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 1c14f817504c54653c779387de0a058a.exe
Verdict: Malicious activity
Analysis date: 2021-10-03 08:21:32 UTC
Tags: trojan stealer vidar loader rat azorult

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm fingerprint obfuscated obfuscated packed stealer
Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: Azorult DBatLoader IPack Miner Raccoon
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Costura Assembly Loader
Yara detected DBatLoader
Yara detected IPack Miner
Yara detected Raccoon Stealer
Behaviour
Behavior Graph (ID 495812; sample uD2awAEJIj.exe; start date 03/10/2021; architecture WINDOWS; score 100):
Top-level network: youtube.com; prda.aadg.msidentity.com; 4 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 12 other signatures
uD2awAEJIj.exe (initial process)
  dropped: C:\Users\user\AppData\...\uD2awAEJIj.exe (PE32); C:\Users\...\uD2awAEJIj.exe:Zone.Identifier (ASCII); C:\Users\...\Sinshwgbbjkobohqpsxmxghl.vbs (ASCII); 2 other files (1 malicious)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  started: uD2awAEJIj.exe (child); wscript.exe; powershell.exe; 2 other processes
uD2awAEJIj.exe (child)
  network: 194.180.174.82, ports 49752, 80 (MIVOCLOUDMD, unknown); maurizio.ac.ug 185.215.113.77, ports 49755, 49762, 49789 (WHOLESALECONNECTIONSNL, Portugal); t.me 149.154.167.99, ports 443, 49751 (TELEGRAMRU, United Kingdom)
  dropped: C:\Users\user\AppData\...\kL3LMbANPO.exe (PE32+); C:\Users\user\AppData\...\L02q4GbUgn.exe (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); 58 other files (none is malicious)
  signatures: Tries to steal Mail credentials (via file access); Self deletion via cmd delete; Tries to harvest and steal browser information (history, passwords, etc)
  started: L02q4GbUgn.exe
wscript.exe
  started: Syrtlbqrhgojcisaconsoleapp18.exe
powershell.exe
  network: youtube.com 142.250.203.110 (GOOGLEUS, United States)
  started: conhost.exe
2 other processes
  network: 192.168.2.1 (unknown)
  started: conhost.exe
Syrtlbqrhgojcisaconsoleapp18.exe
  dropped: C:\Users\user\...\Qtscbzjoconsoleapp5.exe (PE32)
  started: powershell.exe; powershell.exe; conhost.exe; 2 other processes
powershell.exe (both instances started by Syrtlbqrhgojcisaconsoleapp18.exe)
  network: youtube.com
  started: conhost.exe (one each)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-10-03 08:21:10 UTC
AV detection: 10 of 45 (22.22%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:azorult family:oski family:raccoon botnet:e16d9c3413a8d3bc552d87560e5a14148908608d discovery infostealer persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
maurizio.ug
Unpacked files
SHA256 hash: 7d50dfa00f81ddc8255102e53f0fca6609329f77f2b6f29220b040034ace4f9d
MD5 hash: 54f519300eee4a97b406d4b26b9fb04e
SHA1 hash: ed00b1f8d2ab0208391b1416d313d6db554981c6

SHA256 hash: 743df3825b06f48259f2e86f665a5b9c943364944f7e339d6bc9627ea4ee6d3d
MD5 hash: 283c2750aacf528e2d0c1bbe1606acd8
SHA1 hash: c46e49d45c2132eb9a345f3f5a94a85991198aca

SHA256 hash: 3dcd5f1473ad75d2da7a6be98c4ca47332e60f9839bc241599e091165a6c675c
MD5 hash: 5d8dad91c75734256c2d09f41176b900
SHA1 hash: a90566d5fdde97af7fd5a2d311f9ac3d302a18a6

SHA256 hash: 0f6fe124ae1394581e89369206734305b8db162b80cc1d79127d5f85dbae90f1
MD5 hash: a64be19dda99ba9a5fd81badc068f89a
SHA1 hash: 13a8ca43ddbd34ffcca51fb8063f7cf9be1235bd
Detections: win_azorult_g1 win_azorult_auto

SHA256 hash: 0b00a9228e205910e00c68c9ac9cfe88e47f3bd7a4b8e301753e2afc01199848
MD5 hash: 810505e159fb35515d5560da7260605a
SHA1 hash: f1687a08d67cd32046d5858c0ca1687a03d81e98
Detections: win_raccoon_auto

SHA256 hash: 1c9a82983eb4f67d2640818b42f98e0730c82123158405fa4c5cd23a4feed3dd
MD5 hash: 95086d2f848857fbfa791ecce97964c8
SHA1 hash: 642e34dfd5c5a7aac6ff19e628c1d692dd68e76d

SHA256 hash: f256255cacf6550dff3cfaf33c11fb79d898a0513502d5a40350871844b68275
MD5 hash: 19aaa891852f646752dfe1de820574d1
SHA1 hash: 4b55cbfbbb0d44c16b8bd5ceebfa4e274fb5858b

SHA256 hash: d2e9a8fbee49d4a958b6a0799e5dc4789b3ab21420109d40c954f973424513dc
MD5 hash: 52624fce8b44e594c9eca7574328a97a
SHA1 hash: ed99ee114ffb9009135d37dffb67c75ad60c7242

SHA256 hash: be404d7b9b2f2f53356aa972c76631f0ac86126fd5bfd111c4249d696ffd0aff
MD5 hash: d3792f20227bd036ab1770108c9cff76
SHA1 hash: 3b69bde8d27852846f3c95e37a072430095934d9
Detections: win_oski_g0 win_oski_auto

SHA256 hash: c26b5a14d8575cee3d6fe628356a2f451ded36fa6eacabe7fe99eb000f7f58bd
MD5 hash: 62c9abfc81b88a48593ac2eef302f134
SHA1 hash: 0a85dec0ca1b0a848557a92c09c86a8d6c6365ad

SHA256 hash: 394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a
MD5 hash: 1c14f817504c54653c779387de0a058a
SHA1 hash: 87e8826484135a91d14a610176f7ed6347ebdc5d

Malware family: Mal/HTMLGen-A
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Sample: ArkeiStealer, Executable exe, 394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a (this sample)

Comments