MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b8ffb495d71939d9dfb9b4f4b0bd9bd9d3fad675aa487e2b20129c33f877c50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 11



SHA256 hash: 7b8ffb495d71939d9dfb9b4f4b0bd9bd9d3fad675aa487e2b20129c33f877c50
SHA3-384 hash: dcaaa66c94bf01d4fd168413997ea0646bb31328b8835fbea8b5f630b83d41475ff0afc966e9ef50fdf889d262afdbf2
SHA1 hash: c6171e833d87a0c3780a3ef7432e914c81da3887
MD5 hash: cdab0a271501c0039121d368fba3d946
humanhash: indigo-music-whiskey-sodium
File name: cdab0a271501c0039121d368fba3d946.exe
Signature: ArkeiStealer
File size: 2'077'696 bytes
First seen: 2021-09-11 12:00:41 UTC
Last seen: 2021-09-11 13:15:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 49152:sBgWUB2AkegT2Ec6vSXLUWF68BuHvxYbdS:sWWoEZvSXLUEgpOw
Threatray: 4'525 similar samples on MalwareBazaar
TLSH: T102A5011173FC9729EAEE6734E0300A9517F6F84AA17EE78D184599AE1E97F418D003B3
dhash icon: f0f0e47171bad4e0 (2 x ArkeiStealer, 2 x RedLineStealer, 1 x AZORult)
Reporter: abuse_ch
Tags: ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
http://mazooyaar.ac.ug/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://mazooyaar.ac.ug/
ThreatFox Reference: https://threatfox.abuse.ch/ioc/220322/

Intelligence


File Origin
# of uploads: 2
# of downloads: 147
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: cdab0a271501c0039121d368fba3d946.exe
Verdict: Malicious activity
Analysis date: 2021-09-11 12:02:36 UTC
Tags: trojan stealer raccoon rat azorult vidar loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window

Result
Threat name: Azorult Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Behaviour
Behavior Graph (rendered graph; node text recovered below):
Behavior Graph ID: 481580; Sample: esROxxwm62.exe; Start date: 11/09/2021; Architecture: WINDOWS; Score: 100

Root (node 2)
  DNS/IP: youtube-ui.l.google.com; www.youtube.com; 2 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures
  Starts: esROxxwm62.exe (node 11)

esROxxwm62.exe (node 11)
  Dropped: C:\Users\user\AppData\...\esROxxwm62.exe (PE32); C:\Users\...\Hdhsfivjmtcqodpaconsoleapp6.exe (PE32); C:\Users\...\esROxxwm62.exe:Zone.Identifier (ASCII); 2 other malicious files
  Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
  Starts: esROxxwm62.exe (node 15); wscript.exe (node 20); powershell.exe (node 22)

esROxxwm62.exe (node 15)
  DNS/IP: mazoyer.ac.ug 185.215.113.77 (ports 49788, 49791, 80) WHOLESALECONNECTIONSNL Portugal; 5.181.156.77 (ports 49774, 80) MIVOCLOUDMD Moldova Republic of; telete.in 195.201.225.248 (ports 443, 49773) HETZNER-ASDE Germany
  Dropped: C:\Users\user\AppData\...\Ol4R5WRhSm.exe (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\...\ucrtbase.dll (PE32); 57 other files (none is malicious)
  Signatures: Tries to steal Mail credentials (via file access); Self deletion via cmd delete; Tries to harvest and steal browser information (history, passwords, etc)
  Starts: cmd.exe (node 24); Ol4R5WRhSm.exe (node 26)

wscript.exe (node 20)
  Starts: Hdhsfivjmtcqodpaconsoleapp6.exe (node 28)

powershell.exe (node 22)
  DNS/IP: youtube-ui.l.google.com; www.youtube.com; www.google.com
  Starts: conhost.exe (node 32)

cmd.exe (node 24)
  Starts: conhost.exe (node 34); timeout.exe (node 36)

Hdhsfivjmtcqodpaconsoleapp6.exe (node 28)
  Dropped: C:\Users\user\...\Mbhiluulewoconsoleapp6.exe (PE32)
  Signatures: Injects a PE file into a foreign processes
  Starts: wscript.exe (node 38); powershell.exe (node 40); Hdhsfivjmtcqodpaconsoleapp6.exe (node 43)

wscript.exe (node 38)
  Starts: Mbhiluulewoconsoleapp6.exe (node 45)

powershell.exe (node 40)
  DNS/IP: 192.168.2.1 unknown unknown; youtube-ui.l.google.com; 2 other IPs or domains
  Starts: conhost.exe (node 47)

Hdhsfivjmtcqodpaconsoleapp6.exe (node 43)
  DNS/IP: mazoyer.ac.ug

Mbhiluulewoconsoleapp6.exe (node 45)
  Starts: powershell.exe (node 49)

powershell.exe (node 49)
  DNS/IP: youtube-ui.l.google.com; www.youtube.com; www.google.com
Result
Malware family: raccoon
Score: 10/10
Tags: family:azorult family:oski family:raccoon discovery infostealer spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
mazooyaar.ac.ug
Unpacked files

SHA256 hash: 3ba311c7315dcaf54dcf06f7c03e09a2d3ea6bf5aa1d561fa96ecccb54e87b01
MD5 hash: e0de95a8a60db7f5b08c34580f2dcfaf
SHA1 hash: e40a82eb22c38cc12d013f95d359dda68b5149b7
Detections: win_azorult_g1 win_azorult_auto

SHA256 hash: 0fc3188a4581af021d4902b60b1b07c3fb0f78690b96f83e9d7c4edb5f3089bb
MD5 hash: 3dac47f89ce40ee2b6cb217953cba2a9
SHA1 hash: b7482ef6c60c8fe5f0d4a1f1a8b014e7394872dc

SHA256 hash: 782305a71befe4f6863c094850a0ffe01354078f42fc12f7d06c00f4e45cfcce
MD5 hash: a15ff6d27d56a66138f3e01616217719
SHA1 hash: 75ae22492a0fdaed471f0a0bdbf1085b91f7e5c2

SHA256 hash: 7087f8e7341f98de856918f40127fd3b34d6cc6022ec7d4fbfea8c3ce2ea2d37
MD5 hash: 642ba98d9365b3ced08f1e24d86d6f71
SHA1 hash: 438fc1eb0c8c24f9e0e4ebaeb85696ed4db9ea2b
Detections: win_azorult_g1

SHA256 hash: 03bd6b15db856ec16f033d9d4dbaf24a981155f6c504c85be0732d0b3e0dc687
MD5 hash: c39532e8a0d2e2e0e8dd8f92607ea26c
SHA1 hash: 96fcf8a6d441cb7bf21e766da7454138c412ad31

SHA256 hash: 749ff1c200515da767867186a25269259b1644a54bddce0611bb428b2f086ec8
MD5 hash: 67b07fec856773356cfb6a4c2cf5ca51
SHA1 hash: 3356bbf316c32798d5a96284b5cebee80e36ade5

SHA256 hash: c83a25c0161ddcd918eb5a1a63597713c29ed846c367e5f66644f70710afee80
MD5 hash: 1f8ff26d08702106b8ed9654a9c54278
SHA1 hash: 05203528830886f42688e478358a1c2af80f3d6a
Detections: win_raccoon_auto

SHA256 hash: 34146649dd05b1a2f7788da2fc899c2ca868db29b8a2c67924017b325fadff8b
MD5 hash: 92eb5e70db791a862b4bd061e9f2e18e
SHA1 hash: 847c6b778e8cc85a35e361ebf9b6bf4885234378
Detections: win_oski_g0 win_oski_auto

SHA256 hash: 83c8dcf5c5c94c9dabc5809582d0b5ddcc281e92fef805b3d67893c03f07fcb4
MD5 hash: 287ee2edf99060a8a85b9b74c5ebe341
SHA1 hash: 8e91e9285603dc893271b4667496aae08af8f74a

SHA256 hash: 702efb382c2bb10b2fe50ad10fe364d983d058f4f5757e933257ec9f245b701e
MD5 hash: 748da87da5ac51a63afe7a497323fea6
SHA1 hash: 4686ef86d6bffadc93866cf44e5fe96b96437c4c

SHA256 hash: 7b8ffb495d71939d9dfb9b4f4b0bd9bd9d3fad675aa487e2b20129c33f877c50
MD5 hash: cdab0a271501c0039121d368fba3d946
SHA1 hash: c6171e833d87a0c3780a3ef7432e914c81da3887
Detections: win_karkoff_auto

Malware family: Raccoon v1.7.2
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: pe_imphash

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_karkoff_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ArkeiStealer
File: Executable exe 7b8ffb495d71939d9dfb9b4f4b0bd9bd9d3fad675aa487e2b20129c33f877c50 (this sample)

Comments