MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c51bd57966ec69de3ab44f909272ba471ba7aa29728e182689e715747a3f507. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer
Vendor detections: 10
Maldoc score: 9

SHA256 hash: 8c51bd57966ec69de3ab44f909272ba471ba7aa29728e182689e715747a3f507
SHA3-384 hash: b92e8dd69a070a48a0607e1e6624b9148e0abb2440acf9ed4071885137693334f5dd181288cb81754d76a9be16383373
SHA1 hash: dfa1458ad52d175f166f9b0c00d26c5926c19885
MD5 hash: 70a49a915b357be6a9379c38953e71ac
humanhash: mountain-glucose-south-single
File name: P-200 Signature Form.doc
Signature: ArkeiStealer
File size: 117'760 bytes
First seen: 2021-11-12 09:03:27 UTC
Last seen: 2021-11-12 10:07:29 UTC
File type: Word file doc
MIME type: application/msword
ssdeep: 1536:/B5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUlP+a94:ic6EehCfCZpUHKGXbBKsii
TLSH: T131B3CF46339BCD0BF44602386A97E74B3BB23D29CD3252173A413F0EBD761769869B52
Reporter: madjack_red
Tags: ArkeiStealer doc

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 9
OLE dump

MalwareBazaar was able to identify 12 sections in this file using oledump:

Section ID   Section size   Section name
1            114 bytes      CompObj
2            4096 bytes     DocumentSummaryInformation
3            4096 bytes     SummaryInformation
4            7504 bytes     1Table
5            85938 bytes    Data
6            420 bytes      Macros/PROJECT
7            65 bytes       Macros/PROJECTwm
8            984 bytes      Macros/VBA/Module1
9            2313 bytes     Macros/VBA/ThisDocument
10           2756 bytes     Macros/VBA/_VBA_PROJECT
11           562 bytes      Macros/VBA/dir
12           4096 bytes     WordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate the VBA script(s) from OLE objects embedded in this file using olevba, yielding the following information:

Type         Keyword          Description
AutoExec     Document_Open    Runs when the Word or Publisher document is opened
Suspicious   Open             May open a file
Suspicious   CreateTextFile   May create a text file
Suspicious   GetObject        May get an OLE object with a running instance
Suspicious   Hex Strings      Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads: 2
# of downloads: 135
Origin country: n/a

Vendor Threat Intelligence
Verdict: Malicious
File type: application/msword
Has a screenshot: False
Contains macros: True
Result
Verdict: Malicious
File Type: Legacy Word File with Macro
Payload URLs
URL
File name
PROJECT.MODULE1.ANIMALFOCUS
1Table
Document image
Document image
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cmd macros macros-on-open phishing powershell
Result
Verdict: MALICIOUS
Details
Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Document With Few Pages: Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Macro with File System Write: Detected macro logic that can write data to the file system.
Macro Execution Coercion: Detected a document that appears to social engineer the user into activating embedded logic.
Result
Threat name: AgentTesla Vidar
Detection: malicious
Classification: expl.evad.troj.spyw
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AgentTesla
Yara detected Obfuscated Powershell
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 520450
Sample: P-200 Signature Form.doc
Startdate: 12/11/2021
Architecture: WINDOWS
Score: 100

Start (node 2)
  DNS: cryptosgain.com; bit.do
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 10 other signatures
  Started: WINWORD.EXE (node 12)

WINWORD.EXE (node 12)
  Dropped: C:\Users\...\P-200 Signature Form.doc.LNK (MS); C:\Users\user\...\~DF66343F2E75A8AA26.TMP (Composite); C:\Users\Public\Documents\god.bat (ASCII)
  Signatures: Document exploit detected (creates forbidden files)
  Started: cmd.exe (node 16)

cmd.exe (node 16)
  Started: powershell.exe (node 18); conhost.exe (node 20)

powershell.exe (node 18)
  Started: bornexist.exe (node 22)

bornexist.exe (node 22)
  Dropped: C:\Users\user\AppData\Local\...\pccobxylp.dll (PE32)
  Signatures: Injects a PE file into a foreign processes
  Started: bornexist.exe (node 26)

bornexist.exe (node 26)
  DNS/IP: cryptosgain.com 68.65.122.37, 443, 49755, 49762 NAMECHEAP-NETUS United States; 185.242.104.143, 49789, 49790, 80 FISHNET-ASRU Latvia; bit.do 54.83.52.76, 49753, 49792, 80 AMAZON-AESUS United States
  Dropped: C:\ProgramData\testw.exe (PE32); C:\Users\user\AppData\...\sqlite3[1].dll (PE32); C:\...\Win_32Activator_kl_nt4_Itself[1].exe (PE32); C:\ProgramData\sqlite3.dll (PE32)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)
  Started: testw.exe (node 31); cmd.exe (node 35)

testw.exe (node 31)
  Dropped: C:\Users\user\AppData\Local\...\mklneziv.dll (PE32)
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes
  Started: testw.exe (node 37)

cmd.exe (node 35)
  Started: conhost.exe (node 39); timeout.exe (node 41)
Threat name: Document-Excel.Trojan.Woreflint
Status: Malicious
First seen: 2021-11-12 01:22:27 UTC
AV detection: 10 of 44 (22.73%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:arkei botnet:default macro macro_on_action stealer xlm
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Arkei Stealer Payload
Arkei
Process spawned unexpected child process
Malware Config
C2 Extraction: http://185.242.104.143/LBsx06U4hn.php
Dropper Extraction: http://bit.do/mar-signature_request
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: buerloader_halo_generated
Author: Halogen Generated Rule, Corsin Camichel
Rule name: zloader_halo_generated
Author: Halogen Generated Rule, Corsin Camichel

File information


The table below shows additional information about this malware sample such as delivery method and external references.