MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d40ac7ff823a82053b413326beba33bf94380a79c49165545fed3e92089b6eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ARCrypter


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d40ac7ff823a82053b413326beba33bf94380a79c49165545fed3e92089b6eb
SHA3-384 hash: e687fab6239693f64fef43b0cf0fdeaebfcd4d7f88a6ad2ffe3828cdd25850b76f9b4e3f8dbaca929c1d29d55e185592
SHA1 hash: 5c7676e5f1a4841e2a539b7dacfdc847c1e59ad7
MD5 hash: 6b402772ac82df77da8ead65636423da
humanhash: fourteen-thirteen-asparagus-lake
File name:8d40ac7ff823a82053b413326beba33bf94380a79c49165545fed3e92089b6eb
Download: download sample
Signature ARCrypter
Create hunting rule
File size:766'464 bytes
First seen:2022-11-17 02:15:34 UTC
Last seen:2022-11-17 03:38:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7f928347212fd6dce5f7ee29086225dd (2 x ARCrypter)
ssdeep 12288:LzQ88eWYgeWYg955/155/P6DQG8UNNbQzo1op6ZZofO0/d50fBVib61S:LzQ886DQZQVAo1Y6ZCfO0307ee
Threatray 3'221 similar samples on MalwareBazaar
TLSH T198F4CF86A7A503F8E1BBD13888464506E7B2BC4547709BDF23A0572A5F732E25E3F361
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon d8949494d4b8f8e3 (2 x ARCrypter)
Reporter Arkbird_SOLG
Tags:ARCrypter dropper exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
416
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8d40ac7ff823a82053b413326beba33bf94380a79c49165545fed3e92089b6eb
Verdict:
Suspicious activity
Analysis date:
2022-08-05 06:33:49 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/6251f5bc-0b97-473b-bea0-d06f744e45ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/335133/
Detection(s):
SecuriteInfo.com.Heur.Ransom.REntS.Gen.1.28430.25447.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Modifying an executable file
Delayed reading of the file
Launching cmd.exe command interpreter
Sending a custom TCP request
Launching a tool to kill processes
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/637599636fda73cab64e2547/reports/0e21e4f5-1eb4-42a6-b640-adccef03ac52/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0931d128-1845-4729-bf79-be88122fa633
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1115427
Signature
Antivirus / Scanner detection for submitted sample
Found Tor onion address
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 748122 Sample: 7jmvenyh9q.exe Startdate: 17/11/2022 Architecture: WINDOWS Score: 60 27 Antivirus / Scanner detection for submitted sample 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 Found Tor onion address 2->31 8 7jmvenyh9q.exe 3 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        13 conhost.exe 8->13         started        file5 25 C:\Users\user\Desktop\7jmvenyh9q.exe, ASCII 10->25 dropped 15 cmd.exe 1 10->15         started        17 taskkill.exe 1 10->17         started        19 taskkill.exe 1 10->19         started        21 8 other processes 10->21 process6 process7 23 conhost.exe 15->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d40ac7ff823a82053b413326beba33bf94380a79c49165545fed3e92089b6eb/
Threat name:
Win64.Ransomware.ArcDropper
Create hunting rule
Status:
Malicious
First seen:
2022-08-03 21:03:24 UTC
File Type:
PE+ (Exe)
Extracted files:
4
AV detection:
23 of 41 (56.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rvaky77yeoucau5ucmzgx25dhp4uhafhtrermvkf73j6siejw3vq._file
Verdict:
malicious
Similar samples:
257b99a8149825c3714e40ef1f4e0d1ccb35e0cc692deeb4e9fab1f38d9dddc9
ARCrypter
2e1d1c1629abb3aa966337d50dce159721048417ee11b47127302dae0eb3f09c
ARCrypter
32708c5d376f130b48bf3bd706879c1945a2d701036d94e25aceea41a4042052
ARCrypter
36e08c2df39cd84d8969a95de6a6882fbc954e7ca31a5a5d4be8ec33cfa84649
ARCrypter
39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d
ARCrypter
a1a3d07b7d2a764011affbede324e5f01590697e110a1c934d21c3627d3d1484
ARCrypter
b14cde376a8a7a9d7ad34cdfd07108c132ad8be7f60c5c0a0f17b6b63eb28b49
ARCrypter
cc0bd45536a6c15f8b76fe06fd637857e6fbb483dc620793aa3aa27e1ab75a62
ARCrypter
e0efcfb64134200889c4a098fcd2d0d0031bf6b5b5e0c718059b39bdf63aad91
ARCrypter
eee0f2f6b2524498f8287f95dd184828a044677700d61e2c0a109866f3dd504d
ARCrypter
+ 3'211 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221117-cp5qvahe4s/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Deletes itself
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/76d52b25-da7f-43b5-a1bb-b128e03fb090
Unpacked files
SH256 hash:
8d40ac7ff823a82053b413326beba33bf94380a79c49165545fed3e92089b6eb
MD5 hash:
6b402772ac82df77da8ead65636423da
SHA1 hash:
5c7676e5f1a4841e2a539b7dacfdc847c1e59ad7
Link:
https://www.unpac.me/results/813d3c32-8431-4cee-9f49-59284d99f5e2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d40ac7ff823a82053b413326beba33bf94380a79c49165545fed3e92089b6eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://blogs.blackberry.com/en/2022/11/arcrypter-ransomware-expands-its-operations-from-latin-america-to-the-world
Cape
Cape
https://www.capesandbox.com/analysis/335133/

Comments