MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0ff93ef4930a7dc2d95a6ee490fecdddcbe946e479b1d4fdb47285245b28675. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0ff93ef4930a7dc2d95a6ee490fecdddcbe946e479b1d4fdb47285245b28675
SHA3-384 hash: f2407ae0d02a196567332130a627203aceea1b5f15f2036dabd504d218f7d89e774f6014d7fe74a4d631b7ef0f7a4098
SHA1 hash: 8d98313ff780d8d8c2d779ce5022cc03d72f606b
MD5 hash: a27e08ddf60d5403c02a482a8c3885ac
humanhash: failed-may-black-twelve
File name:BillOfLading.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:266'318 bytes
First seen:2021-03-31 07:01:46 UTC
Last seen:2021-03-31 07:56:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:zAP7SZJKE9fNnU4Y6nicpZhwIIC29c1QsQ:2S+yfNUXJcHhwII19c8
Threatray 869 similar samples on MalwareBazaar
TLSH 0744122B27E048DBD56B0470607BC72973BBB315632026AB7F65BF651D311C3E922A1E
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: cloudhost-75426.au-south-1.nxcli.net
Sending IP: 103.224.90.79
From: TNT Express <service@tnt.com>
Subject: Consignment Notification: BL Draft and PL
Attachment: BillOfLading.cab (contains "BillOfLading.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BillOfLading.exe
Verdict:
Malicious activity
Analysis date:
2021-03-31 07:39:29 UTC
Tags:
installer trojan stealer vidar loader
Link:
https://app.any.run/tasks/6700869a-b2d1-4523-a56f-e22a2a665b44

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/129177/
Detection(s):
SecuriteInfo.com.Trojan.Siggen12.62803.16431.20537.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Connection attempt
Creating a file
Deleting a recently created file
Reading critical registry keys
Replacing files
Creating a window
Delayed writing of the file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Sending a UDP request
Stealing user critical data
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/659991
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Downloads files with wrong headers with respect to MIME Content-Type
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0ff93ef4930a7dc2d95a6ee490fecdddcbe946e479b1d4fdb47285245b28675/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 02:43:20 UTC
AV detection:
6 of 47 (12.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yd7zh32jgct5ylmvu3xesd7m3xol5fdoi6nr2t63i4ufernsqz2q._file
Verdict:
malicious
Similar samples:
033741ca568e4e71a586be960e503415579b0520d2c9ecd298ed03becf406b9c
ArkeiStealer
1d1db9028a99d5ccfd2e898e61dd4c0fbd2b363934f0623aa9503280fa3229a9
ArkeiStealer
3b9f555888df6326a6a0c7dd2c2c1c2d78bbb969c1b7d40ea0d0e9679a06bbc5
ArkeiStealer
40afa1e323be151d0d7a38c72f771b0b9e909f49ddade942d4260a5e29e5ec2f
ArkeiStealer
5389a958986f6ceccaa9e44006852becbccabfb07f126d69e6b031227fb0b487
ArkeiStealer
69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c
ArkeiStealer
8959562f5a87f40b9c3917a98e10d68e2c459c8df9bdd9664f615af6d5b9959e
ArkeiStealer
b699a2766f106ff77377780bad431b72ef1748bf989e09f2b82fb73cf30cbde3
ArkeiStealer
d217032899487162688fa6c3855e13040b074de38d9c57c91b47c1190842edc2
ArkeiStealer
d40dedd7f637a1ef9703b582a6d536469d1cf62bddc1a462a9cceeb7f9194f13
ArkeiStealer
+ 859 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210331-szjcmflb1n/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Oski
Unpacked files
SH256 hash:
5c232086592bda059effb4fdd00457144931c63e7e2b3ac1b038e974c97a1400
MD5 hash:
7558844d4e3faf04d3bdccad451b4dd3
SHA1 hash:
d31eeaa1c53fdc6633c7a0043727213fcf548d1b
Link:
https://www.unpac.me/results/d7b0fe32-5067-42a0-bb7c-96030082eb01/
SH256 hash:
c0ff93ef4930a7dc2d95a6ee490fecdddcbe946e479b1d4fdb47285245b28675
MD5 hash:
a27e08ddf60d5403c02a482a8c3885ac
SHA1 hash:
8d98313ff780d8d8c2d779ce5022cc03d72f606b
Link:
https://www.unpac.me/results/d7b0fe32-5067-42a0-bb7c-96030082eb01/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c0ff93ef4930a7dc2d95a6ee490fecdddcbe946e479b1d4fdb47285245b28675

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_oski_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ArkeiStealer

cab 7c25d9ffd3b33b9133ed819172935b9dddf3967ad74d100d43148d7e384e7e27

ArkeiStealer

Executable exe c0ff93ef4930a7dc2d95a6ee490fecdddcbe946e479b1d4fdb47285245b28675

(this sample)

  
Dropped by
MD5 a37efc46d4ad5693ecb5f43754fe26c7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/129177/
  
Dropped by
SHA256 7c25d9ffd3b33b9133ed819172935b9dddf3967ad74d100d43148d7e384e7e27

Comments