MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff22d13021f2bd9af9ec6f70782562460c5ea710e1fbbaa50ba997294c506a7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff22d13021f2bd9af9ec6f70782562460c5ea710e1fbbaa50ba997294c506a7e
SHA3-384 hash: 763cd1cad9cc76b78698a17ac77c06baf6b6acadee7ad5a9440c7115b0952afdb32e99fc92e6b0d6a43beefbc04b4e97
SHA1 hash: 3ba4d7a81345c72fa8d41c629db96e6f07509665
MD5 hash: b331089678362706e64ef923e2d15fd4
humanhash: six-kitten-timing-berlin
File name:b331089678362706e64ef923e2d15fd4.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:257'536 bytes
First seen:2021-02-10 09:29:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:uWZSRBpU2+zUPfE+m2/HxikMK2gZroDDWFm:uW+pU2OhBnuoDaFm
Threatray 655 similar samples on MalwareBazaar
TLSH FC44020232B98F62E1BAAFF58075568483B675AB6851F3185EC832EF15B2F006613F57
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
54f838b71063393f8dd2b5f901718a2a.exe
Verdict:
Malicious activity
Analysis date:
2021-02-10 07:42:54 UTC
Tags:
loader stealer trojan rat azorult
Link:
https://app.any.run/tasks/0e4fc27c-663c-4710-a158-9ca28427cb11

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116472/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61478.1973.11854.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
DNS request
Sending an HTTP POST request
Deleting a recently created file
Replacing files
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/604217
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Executable Used by PlugX in Uncommon Location
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 351142 Sample: z3LPr7pOcN.exe Startdate: 10/02/2021 Architecture: WINDOWS Score: 100 112 icacxndo.ac.ug 2->112 114 brudfascaqezd.ac.ug 2->114 116 2 other IPs or domains 2->116 126 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->126 128 Multi AV Scanner detection for domain / URL 2->128 130 Found malware configuration 2->130 132 17 other signatures 2->132 11 z3LPr7pOcN.exe 15 5 2->11         started        16 cmd.exe 2->16         started        18 taskkill.exe 2->18         started        signatures3 process4 dnsIp5 124 hanxlas.ac.ug 185.215.113.77, 49720, 49722, 49725 WHOLESALECONNECTIONSNL Portugal 11->124 102 C:\Users\user\AppData\...\ojhxcvsdfqw.exe, PE32 11->102 dropped 104 C:\Users\user\AppData\...\z3LPr7pOcN.exe.log, ASCII 11->104 dropped 154 Injects a PE file into a foreign processes 11->154 20 z3LPr7pOcN.exe 71 11->20         started        25 ojhxcvsdfqw.exe 3 11->25         started        27 nrm4bbk3.exe 16->27         started        29 conhost.exe 16->29         started        31 conhost.exe 18->31         started        file6 signatures7 process8 dnsIp9 118 taurus.ug 20->118 94 C:\Users\user\AppData\Local\Temp\rc.exe, PE32 20->94 dropped 96 C:\Users\user\AppData\Local\Temp\ds2.exe, PE32 20->96 dropped 98 C:\Users\user\AppData\Local\Temp\ds1.exe, PE32 20->98 dropped 100 49 other files (1 malicious) 20->100 dropped 142 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->142 144 Tries to steal Instant Messenger accounts or passwords 20->144 146 Tries to steal Mail credentials (via file access) 20->146 152 4 other signatures 20->152 33 rc.exe 20->33         started        38 ds1.exe 20->38         started        40 ac.exe 20->40         started        46 2 other processes 20->46 148 Injects a PE file into a foreign processes 25->148 42 ojhxcvsdfqw.exe 188 25->42         started        44 ojhxcvsdfqw.exe 25->44         started        150 Detected unpacking (overwrites its own PE header) 27->150 file10 signatures11 process12 dnsIp13 106 cdn.discordapp.com 162.159.129.233, 443, 49728 CLOUDFLARENETUS United States 33->106 108 192.168.2.1 unknown unknown 33->108 80 C:\Users\Public\Libraries\Wxycezen.exe, PE32 33->80 dropped 134 Creates a thread in another existing process (thread injection) 33->134 136 Injects a PE file into a foreign processes 33->136 48 ds1.exe 38->48         started        51 ds1.exe 38->51         started        82 C:\Users\user\AppData\Local\...\tmp19B8.tmp, XML 40->82 dropped 84 C:\Users\user\AppData\Roaming84AKqfx.exe, PE32 40->84 dropped 53 ac.exe 40->53         started        56 schtasks.exe 40->56         started        110 hanxlas.ac.ug 42->110 86 C:\ProgramData\vcruntime140.dll, PE32 42->86 dropped 88 C:\ProgramData\sqlite3.dll, PE32 42->88 dropped 90 C:\ProgramData\softokn3.dll, PE32 42->90 dropped 92 4 other files (none is malicious) 42->92 dropped 138 Tries to harvest and steal browser information (history, passwords, etc) 42->138 140 Tries to steal Crypto Currency Wallets 42->140 58 cmd.exe 42->58         started        60 ds2.exe 46->60         started        62 conhost.exe 46->62         started        64 timeout.exe 46->64         started        file14 signatures15 process16 dnsIp17 78 C:\Windows\Temp\nrm4bbk3.exe, PE32 48->78 dropped 66 cmstp.exe 48->66         started        120 icacxndo.ac.ug 53->120 122 icando.ug 91.193.75.94, 49729, 49735, 49736 DAVID_CRAIGGG Serbia 53->122 68 conhost.exe 56->68         started        70 conhost.exe 58->70         started        72 taskkill.exe 58->72         started        74 powershell.exe 60->74         started        file18 process19 process20 76 conhost.exe 74->76         started       
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ff22d13021f2bd9af9ec6f70782562460c5ea710e1fbbaa50ba997294c506a7e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-09 09:46:00 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=74rncmbb6k6zv6pmn5yhqjlciygf5jyq4h53vjilvglsstcqnj7a._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
15145ed8e5ae3cf2acf9ad25bbcb3f782c4d8ba9674185d06baa66ae6d17f25a
ArkeiStealer
308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e
ArkeiStealer
34a27a9beb4f68668a75967b9ea609dd2a958b29c66b70e0bd8e69bc5456fedb
ArkeiStealer
4be1e912f4b6f65dd938f0a6fa1f1d9b8d4c20fc25ac3c3189e10013c29e4dea
ArkeiStealer
60152e8f49b376387ea78e05be97894b52c0dc862a9906248b12a441e840ee2d
ArkeiStealer
7294bdc3333d08ac9c2397b3555c0126928c13600b23de09f21841cfee83f55a
ArkeiStealer
ac8a0b325adca9cc88fc6ee32c912024adfe5228024712e1c757183c51260d16
ArkeiStealer
ca9730cf7bc314d918ba3c287987fed3b6516688c1be0171f9d18e20b7f90984
ArkeiStealer
d2c1530870532abdf2123652c9f97dc9de79dc8aabbb8cfd185b1011d6cdbb01
ArkeiStealer
d8f37e199f10881b2045823553fd64f3f52ec616e24f2235a47dae7c435a3c72
ArkeiStealer
+ 645 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski discovery infostealer ransomware spyware trojan
Link:
https://tria.ge/reports/210210-vs2s84b8hn/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Azorult
Oski
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
Unpacked files
SH256 hash:
109b9cca0349b0e2e926adfa62b3f15cc1aa029e27be586c3e8ee89650305f5c
MD5 hash:
3975132d97530c35adcd42c48816d607
SHA1 hash:
e606e8df109aa141bddd470020bb935887368a55
Link:
https://www.unpac.me/results/1ae00e7c-9e31-4c5e-b885-66db5cc4418a/
SH256 hash:
2ec41720b412f91f91daaefea38007449491b2c016238aa8f23b6866c89bc788
MD5 hash:
987ce346069cf47535e5ac57265c7228
SHA1 hash:
d0085325ed78fcac6d1f605753237abd1c40db22
Link:
https://www.unpac.me/results/1ae00e7c-9e31-4c5e-b885-66db5cc4418a/
SH256 hash:
11199a3d6b343c58eed6ce60c4c88de9c285ce4a4f3821433a1c4a09ad39fd36
MD5 hash:
467d500dc2543b31d467b2402877d986
SHA1 hash:
a2b8d87570f785aa80cd6679f54492648c1dc889
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/1ae00e7c-9e31-4c5e-b885-66db5cc4418a/
Parent samples :
ff22d13021f2bd9af9ec6f70782562460c5ea710e1fbbaa50ba997294c506a7e
a74793a39fe6c942643ceb7ec5640d92890dd34b49244582113b3161863c3409
SH256 hash:
ff22d13021f2bd9af9ec6f70782562460c5ea710e1fbbaa50ba997294c506a7e
MD5 hash:
b331089678362706e64ef923e2d15fd4
SHA1 hash:
3ba4d7a81345c72fa8d41c629db96e6f07509665
Link:
https://www.unpac.me/results/1ae00e7c-9e31-4c5e-b885-66db5cc4418a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/ff22d13021f2bd9af9ec6f70782562460c5ea710e1fbbaa50ba997294c506a7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar infostealer variants
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe ff22d13021f2bd9af9ec6f70782562460c5ea710e1fbbaa50ba997294c506a7e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/116472/
  
URLhaus
https://urlhaus.abuse.ch/url/998666/
  
Delivery method
Distributed via web download

Comments