arkei

Sharing

Copy URL

Twitter E-mail

General

Target

3e201fc20a90e669990e2994d2114b83.exe
Size

139KB
Sample

210926-s4rersfaap
MD5

3e201fc20a90e669990e2994d2114b83
SHA1

24bfc9636c793e7ceb309b08e319b2d925a080bd
SHA256

c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24
SHA512

4dae9203c1003ca32600d153d7a9f08fa3c50d7c665ee81d4d7608d8f47354e48493d4bb39af2a3259c7882ca0ba38f4db52033b0df3ddf4321cb7118b228591

Malware Config

Extracted

Family

smokeloader

Version

2020

http://naghenrietti1.top/

http://kimballiett2.top/

http://xadriettany3.top/

http://jebeccallis4.top/

http://nityanneron5.top/

http://umayaniela6.top/

http://lynettaram7.top/

http://sadineyalas8.top/

http://geenaldencia9.top/

http://aradysiusep10.top/

rc4.i32

Extracted

Family

redline

Botnet

installszxc

138.124.186.2:27999

Extracted

Family

redline

Botnet

z0rm1onbuild

45.156.21.209:56326

Extracted

Family

raccoon

Botnet

b2f2e53f9e27f901d453d8f6fbafe1b4d5266bb7

Attributes

url4cnc
https://t.me/hcdrom1

rc4.plain

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes

url4cnc
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

Bliss

185.237.98.178:62607

Extracted

Family

redline

Botnet

karma

94.103.9.133:39323

Targets

- Target
  
  3e201fc20a90e669990e2994d2114b83.exe
- Size
  
  139KB
- MD5
  
  3e201fc20a90e669990e2994d2114b83
- SHA1
  
  24bfc9636c793e7ceb309b08e319b2d925a080bd
- SHA256
  
  c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24
- SHA512
  
  4dae9203c1003ca32600d153d7a9f08fa3c50d7c665ee81d4d7608d8f47354e48493d4bb39af2a3259c7882ca0ba38f4db52033b0df3ddf4321cb7118b228591
Score

10^/10

arkei chinese_generic_botnet raccoon redline smokeloader 5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 b2f2e53f9e27f901d453d8f6fbafe1b4d5266bb7 bliss installszxc karma z0rm1onbuild backdoor botnet discovery evasion infostealer spyware stealer themida trojan persistence suricata
- Arkei
  Arkei is an infostealer written in C++.
  stealer arkei
- Generic Chinese Botnet
  A botnet originating from China which is currently unnamed publicly.
  botnet chinese_generic_botnet
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
  suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
  suricata
- suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
  suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
  suricata
- Arkei Stealer Payload
  stealer
- Chinese Botnet Payload
  botnet
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Generic Chinese Botnet

Raccoon

RedLine

RedLine Payload

SmokeLoader

suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

Arkei Stealer Payload

Chinese Botnet Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Themida packer

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Enumerates connected drives

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2