arkei

Resubmissions

27-09-2021 21:27

210927-1av5vsabhr 10

27-09-2021 10:54

210927-mzle3agfa6 10

27-09-2021 05:33

210927-f83x5sfge7 10

26-09-2021 14:49

210926-r68amaehcr 10

Sharing

Copy URL

Twitter E-mail

General

Target

setup_x86_x64_install.exe
Size

4.6MB
Sample

210927-f83x5sfge7
MD5

f7cf8f9694e81ee7d8af08ebb8324bc0
SHA1

28183d4304bc8257b9e3bf922c2d684075bdf552
SHA256

84b57d3d7fdabaebcd85cf01dbf14b9cb94e08fe081abcb60b218c1298c55995
SHA512

402fb16fb00cce4146bb7720317b7040d9987fb80b1beeda95e47158f8652fa6da70eb10b99ec64ebd49db3942fad0dcd349f6b3bbe1bce8178e730a13083e22

Malware Config

Extracted

Family

redline

Botnet

jamesoldd

65.108.20.195:6774

Extracted

Family

smokeloader

Version

2020

http://govsurplusstore.com/upload/

http://best-forsale.com/upload/

http://chmxnautoparts.com/upload/

http://kwazone.com/upload/

rc4.i32

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://shellloader.top/welcome

Extracted

Family

redline

Botnet

UTS

45.9.20.20:13441

Targets

- Target
  
  setup_x86_x64_install.exe
- Size
  
  4.6MB
- MD5
  
  f7cf8f9694e81ee7d8af08ebb8324bc0
- SHA1
  
  28183d4304bc8257b9e3bf922c2d684075bdf552
- SHA256
  
  84b57d3d7fdabaebcd85cf01dbf14b9cb94e08fe081abcb60b218c1298c55995
- SHA512
  
  402fb16fb00cce4146bb7720317b7040d9987fb80b1beeda95e47158f8652fa6da70eb10b99ec64ebd49db3942fad0dcd349f6b3bbe1bce8178e730a13083e22
Score

10^/10

djvu redline socelars vidar jamesoldd aspackv2 discovery evasion infostealer ransomware spyware stealer trojan themida smokeloader tofsee backdoor persistence arkei xmrig miner uts
- Arkei
  Arkei is an infostealer written in C++.
  stealer arkei
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Turns off Windows Defender SpyNet reporting
  evasion
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Arkei Stealer Payload
  stealer
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Blocklisted process makes network request
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Windows security modification
  evasion trojan
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5 behavioral6 behavioral7 behavioral8