arkei | a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a

Resubmissions

14-10-2021 15:13

211014-slznesafgr 10

13-10-2021 11:15

211013-ncl9hsdggp 10

Analysis

max time kernel
65s
max time network
137s
platform
windows10_x64
resource
win10v20210408
submitted
13-10-2021 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe
Size

311KB
MD5

0050729426253655c88625a8ad93d7a2
SHA1

a8ea376bc26eba3ff32e72cb2bf43cccfa1c87d7
SHA256

a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a
SHA512

1947c78aba1933c3da2eed125d760bf7c4b3bf75a113139a22db0d2f1e1e3e8b4640c0330b5220712275884567daf9548467a96747fb550fc8cb24dfc989d37c

Score

10^/10

arkei spyware stealer

Malware Config

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 928 created 3128 928 WerFault.exe a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe

description	pid	process	target process
PID 928 created 3128	928	WerFault.exe	a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe

Arkei Stealer Payload 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3128-116-0x0000000000400000-0x00000000016C0000-memory.dmp	family_arkei
behavioral2/memory/3128-115-0x0000000001930000-0x0000000001949000-memory.dmp	family_arkei

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

928 3128 WerFault.exe a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe

pid	pid_target	process	target process
928	3128	WerFault.exe	a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
928	WerFault.exe
928	WerFault.exe
928	WerFault.exe
928	WerFault.exe
928	WerFault.exe
928	WerFault.exe
928	WerFault.exe
928	WerFault.exe
928	WerFault.exe
928	WerFault.exe
928	WerFault.exe
928	WerFault.exe
928	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 928 WerFault.exe
Token: SeBackupPrivilege 928 WerFault.exe
Token: SeDebugPrivilege 928 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	928	WerFault.exe
Token: SeBackupPrivilege	928	WerFault.exe
Token: SeDebugPrivilege	928	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe
"C:\Users\Admin\AppData\Local\Temp\a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe"
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1212
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3128-114-0x00000000019B6000-0x00000000019C7000-memory.dmp

Filesize
68KB

Download
memory/3128-116-0x0000000000400000-0x00000000016C0000-memory.dmp

Filesize
18.8MB

Download
memory/3128-115-0x0000000001930000-0x0000000001949000-memory.dmp

Filesize
100KB

Download