Analysis
-
max time kernel
123s -
max time network
132s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
14-10-2021 15:13
Static task
static1
Behavioral task
behavioral1
Sample
a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe
Resource
win7-en-20210920
windows7_x64
0 signatures
0 seconds
General
-
Target
a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe
-
Size
311KB
-
MD5
0050729426253655c88625a8ad93d7a2
-
SHA1
a8ea376bc26eba3ff32e72cb2bf43cccfa1c87d7
-
SHA256
a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a
-
SHA512
1947c78aba1933c3da2eed125d760bf7c4b3bf75a113139a22db0d2f1e1e3e8b4640c0330b5220712275884567daf9548467a96747fb550fc8cb24dfc989d37c
Malware Config
Extracted
Family
arkei
Botnet
Default
C2
http://game2030.link/ggate.php
Signatures
-
Arkei Stealer Payload 2 IoCs
resource yara_rule behavioral1/memory/1172-57-0x0000000000400000-0x00000000016C0000-memory.dmp family_arkei behavioral1/memory/1172-56-0x0000000000220000-0x0000000000239000-memory.dmp family_arkei -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1384 1172 WerFault.exe 26 -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1384 WerFault.exe 1384 WerFault.exe 1384 WerFault.exe 1384 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1384 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1384 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1172 wrote to memory of 1384 1172 a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe 28 PID 1172 wrote to memory of 1384 1172 a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe 28 PID 1172 wrote to memory of 1384 1172 a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe 28 PID 1172 wrote to memory of 1384 1172 a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe"C:\Users\Admin\AppData\Local\Temp\a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 8122⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1384
-