a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin
General
Target | a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe |
Filesize | 311KB |
Completed | 14-10-2021 15:16 |
Score | 10/10 |
MD5 | 0050729426253655c88625a8ad93d7a2 |
SHA1 | a8ea376bc26eba3ff32e72cb2bf43cccfa1c87d7 |
SHA256 | a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a |
Malware Config
Extracted
Family | arkei |
Botnet | Default |
C2 | http://game2030.link/ggate.php |
Signatures 8
Tactics: Collection, Credential Access
-
Arkei
Description: Arkei is an infostealer written in C++.
-
Arkei Stealer Payload
Reported IOCs
resource | yara_rule |
behavioral1/memory/1172-57-0x0000000000400000-0x00000000016C0000-memory.dmp | family_arkei |
behavioral1/memory/1172-56-0x0000000000220000-0x0000000000239000-memory.dmp | family_arkei |
-
Reads user/profile data of web browsers
Description: Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
-
Program crash (WerFault.exe)
Reported IOCs
pid | pid_target | process | target process |
1384 | 1172 | WerFault.exe | a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe |
-
Suspicious behavior: EnumeratesProcesses (WerFault.exe)
Reported IOCs
pid | process |
1384 | WerFault.exe | (reported 4 times)
-
Suspicious behavior: GetForegroundWindowSpam (WerFault.exe)
Reported IOCs
pid | process |
1384 | WerFault.exe |
-
Suspicious use of AdjustPrivilegeToken (WerFault.exe)
Reported IOCs
description | pid | process |
Token: SeDebugPrivilege | 1384 | WerFault.exe |
-
Suspicious use of WriteProcessMemory (a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe)
Reported IOCs
description | pid | process | target process |
PID 1172 wrote to memory of 1384 | 1172 | a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe | WerFault.exe | (reported 4 times)
Processes 2
-
C:\Users\Admin\AppData\Local\Temp\a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe"
Signatures: Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 812
Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1172-54-0x00000000017BB000-0x00000000017CC000-memory.dmp
- memory/1172-55-0x0000000075821000-0x0000000075823000-memory.dmp
- memory/1172-57-0x0000000000400000-0x00000000016C0000-memory.dmp
- memory/1172-56-0x0000000000220000-0x0000000000239000-memory.dmp
- memory/1384-58-0x0000000000000000-mapping.dmp
- memory/1384-59-0x0000000001CC0000-0x0000000001CC1000-memory.dmp