a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin

General

Target:     a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe
Filesize:   311KB
Completed:  14-10-2021 15:16
Score:      10/10
MD5:        0050729426253655c88625a8ad93d7a2
SHA1:       a8ea376bc26eba3ff32e72cb2bf43cccfa1c87d7
SHA256:     a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a

Malware Config

Extracted

Family:  arkei
Botnet:  Default
C2:      http://game2030.link/ggate.php

Signatures 8

  • Arkei
    Tags: Collection, Credential Access

    Description

    Arkei is an infostealer written in C++.

  • Arkei Stealer Payload

    Reported IOCs

    resource                                                                       yara_rule
    behavioral1/memory/1172-57-0x0000000000400000-0x00000000016C0000-memory.dmp   family_arkei
    behavioral1/memory/1172-56-0x0000000000220000-0x0000000000239000-memory.dmp   family_arkei
  • Reads user/profile data of web browsers

    Description

    Infostealers commonly read the data stored in browser profiles, which includes saved credentials.

    TTPs

    Data from Local System
    Credentials in Files
  • Program crash
    WerFault.exe

    Reported IOCs

    pid    pid_target   process        target process
    1384   1172         WerFault.exe   a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe

    Note: WerFault.exe was started as "C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 812", i.e. Windows Error Reporting handling an unhandled exception in the sample (PID 1172). The run therefore ended in a crash, and the signatures attributed to PID 1384 below (process enumeration, foreground-window polling, SeDebugPrivilege) describe the crash handler collecting its dump, not stealer behaviour; the WriteProcessMemory entries record the faulting process launching that handler. The Network section below records no traffic, so the C2 above comes from the extracted configuration, not from an observed connection.
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe

    Reported IOCs

    pid    process
    1384   WerFault.exe   (4 identical entries)

  • Suspicious behavior: GetForegroundWindowSpam
    WerFault.exe

    Reported IOCs

    pid    process
    1384   WerFault.exe

  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    description               pid    process
    Token: SeDebugPrivilege   1384   WerFault.exe

  • Suspicious use of WriteProcessMemory
    a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe

    Reported IOCs

    description                        pid    process                                                                    target process
    PID 1172 wrote to memory of 1384   1172   a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe   WerFault.exe   (4 identical entries)
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a.bin.exe"
    Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 812
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1384
Network
MITRE ATT&CK Matrix

Tactic columns shown (no technique cells beyond the TTPs listed under the signatures above):
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Downloads
  • memory/1172-54-0x00000000017BB000-0x00000000017CC000-memory.dmp
  • memory/1172-55-0x0000000075821000-0x0000000075823000-memory.dmp
  • memory/1172-57-0x0000000000400000-0x00000000016C0000-memory.dmp
  • memory/1172-56-0x0000000000220000-0x0000000000239000-memory.dmp
  • memory/1384-58-0x0000000000000000-mapping.dmp
  • memory/1384-59-0x0000000001CC0000-0x0000000001CC1000-memory.dmp
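The following is an added example, not part of the sandbox output and not Arkei code: a small Python parser over the dump names and IOC rows of this report. It turns each memory.dmp name into a (pid, range, size) record, picks out the regions the family yara rule matched, and applies two checks a triager would make by hand: whether the WriteProcessMemory rows target anything other than the WerFault child (here they do not, so they are the crash-handler launch rather than injection into a third process), and whether the flagged dump at image base 0x400000 is far larger than the 311KB file on disk, which points at a runtime-expanded (packed) payload. All input strings are copied from the report above; the helper names, the "crash-handler handshake" label and the size heuristic are this example's own assumptions.

```python
"""Structure the IOC rows of this report and apply two triage checks.

Added example for this page; not sandbox output and not Arkei code.
Input strings are copied from the report; helper names, the handshake
classification and the image-size heuristic are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FILESIZE_ON_DISK = 311 * 1024           # "311KB" in the General section
SAMPLE_PID, WERFAULT_PID = 1172, 1384    # PIDs from the Processes section

DUMPS = [  # Downloads section, verbatim
    "memory/1172-54-0x00000000017BB000-0x00000000017CC000-memory.dmp",
    "memory/1172-55-0x0000000075821000-0x0000000075823000-memory.dmp",
    "memory/1172-57-0x0000000000400000-0x00000000016C0000-memory.dmp",
    "memory/1172-56-0x0000000000220000-0x0000000000239000-memory.dmp",
    "memory/1384-58-0x0000000000000000-mapping.dmp",
    "memory/1384-59-0x0000000001CC0000-0x0000000001CC1000-memory.dmp",
]
YARA_HITS = {  # "Arkei Stealer Payload" resource -> yara_rule
    "behavioral1/memory/1172-57-0x0000000000400000-0x00000000016C0000-memory.dmp": "family_arkei",
    "behavioral1/memory/1172-56-0x0000000000220000-0x0000000000239000-memory.dmp": "family_arkei",
}
WPM_ROWS = ["PID 1172 wrote to memory of 1384"] * 4   # WriteProcessMemory rows
WERFAULT_CMD = r"C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 812"

# <pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp ; mapping dumps have no range
DUMP_RE = re.compile(
    r"(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int
    start: int
    end: Optional[int]     # None for a 'mapping' dump
    kind: str

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start


def parse_dump(name: str) -> Region:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = m["end"]
    return Region(int(m["pid"]), int(m["seq"]), int(m["start"], 16),
                  int(end, 16) if end else None, m["kind"])


def regions_by_pid(names: List[str]) -> Dict[int, List[Region]]:
    out: Dict[int, List[Region]] = {}
    for n in names:
        r = parse_dump(n)
        out.setdefault(r.pid, []).append(r)
    return out


def flagged_regions(hits: Dict[str, str]) -> List[Tuple[Region, str]]:
    """Regions carrying a family yara hit, largest first."""
    regs = [(parse_dump(n), rule) for n, rule in hits.items()]
    return sorted(regs, key=lambda t: t[0].size or 0, reverse=True)


def image_larger_than_file(region: Region, disk_size: int) -> bool:
    """Heuristic (this example's, not the sandbox's): a dump at the common x86
    image base 0x400000 whose span far exceeds the file on disk means the PE's
    in-memory footprint was expanded at runtime, i.e. a packed/unpacked payload."""
    return region.start == 0x400000 and (region.size or 0) > disk_size


def parse_werfault(cmdline: str) -> Dict[str, int]:
    """Pull the faulting PID out of a 'WerFault.exe -u -p <pid> -s <n>' command line."""
    m = re.search(r"WerFault\.exe\s+-u\s+-p\s+(\d+)\s+-s\s+(\d+)", cmdline)
    if not m:
        raise ValueError("not a user-mode WerFault command line")
    return {"faulting_pid": int(m[1]), "s_arg": int(m[2])}


def classify_wpm(row: str, werfault_pid: int) -> str:
    """'crash-handler handshake' when the write targets the WerFault child spawned
    for the writer's own crash; 'cross-process write' for any other target."""
    m = re.fullmatch(r"PID (\d+) wrote to memory of (\d+)", row)
    if not m:
        raise ValueError(f"unrecognised row: {row}")
    return "crash-handler handshake" if int(m[2]) == werfault_pid else "cross-process write"


if __name__ == "__main__":
    for r, rule in flagged_regions(YARA_HITS):
        flag = "  <- larger than file on disk" if image_larger_than_file(r, FILESIZE_ON_DISK) else ""
        print(f"{rule}: pid {r.pid} 0x{r.start:X}-0x{r.end:X} ({r.size} bytes){flag}")
    print(parse_werfault(WERFAULT_CMD))
    print({classify_wpm(row, WERFAULT_PID) for row in WPM_ROWS})
```

Run stand-alone it reports the 0x400000 region as roughly 19.6 MB against a 311KB file, confirms `-p 1172` names the sample's own PID, and classifies all four WriteProcessMemory rows as the handshake with WerFault; a row targeting any PID other than 1384 would come back as "cross-process write" and deserve a closer look.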