2e86f7dfe3f2f795ef1995bd9d6efdea.exe

General

Target: 2e86f7dfe3f2f795ef1995bd9d6efdea.exe
Size: 390KB
Sample: 211021-wpq28safa4
Score: 10/10
MD5: 2e86f7dfe3f2f795ef1995bd9d6efdea
SHA1: a2c279c2c2ffd37bd6ee59eadfe037d7e3524c1e
SHA256: 20e5765385bc92922a64f7454367d98a77693adfd62bcb4a44703705ddffbdb0
SHA512: 1c3aca6e80ddd3353c0fcb62895c81b3e398a44d40539dba37768e11ca6eb0cb7657d4a1b4d3878a3e0317153a2629288f34e34d15f2b6eaea26aebd704b18d0

Malware Config

Extracted
Family: fickerstealer
C2: game2030.site:80

Extracted
Family: arkei
Botnet: Default
C2: http://gurums.online/ggate.php

Extracted
Family: cryptbot
C2: veoalm42.top, moruhx04.top
Attributes: payload_url = http://tynjua14.top/download.php?file=lv.exe
Signatures

  • Arkei
    Description: Arkei is an infostealer written in C++.
  • CryptBot
    Description: A C++ stealer distributed widely in bundles with other software.
  • Fickerstealer
    Description: Ficker is an infostealer written in Rust and ASM.
  • Suspicious use of NtCreateProcessExOtherParentProcess
  • Arkei Stealer Payload
  • Downloads MZ/PE file
  • Executes dropped EXE
  • Deletes itself
  • Loads dropped DLL
  • Reads local data of messenger clients
    Description: Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
    TTPs: Data from Local System; Credentials in Files
  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials, etc.
    TTPs: Data from Local System; Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting
    TTPs: Data from Local System; Credentials in Files
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Checks installed software on the system
    Description: Looks up Uninstall key entries in the registry to enumerate software on the system.
    TTPs: Query Registry
  • Legitimate hosting services abused for malware hosting/C2
    TTPs: Web Service
  • Looks up external IP address via web service
    Description: Uses a legitimate IP lookup service to find the infected system's external IP.
  • Suspicious use of SetThreadContext
