Description
Arkei is an infostealer written in C++.
General
Target
Size
Sample
18176b08524ee3052c25cfcbc6d9647fd79124534e2324a49da607b8b7f1d3a1
169KB
211119-2w9qtaehd8
Score
10/10
MD5
SHA1
SHA256
SHA512
aeab8d7bcc1e0ce3f75ae55d548bf489
93a2c0d2460a041484b79b8f5e18eaf547736209
18176b08524ee3052c25cfcbc6d9647fd79124534e2324a49da607b8b7f1d3a1
9e6634f7f51c526b721f61f3f89eb5a31cc137f5789695d75f603ada211bf29303f14f3992750bc65591a1ab4182b735d87701725d60145d960902c2f5d91b2d
Malware Config
Extracted
| Family | smokeloader |
| Version | 2020 |
| C2 |
http://host-file-host6.com/ http://host-host-file8.com/ http://srtuiyhuali.at/ http://fufuiloirtu.com/ http://amogohuigotuli.at/ http://novohudosovu.com/ http://brutuilionust.com/ http://bubushkalioua.com/ http://dumuilistrati.at/ http://verboliatsiaeeees.com/ |
| rc4.i32 |
|
| rc4.i32 |
|
| rc4.i32 |
|
| rc4.i32 |
|
Extracted
| Family | raccoon |
| Version | 1.8.3-hotfix |
| Botnet | ddf183af4241e3172885cf1b2c4c1fb4ee03d05a |
| Attributes |
url4cnc http://91.219.236.27/capibar http://5.181.156.92/capibar http://91.219.236.207/capibar http://185.225.19.18/capibar http://91.219.237.227/capibar https://t.me/capibar |
| rc4.plain |
|
| rc4.plain |
|
Extracted
| Family | redline |
| C2 |
185.159.80.90:38637 |
Extracted
| Family | arkei |
| Botnet | Default |
| C2 |
http://file-file-host4.com/tratata.php |
Extracted
| Family | raccoon |
| Version | 1.8.3-hotfix |
| Botnet | 59885c564847bf29ddd9457b81c619998245ba90 |
| Attributes |
url4cnc http://91.219.236.27/opussenseus1 http://5.181.156.92/opussenseus1 http://91.219.236.207/opussenseus1 http://185.225.19.18/opussenseus1 http://91.219.237.227/opussenseus1 https://t.me/opussenseus1 |
| rc4.plain |
|
| rc4.plain |
|
Extracted
| Family | redline |
| Botnet | Alex |
| C2 |
178.238.8.72:49214 |
Extracted
| Family | redline |
| Botnet | bot_tg |
| C2 |
188.119.113.20:27724 |
Extracted
| Family | vidar |
| Version | 48.6 |
| Botnet | 706 |
| C2 |
https://mastodon.online/@valhalla https://koyu.space/@valhalla |
| Attributes |
profile_id 706 |
Targets
Target
MD5
Filesize
18176b08524ee3052c25cfcbc6d9647fd79124534e2324a49da607b8b7f1d3a1
aeab8d7bcc1e0ce3f75ae55d548bf489
169KB
Score
10/10
SHA1
SHA256
SHA512
93a2c0d2460a041484b79b8f5e18eaf547736209
18176b08524ee3052c25cfcbc6d9647fd79124534e2324a49da607b8b7f1d3a1
9e6634f7f51c526b721f61f3f89eb5a31cc137f5789695d75f603ada211bf29303f14f3992750bc65591a1ab4182b735d87701725d60145d960902c2f5d91b2d
Tags
Signatures
-
Arkei
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Description
Simple but powerful infostealer which was very active in 2019.
Tags
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Vidar
Description
Vidar is an infostealer based on Arkei stealer.
Tags
-
Arkei Stealer Payload
Tags
-
Vidar Stealer
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Accesses 2FA software files, possible credential harvesting
Tags
TTPs
-
Accesses Microsoft Outlook profiles
Tags
TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags
TTPs
-
Adds Run key to start application
Tags
TTPs
-
Checks installed software on the system
Description
Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags
TTPs
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Tasks
static1
Score
N/A
behavioral1
Score
10/10