arkei

Sharing

General

Target

cf3c7fa5375d2e3cb82764c124e5dfed8e43126d6184b7fb65868f237c1999be
Size

159KB
Sample

211119-p1hrnsadaj
MD5

9ea77a52d268997ee300979b27359628
SHA1

b5e91c5e8f7475b8a41992ce7037c1b798d23d28
SHA256

cf3c7fa5375d2e3cb82764c124e5dfed8e43126d6184b7fb65868f237c1999be
SHA512

6564e4b324b197ef42e2dc5a51934daa1903462b0700127f447cffd9d836f5de85e190869e7671ac20dc4ef791d63f85bd70b23abb535c43c9cf9cd780d17892

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

redline

185.159.80.90:38637

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

ddf183af4241e3172885cf1b2c4c1fb4ee03d05a

Attributes

url4cnc
http://91.219.236.27/capibar
http://5.181.156.92/capibar
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

arkei

Botnet

Default

http://file-file-host4.com/tratata.php

Extracted

Family

redline

Botnet

easymoneydontshiny

45.153.186.153:56675

Extracted

Family

vidar

Version

48.6

Botnet

706

https://mastodon.online/@valhalla

https://koyu.space/@valhalla

Attributes

profile_id
706

Targets

- Target
  
  cf3c7fa5375d2e3cb82764c124e5dfed8e43126d6184b7fb65868f237c1999be
- Size
  
  159KB
- MD5
  
  9ea77a52d268997ee300979b27359628
- SHA1
  
  b5e91c5e8f7475b8a41992ce7037c1b798d23d28
- SHA256
  
  cf3c7fa5375d2e3cb82764c124e5dfed8e43126d6184b7fb65868f237c1999be
- SHA512
  
  6564e4b324b197ef42e2dc5a51934daa1903462b0700127f447cffd9d836f5de85e190869e7671ac20dc4ef791d63f85bd70b23abb535c43c9cf9cd780d17892
Score

10^/10

arkei raccoon redline smokeloader vidar 706 ddf183af4241e3172885cf1b2c4c1fb4ee03d05a default easymoneydontshiny backdoor collection discovery infostealer spyware stealer suricata trojan
- Arkei
  Arkei is an infostealer written in C++.
  stealer arkei
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
  suricata
- Arkei Stealer Payload
  stealer
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Tasks

static1

Score

N/A

behavioral1

arkeiraccoonredlinesmokeloadervidar706ddf183af4241e3172885cf1b2c4c1fb4ee03d05adefaulteasymoneydontshinybackdoorcollectiondiscoveryinfostealerspywarestealersuricatatrojan

Score

10^/10

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Raccoon

RedLine

RedLine Payload

SmokeLoader

Suspicious use of NtCreateProcessExOtherParentProcess

Vidar

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

Arkei Stealer Payload

Vidar Stealer

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Accesses 2FA software files, possible credential harvesting

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1