arkei | f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f

Analysis

max time kernel
33s
max time network
68s
platform
windows10_x64
resource
win10-en-20211104
submitted
03-12-2021 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe
Size

319KB
MD5

24ff8d2f666e28dfee4bf3c0260d9b75
SHA1

f22d725a9c34f36a54b068fec6defd3fcb5e8f3a
SHA256

f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f
SHA512

aa9c3978e3c1b8c07eee112e0ebfbeb8291166adc5504f5236b10d159b95c54225a59df4f879192c765ea05a854f990f2f982c8eda079c368f33601dbfca76d2

Score

10^/10

arkei cryptbot redline smokeloader default backdoor infostealer spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

redline

92.255.76.197:38637

Extracted

Family

arkei

Botnet

Default

http://file-file-host4.com/tratata.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2540-144-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2540-145-0x0000000000418EE6-mapping.dmp	family_redline
behavioral1/memory/2540-155-0x00000000055E0000-0x0000000005BE6000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Arkei Stealer Payload 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/500-166-0x00000000001C0000-0x00000000001E1000-memory.dmp	family_arkei
behavioral1/memory/500-167-0x0000000000400000-0x00000000004D4000-memory.dmp	family_arkei

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

79D.exeD7A.exe10A8.exe14FE.exe79D.exe

pid process

3160 79D.exe
4180 D7A.exe
500 10A8.exe
808 14FE.exe
2540 79D.exe
Deletes itself 1 IoCs

Processes:

pid process

396

pid	process
3160	79D.exe
4180	D7A.exe
500	10A8.exe
808	14FE.exe
2540	79D.exe

pid	process
396

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2115.exe	themida
C:\Users\Admin\AppData\Local\Temp\2115.exe	themida
behavioral1/memory/1212-159-0x0000000000C80000-0x0000000001362000-memory.dmp	themida
behavioral1/memory/1212-161-0x0000000000C80000-0x0000000001362000-memory.dmp	themida
behavioral1/memory/1212-162-0x0000000000C80000-0x0000000001362000-memory.dmp	themida
behavioral1/memory/1212-163-0x0000000000C80000-0x0000000001362000-memory.dmp	themida

Suspicious use of SetThreadContext 2 IoCs

Processes:

f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe79D.exe

description	pid	process	target process
PID 2180 set thread context of 4016	2180	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe
PID 3160 set thread context of 2540	3160	79D.exe	79D.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

D7A.exef6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D7A.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D7A.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D7A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe

pid	process
4016	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe
4016	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe

pid process

4016 f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	396
Token: SeCreatePagefilePrivilege	396
Token: SeShutdownPrivilege	396
Token: SeCreatePagefilePrivilege	396
Token: SeShutdownPrivilege	396
Token: SeCreatePagefilePrivilege	396
Token: SeShutdownPrivilege	396
Token: SeCreatePagefilePrivilege	396
Token: SeShutdownPrivilege	396
Token: SeCreatePagefilePrivilege	396
Token: SeShutdownPrivilege	396
Token: SeCreatePagefilePrivilege	396

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe79D.exe

description	pid	process	target process
PID 2180 wrote to memory of 4016	2180	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe
PID 2180 wrote to memory of 4016	2180	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe
PID 2180 wrote to memory of 4016	2180	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe
PID 2180 wrote to memory of 4016	2180	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe
PID 2180 wrote to memory of 4016	2180	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe
PID 2180 wrote to memory of 4016	2180	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe	f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe
PID 396 wrote to memory of 3160	396		79D.exe
PID 396 wrote to memory of 3160	396		79D.exe
PID 396 wrote to memory of 3160	396		79D.exe
PID 3160 wrote to memory of 2540	3160	79D.exe	79D.exe
PID 3160 wrote to memory of 2540	3160	79D.exe	79D.exe
PID 3160 wrote to memory of 2540	3160	79D.exe	79D.exe
PID 396 wrote to memory of 4180	396		D7A.exe
PID 396 wrote to memory of 4180	396		D7A.exe
PID 396 wrote to memory of 4180	396		D7A.exe
PID 396 wrote to memory of 500	396		10A8.exe
PID 396 wrote to memory of 500	396		10A8.exe
PID 396 wrote to memory of 500	396		10A8.exe
PID 396 wrote to memory of 808	396		14FE.exe
PID 396 wrote to memory of 808	396		14FE.exe
PID 396 wrote to memory of 808	396		14FE.exe
PID 3160 wrote to memory of 2540	3160	79D.exe	79D.exe
PID 3160 wrote to memory of 2540	3160	79D.exe	79D.exe
PID 3160 wrote to memory of 2540	3160	79D.exe	79D.exe
PID 3160 wrote to memory of 2540	3160	79D.exe	79D.exe
PID 3160 wrote to memory of 2540	3160	79D.exe	79D.exe

C:\Users\Admin\AppData\Local\Temp\f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe
"C:\Users\Admin\AppData\Local\Temp\f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe
"C:\Users\Admin\AppData\Local\Temp\f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4016

C:\Users\Admin\AppData\Local\Temp\79D.exe
C:\Users\Admin\AppData\Local\Temp\79D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\79D.exe
C:\Users\Admin\AppData\Local\Temp\79D.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Users\Admin\AppData\Local\Temp\D7A.exe
C:\Users\Admin\AppData\Local\Temp\D7A.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4180

C:\Users\Admin\AppData\Local\Temp\10A8.exe
C:\Users\Admin\AppData\Local\Temp\10A8.exe
1⤵
- Executes dropped EXE
PID:500

C:\Users\Admin\AppData\Local\Temp\14FE.exe
C:\Users\Admin\AppData\Local\Temp\14FE.exe
1⤵
- Executes dropped EXE
PID:808

C:\Users\Admin\AppData\Local\Temp\2115.exe
C:\Users\Admin\AppData\Local\Temp\2115.exe
1⤵
PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\79D.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\10A8.exe
MD5
5c3f6f9571ef9c75134cfe4326580e29

SHA1
6ef76acdc35b48faa5d8b6349d79ae1215e07fb7

SHA256
5ce101bc3876f4f5afe3a588e53326006db7b2bcd8a61bc132ceb8c18da3d72a

SHA512
beff13fd866f911f910279dcfd6eea01c485dcd2410fb990e7c12559a7b42b99c117cf97b700f2b1e2dcbf80b804d90a67679cdf780a91ab566e21f095a32b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\10A8.exe
MD5
5c3f6f9571ef9c75134cfe4326580e29

SHA1
6ef76acdc35b48faa5d8b6349d79ae1215e07fb7

SHA256
5ce101bc3876f4f5afe3a588e53326006db7b2bcd8a61bc132ceb8c18da3d72a

SHA512
beff13fd866f911f910279dcfd6eea01c485dcd2410fb990e7c12559a7b42b99c117cf97b700f2b1e2dcbf80b804d90a67679cdf780a91ab566e21f095a32b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\14FE.exe
MD5
24ff8d2f666e28dfee4bf3c0260d9b75

SHA1
f22d725a9c34f36a54b068fec6defd3fcb5e8f3a

SHA256
f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f

SHA512
aa9c3978e3c1b8c07eee112e0ebfbeb8291166adc5504f5236b10d159b95c54225a59df4f879192c765ea05a854f990f2f982c8eda079c368f33601dbfca76d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\14FE.exe
MD5
24ff8d2f666e28dfee4bf3c0260d9b75

SHA1
f22d725a9c34f36a54b068fec6defd3fcb5e8f3a

SHA256
f6f217b81efa31016030da14f61724806b4d6064ea8fa313869a521940fa9a7f

SHA512
aa9c3978e3c1b8c07eee112e0ebfbeb8291166adc5504f5236b10d159b95c54225a59df4f879192c765ea05a854f990f2f982c8eda079c368f33601dbfca76d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2115.exe
MD5
ca16ca4aa9cf9777274447c9f4ba222e

SHA1
1025ed93e5f44d51b96f1a788764cc4487ee477e

SHA256
0016755526279c5c404b670ecb2d81af46066d879c389924a6574ab9864b5c04

SHA512
72d8d2a729b8ce2940235d3a317ee3eb0eb8d1411e847d6d11e36484f520bb88b3cabd03716b3c2988b0a053426be14aace154f13d306883788f952cd03cf712

Download Submit
C:\Users\Admin\AppData\Local\Temp\2115.exe
MD5
ca16ca4aa9cf9777274447c9f4ba222e

SHA1
1025ed93e5f44d51b96f1a788764cc4487ee477e

SHA256
0016755526279c5c404b670ecb2d81af46066d879c389924a6574ab9864b5c04

SHA512
72d8d2a729b8ce2940235d3a317ee3eb0eb8d1411e847d6d11e36484f520bb88b3cabd03716b3c2988b0a053426be14aace154f13d306883788f952cd03cf712

Download Submit
C:\Users\Admin\AppData\Local\Temp\79D.exe
MD5
5115e5dab211559a85cd0154e8100f53

SHA1
347800b72ac53ec6e2c87e433763b20282a2c06d

SHA256
ef156fb3a203fe197d89d63e2ea7805a1b9af505dfff5a58532dbfe34e7aabaa

SHA512
d03e58376be1e299a6da57a28ed5db176999baded713aa54ddb59cf8c82b97e8c0b028ce07bddb6989c7c77e518e151e112dde2f1d5244ac2572e4371fa68c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\79D.exe
MD5
5115e5dab211559a85cd0154e8100f53

SHA1
347800b72ac53ec6e2c87e433763b20282a2c06d

SHA256
ef156fb3a203fe197d89d63e2ea7805a1b9af505dfff5a58532dbfe34e7aabaa

SHA512
d03e58376be1e299a6da57a28ed5db176999baded713aa54ddb59cf8c82b97e8c0b028ce07bddb6989c7c77e518e151e112dde2f1d5244ac2572e4371fa68c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\79D.exe
MD5
5115e5dab211559a85cd0154e8100f53

SHA1
347800b72ac53ec6e2c87e433763b20282a2c06d

SHA256
ef156fb3a203fe197d89d63e2ea7805a1b9af505dfff5a58532dbfe34e7aabaa

SHA512
d03e58376be1e299a6da57a28ed5db176999baded713aa54ddb59cf8c82b97e8c0b028ce07bddb6989c7c77e518e151e112dde2f1d5244ac2572e4371fa68c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7A.exe
MD5
df13fac0d8b182e4d8b9a02ba87a9571

SHA1
b2187debc6fde96e08d5014ce4f1af5cf568bce5

SHA256
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

SHA512
bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7A.exe
MD5
df13fac0d8b182e4d8b9a02ba87a9571

SHA1
b2187debc6fde96e08d5014ce4f1af5cf568bce5

SHA256
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

SHA512
bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816

Download Submit
memory/396-164-0x00000000021F0000-0x0000000002206000-memory.dmp

Filesize
88KB

Download
memory/396-122-0x00000000006D0000-0x00000000006E6000-memory.dmp

Filesize
88KB

Download
memory/500-167-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/500-166-0x00000000001C0000-0x00000000001E1000-memory.dmp

Filesize
132KB

Download
memory/500-135-0x0000000000000000-mapping.dmp

Download
memory/808-141-0x0000000000000000-mapping.dmp

Download
memory/1212-160-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-163-0x0000000000C80000-0x0000000001362000-memory.dmp

Filesize
6.9MB

Download
memory/1212-156-0x0000000000000000-mapping.dmp

Download
memory/1212-159-0x0000000000C80000-0x0000000001362000-memory.dmp

Filesize
6.9MB

Download
memory/1212-161-0x0000000000C80000-0x0000000001362000-memory.dmp

Filesize
6.9MB

Download
memory/1212-162-0x0000000000C80000-0x0000000001362000-memory.dmp

Filesize
6.9MB

Download
memory/2180-118-0x0000000000791000-0x00000000007A2000-memory.dmp

Filesize
68KB

Download
memory/2180-119-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2540-154-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2540-155-0x00000000055E0000-0x0000000005BE6000-memory.dmp

Filesize
6.0MB

Download
memory/2540-144-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2540-150-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/2540-151-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/2540-152-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/2540-153-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/2540-145-0x0000000000418EE6-mapping.dmp

Download
memory/3160-130-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/3160-134-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/3160-129-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/3160-128-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/3160-126-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/3160-123-0x0000000000000000-mapping.dmp

Download
memory/4016-120-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4016-121-0x0000000000402F47-mapping.dmp

Download
memory/4180-138-0x0000000002CA0000-0x0000000002DEA000-memory.dmp

Filesize
1.3MB

Download
memory/4180-139-0x0000000002CA0000-0x0000000002DEA000-memory.dmp

Filesize
1.3MB

Download
memory/4180-131-0x0000000000000000-mapping.dmp

Download
memory/4180-140-0x0000000000400000-0x0000000002B64000-memory.dmp

Filesize
39.4MB

Download