General

  • Target

    4429d7bb14f60e8b2673db64a7f3e9550947d40cd53eadd1006f3c3959201fb7

  • Size

    272KB

  • Sample

    211204-waa3gabddm

  • MD5

    ca53d7c908eff8fbefc337406939a07d

  • SHA1

    05c4da8a7e8ffac6ac90424d53b83be16df7814f

  • SHA256

    4429d7bb14f60e8b2673db64a7f3e9550947d40cd53eadd1006f3c3959201fb7

  • SHA512

    b2cef6bb2f4eef06ab92dc8926c5880baedf3dbc79bf985c5468f05a2736dddad48ebc2e0d318207e2b082f8d0e3deec364ee88d43b5ba78d5423141fc452e1a

Malware Config

Extracted

Path

C:\read-me.txt

Ransom Note
All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Extracted

Path

C:\Boot\bg-BG\Read_Me.txt

Ransom Note
Attention!
All your files, documents, photos, databases and other important files are encrypted.
The only method of recovering files is to purchase an unique decryptor.
Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101LCEFCZAS
5. and open ticket
----------------------------------------------------------------------------------------
Alternate communication channel here: https://yip.su/2QstD5
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101LCEFCZAS

https://yip.su/2QstD5

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

http://planilhasvba.com.br/wp-admin/js/k/index.php

http://rpk32ubon.ac.th/backup/k/index.php

http://4urhappiness.com/app/k/index.php

http://swedenkhabar.com/wp-admin/js/k/index.php

http://cio.lankapanel.net/wp-admin/js/k/index.php

http://fcmsites.com.br/canal/wp-admin/js/k/index.php

http://lacoibipitanga.com.br/maxart/k/index.php

http://lacoibipitanga.com.br/cgi-bin/k/index.php

http://video.nalahotel.com/k/index.php

http://diving-phocea.com/wp-admin/k/index.php

rc4.i32
rc4.i32
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

8b6023dd139bdc34aab99c286fae23d1442b4956

Attributes
  • url4cnc

    http://91.219.236.27/h_electricryptors2

    http://5.181.156.92/h_electricryptors2

    http://91.219.236.207/h_electricryptors2

    http://185.225.19.18/h_electricryptors2

    http://91.219.237.227/h_electricryptors2

    https://t.me/h_electricryptors2

rc4.plain
rc4.plain

Extracted

Family

arkei

Botnet

Default

C2

http://153.92.210.92/lYWcN6H7B1.php

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

b620be4c85b4051a92040003edbc322be4eb082d

Attributes
  • url4cnc

    http://91.219.236.207/capibar

    http://185.225.19.18/capibar

    http://91.219.237.227/capibar

    https://t.me/capibar

rc4.plain
rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

b2ef6df07cefd70742a1d2de874b0494a6c0af23

Attributes
  • url4cnc

    http://94.158.245.137/lesterri2

    http://91.219.236.27/lesterri2

    http://94.158.245.167/lesterri2

    http://185.163.204.216/lesterri2

    http://185.225.19.238/lesterri2

    http://185.163.204.218/lesterri2

    https://t.me/lesterri2

rc4.plain
rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

a1fcef6b211f7efaa652483b438c193569359f50

Attributes
  • url4cnc

    http://94.158.245.137/duglassa1

    http://91.219.236.27/duglassa1

    http://94.158.245.167/duglassa1

    http://185.163.204.216/duglassa1

    http://185.225.19.238/duglassa1

    http://185.163.204.218/duglassa1

    https://t.me/duglassa1

rc4.plain
rc4.plain

Targets

    • Arkei

      Arkei is an infostealer written in C++.

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • suricata: ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • Arkei Stealer Payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Each tactic lists the technique name, the number of matching signatures in parentheses, and the ATT&CK technique ID.

Execution
  • Scheduled Task (1) - T1053

Persistence
  • Hidden Files and Directories (2) - T1158
  • Registry Run Keys / Startup Folder (1) - T1060
  • Scheduled Task (1) - T1053

Privilege Escalation
  • Scheduled Task (1) - T1053

Defense Evasion
  • Virtualization/Sandbox Evasion (1) - T1497
  • Hidden Files and Directories (2) - T1158
  • Modify Registry (1) - T1112

Credential Access
  • Credentials in Files (3) - T1081

Discovery
  • Query Registry (6) - T1012
  • Virtualization/Sandbox Evasion (1) - T1497
  • System Information Discovery (6) - T1082
  • Peripheral Device Discovery (2) - T1120
  • Remote System Discovery (1) - T1018

Collection
  • Data from Local System (3) - T1005
  • Email Collection (1) - T1114

Tasks