Extracted

Extracted

• • Target

    4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf

  • Size

    339KB

  • MD5

    b75726b4b619811b4c50d917822a4083

  • SHA1

    ed8b418d7357609ce03c4f7123c0bb711b9d227d

  • SHA256

    4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf

  • SHA512

    59516fdf6334f4005c7881322eb9a057939804e18ba8f13d0cb48fdc460aab19570c482e87700c6884807e1c885864ed422646f3150d9df731a10ecf5a7e05c9

  Score

  10^/10

  arkeismokeloadertofseevidarxmrigbackdoorcollectiondiscoveryevasionminerpersistencespywarestealersuricatatrojan

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Windows security bypass

    evasiontrojan

  • suricata: ET MALWARE Fake Software Download Redirect Leading to Malware M3

    suricata: ET MALWARE Fake Software Download Redirect Leading to Malware M3

    suricata

  • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata

  • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    suricata

  • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata

  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    suricata

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • Arkei Stealer Payload

    stealer

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • XMRig Miner Payload

    miner

  • Creates new service(s)

    persistence

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1