arkei | 4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004_x64

Sharing

General

Target

4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c
Size

319KB
Sample

220115-exv8gscggn
MD5

8f18b3951ebf449691a64b31cdb19f3e
SHA1

299884e381f8d243430b00732de3d6374a8cb245
SHA256

4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c
SHA512

26e979d335d72954550915efe62fad1d07a0981ec4f9502ed81115cefaf329fb5bfd161cf4f5e634dc389fb77f1a186c7827f3bd2c8ac167821f6fd266570b89

Score

10^/10

arkei smokeloader tofsee default backdoor evasion persistence stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c.exe

Resource

win10v2004-en-20220112

arkei smokeloader tofsee default backdoor evasion persistence stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

rc4.i32

rc4.i32

rc4.i32

Extracted

Family

arkei

Botnet

Default

C2

http://file-file-host4.com/tratata.php

Extracted

Family

tofsee

C2

patmushta.info

parubey.info

Targets

- Target
  
  4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c
- Size
  
  319KB
- MD5
  
  8f18b3951ebf449691a64b31cdb19f3e
- SHA1
  
  299884e381f8d243430b00732de3d6374a8cb245
- SHA256
  
  4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c
- SHA512
  
  26e979d335d72954550915efe62fad1d07a0981ec4f9502ed81115cefaf329fb5bfd161cf4f5e634dc389fb77f1a186c7827f3bd2c8ac167821f6fd266570b89
Score

10^/10

arkei smokeloader tofsee default backdoor evasion persistence stealer suricata trojan
- Arkei
  Arkei is an infostealer written in C++.
  stealer arkei
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata
- Arkei Stealer Payload
  stealer
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

arkeismokeloadertofseedefaultbackdoorevasionpersistencestealersuricatatrojan

© 2018-2024

Terms | Privacy