arkei | 438acfda9ebe75b126a2100b2492d3bcd42ed63808fa17a18fd944ff0a2486c6

General

Target

438acfda9ebe75b126a2100b2492d3bcd42ed63808fa17a18fd944ff0a2486c6.exe
Size

350KB
MD5

3e80e94c1d7f450368170229f9c3883f
SHA1

ac8904a52d7ee81153b64139f329f35a43fec7b3
SHA256

438acfda9ebe75b126a2100b2492d3bcd42ed63808fa17a18fd944ff0a2486c6
SHA512

74d6ed67a2f31091c4a3c05ecd034cf897ace203469099d5a680fe60647d4a17572a8d390cad2f52a9f8c61a684c2cc0224eb89f50d8d8be480e9c392c655c9b

Score

10^/10

arkei default spyware stealer

Malware Config

Extracted

Family

arkei

Botnet

Default

C2

http://coin-file-file-19.com/tratata.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei

Arkei Stealer Payload 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/964-55-0x0000000000220000-0x000000000023C000-memory.dmp	family_arkei
behavioral1/memory/964-56-0x0000000000400000-0x000000000045F000-memory.dmp	family_arkei

Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

438acfda9ebe75b126a2100b2492d3bcd42ed63808fa17a18fd944ff0a2486c6.exe

pid process

964 438acfda9ebe75b126a2100b2492d3bcd42ed63808fa17a18fd944ff0a2486c6.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
964	438acfda9ebe75b126a2100b2492d3bcd42ed63808fa17a18fd944ff0a2486c6.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

chrome.exechrome.exe

pid process

1232 chrome.exe
320 chrome.exe
320 chrome.exe

pid	process
1232	chrome.exe
320	chrome.exe
320	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe
320	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 320 wrote to memory of 1320	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1320	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1320	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1048	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1232	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1232	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1232	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe
PID 320 wrote to memory of 1548	320	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\438acfda9ebe75b126a2100b2492d3bcd42ed63808fa17a18fd944ff0a2486c6.exe
"C:\Users\Admin\AppData\Local\Temp\438acfda9ebe75b126a2100b2492d3bcd42ed63808fa17a18fd944ff0a2486c6.exe"
1⤵
- Loads dropped DLL
PID:964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6644f50,0x7fef6644f60,0x7fef6644f70
2⤵
PID:1320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1128,3850830920307370132,224339131491208191,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1272 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1128,3850830920307370132,224339131491208191,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1136 /prefetch:2
2⤵
PID:1048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1128,3850830920307370132,224339131491208191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1896 /prefetch:8
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1128,3850830920307370132,224339131491208191,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
2⤵
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1128,3850830920307370132,224339131491208191,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1
2⤵
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,3850830920307370132,224339131491208191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
2⤵
PID:1724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1128,3850830920307370132,224339131491208191,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1204 /prefetch:2
2⤵
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1128,3850830920307370132,224339131491208191,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1
2⤵
PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,3850830920307370132,224339131491208191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
2⤵
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,3850830920307370132,224339131491208191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3244 /prefetch:8
2⤵
PID:528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,3850830920307370132,224339131491208191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3352 /prefetch:8
2⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,3850830920307370132,224339131491208191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3156 /prefetch:8
2⤵
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1128,3850830920307370132,224339131491208191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4008 /prefetch:8
2⤵
PID:2288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\pipe\crashpad_320_CDSZBCPCRPXLTHEB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/964-54-0x0000000000020000-0x0000000000031000-memory.dmp

Filesize
68KB

Download
memory/964-55-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/964-56-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/964-57-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads