arkei

General

Target

01b31a5b16aa19085e8182dab279ddf8.exe
Size

330KB
Sample

220218-wsla6adfej
MD5

01b31a5b16aa19085e8182dab279ddf8
SHA1

005fed815cef211835a93b94b0185bd6abe98db4
SHA256

e461fe15f9e582be71695a8a52439cc93c6c68b5168f527ffd28f2c62236f46f
SHA512

2cb4a021438356173ea8d680ba3aec8af167fdb76b5bdf694579f5a4870119152cacfbdde9652211a6258179abe8ac448fd26e8aa36afda314afbad3376c71a4

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://dollybuster.at/upload/

http://spaldingcompanies.com/upload/

http://remik-franchise.ru/upload/

http://fennsports.com/upload/

http://am1420wbec.com/upload/

http://islamic-city.com/upload/

http://egsagl.com/upload/

http://mordo.ru/upload/

http://piratia-life.ru/upload/

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

http://statssblogsta.in/stat/

http://statssblogsta.com/stat/

rc4.i32

Extracted

Family

icedid

Campaign

1860595763

C2

badgoodreason.com

Extracted

Family

warzonerat

C2

193.203.203.96:5200

Targets

- Target
  
  01b31a5b16aa19085e8182dab279ddf8.exe
- Size
  
  330KB
- MD5
  
  01b31a5b16aa19085e8182dab279ddf8
- SHA1
  
  005fed815cef211835a93b94b0185bd6abe98db4
- SHA256
  
  e461fe15f9e582be71695a8a52439cc93c6c68b5168f527ffd28f2c62236f46f
- SHA512
  
  2cb4a021438356173ea8d680ba3aec8af167fdb76b5bdf694579f5a4870119152cacfbdde9652211a6258179abe8ac448fd26e8aa36afda314afbad3376c71a4
Score

10^/10

arkei icedid smokeloader 1860595763 backdoor banker discovery evasion spyware stealer suricata trojan warzonerat collection infostealer rat
- Arkei
  Arkei is an infostealer written in C++.
  stealer arkei
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Win32/IcedID Request Cookie
  suricata: ET MALWARE Win32/IcedID Request Cookie
  suricata
- suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
  suricata
- suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
  suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
  suricata
- suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
  suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
  suricata
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Warzone RAT Payload
  rat
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2