arkei

General

Target

1.exezeakapqe
Size

360KB
Sample

220419-eqhzksbagk
MD5

b441579edee209535eca6408d91a9be1
SHA1

460c5cb8d760dfc21d01184a3bf2de63a4d0d802
SHA256

3927d5f26c91ddb637336063ef3a8c744ff1a65bdff6a92b2632e3f2fc2f75e3
SHA512

32214c73cf475f342edfbe3aab68ad09afe4db8885d4a9d56e4e8a7ab2492225916c6a890e322e58d5a7314537d2f919bf08492e23a98c7368fc1f41cf17f1a7

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://hydroxychl0roquine.xyz/

https://hydroxychl0roquine.xyz/

rc4.i32

Extracted

Family

redline

Botnet

@ChelnEvreya

C2

46.8.220.88:65531

Attributes

auth_value
d24bb0cd8742d0e0fba1abfab06e4005

Extracted

Family

redline

Botnet

install

C2

193.150.103.38:40169

Attributes

auth_value
7b121606198c8456e17d49ab8c2d0e42

Extracted

Family

arkei

Botnet

Default

C2

http://92.119.160.244/Biasdmxit.php

Extracted

Family

redline

Botnet

test run

C2

2.58.56.219:39064

Attributes

auth_value
8d3e3da14c8032e314235e1d040823c7

Targets

- Target
  
  1.exezeakapqe
- Size
  
  360KB
- MD5
  
  b441579edee209535eca6408d91a9be1
- SHA1
  
  460c5cb8d760dfc21d01184a3bf2de63a4d0d802
- SHA256
  
  3927d5f26c91ddb637336063ef3a8c744ff1a65bdff6a92b2632e3f2fc2f75e3
- SHA512
  
  32214c73cf475f342edfbe3aab68ad09afe4db8885d4a9d56e4e8a7ab2492225916c6a890e322e58d5a7314537d2f919bf08492e23a98c7368fc1f41cf17f1a7
Score

10^/10

arkei redline smokeloader @chelnevreya default install test run agilenet backdoor discovery infostealer persistence spyware stealer suricata trojan vmprotect
- Arkei
  Arkei is an infostealer written in C++.
  stealer arkei
- Modifies WinLogon for persistence
  persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA Environment Variable M4
  suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA Environment Variable M4
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2