Malware Analysis Report

2025-06-16 05:10

Sample ID: 220419-ffmqfsdfdk
Target: zxcv.EXE
SHA256: df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731
Tags: arkei, default, stealer, suricata
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

Threat Level: Known bad

The file zxcv.EXE was found to be: Known bad.

Malicious Activity Summary

Tags: arkei, default, stealer, suricata

Arkei

suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA Environment Variable M4

Checks computer location settings

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-19 04:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-19 04:48

Reported

2022-04-19 05:00

Platform

win7-20220414-en

Max time kernel

121s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\zxcv.exe"

Signatures

Arkei (tags: stealer, arkei)

suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA Environment Variable M4 (tags: suricata)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zxcv.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1172 set thread context of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\zxcv.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zxcv.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zxcv.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1172 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\zxcv.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
(the entry above is recorded 11 times in the report, i.e. 11 separate writes from PID 1172 into PID 1804)

Processes

C:\Users\Admin\AppData\Local\Temp\zxcv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\zxcv.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country | Destination | Domain | Proto
SC | 185.215.113.89:80 | 185.215.113.89 | tcp
US | 8.8.8.8:53 | rockrock.ug | udp
SC | 185.215.113.89:80 | rockrock.ug | tcp
SC | 185.215.113.89:80 | rockrock.ug | tcp

Files

memory/1172-54-0x00000000001A0000-0x00000000001BE000-memory.dmp

memory/1172-55-0x00000000084B0000-0x0000000008614000-memory.dmp

memory/1172-56-0x0000000005AF0000-0x0000000005B38000-memory.dmp

memory/1804-57-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1804-58-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1804-60-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1804-62-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1804-63-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1804-65-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1804-67-0x000000000043C0B2-mapping.dmp

memory/1804-66-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1804-69-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1804-70-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1804-71-0x00000000755A1000-0x00000000755A3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-19 04:48

Reported

2022-04-19 05:00

Platform

win10v2004-20220414-en

Max time kernel

133s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\zxcv.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zxcv.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\zxcv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\zxcv.exe"

Network

Country | Destination | Domain | Proto
US | 67.26.211.254:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 67.26.211.254:80 | | tcp
US | 67.26.211.254:80 | | tcp
US | 67.24.169.254:80 | | tcp
US | 67.24.169.254:80 | | tcp
IE | 13.69.239.73:443 | | tcp
SC | 185.215.113.89:80 | | tcp
US | 67.26.211.254:80 | | tcp
US | 67.26.211.254:80 | | tcp
US | 67.26.207.254:80 | | tcp
US | 67.26.211.254:80 | | tcp
US | 8.252.118.126:80 | | tcp
US | 93.184.220.29:80 | | tcp
US | 204.79.197.203:80 | | tcp

Files

memory/4072-130-0x00000000006F0000-0x000000000070E000-memory.dmp

memory/4072-131-0x0000000005730000-0x0000000005CD4000-memory.dmp

memory/4072-132-0x00000000050A0000-0x0000000005132000-memory.dmp

memory/4072-133-0x0000000005160000-0x000000000516A000-memory.dmp