General

  • Target

    0b4c35d12d6472f69dd06ccdba38802fceba972c397f7eca17b16e0aabab60db

  • Size

    271KB

  • Sample

    220419-jqy31sdhe4

  • MD5

    214e6795f6b2f271485a9678856ab69b

  • SHA1

    4ec3cea82374ee9d210099b499229266f8d25bdf

  • SHA256

    0b4c35d12d6472f69dd06ccdba38802fceba972c397f7eca17b16e0aabab60db

  • SHA512

    2b0e5fdf47872fd874308d3197c3aa95d60636cc5be698a674e3601afc4099025a537cf1b101e6ab377c0cce384014236dc5a0ab718c46ca648838e90d91617b

Malware Config

Extracted

Family

arkei

Botnet

Default

C2

http://jsdkci.link/588711.php

Targets

    • Target

      0b4c35d12d6472f69dd06ccdba38802fceba972c397f7eca17b16e0aabab60db

    • Arkei

      Arkei is an infostealer written in C++.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence so the stealer only runs on machines in targeted regions.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Enumerates Uninstall key entries in the registry to list the software installed on the system.

    • Suspicious use of SetThreadContext
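The signatures above describe the behaviours the sandbox observed; the following is an added example (not part of the sandbox report and not Arkei's own code) that turns them into checkable indicators: the report's hashes and C2 URL become exact-match indicators, and the registry/file behaviours become rules run over constructed process-monitor style log lines. The registry keys, file paths and log line format are my assumptions about what a stealer with these behaviours touches and how a host monitor records it; only the hashes and the URL are taken from the page.

```python
"""Indicators and behaviour rules derived from the sandbox findings (added example)."""
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied verbatim from the report's General / Malware Config sections.
REPORT = {
    "md5": "214e6795f6b2f271485a9678856ab69b",
    "sha1": "4ec3cea82374ee9d210099b499229266f8d25bdf",
    "sha256": "0b4c35d12d6472f69dd06ccdba38802fceba972c397f7eca17b16e0aabab60db",
    "c2": "http://jsdkci.link/588711.php",
}


def c2_indicators(url: str) -> dict:
    """Split the C2 URL into the pieces DNS, proxy and IDS rules match on."""
    u = urlparse(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return {"scheme": u.scheme, "host": u.hostname, "port": port, "path": u.path}


def matches_report_hashes(data: bytes) -> set:
    """Return the names of report hashes that `data` matches (empty set = not this sample)."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return {name for name, d in digests.items() if d == REPORT[name]}


# Behaviour rules. Key and path patterns are assumptions about typical stealer
# targets (locale keys for the geofence check, the Uninstall hive for software
# enumeration, Chromium/Firefox credential stores, common wallet files).
RULES = [
    ("geofence_locale_lookup",
     re.compile(r"RegQueryValue.*\\(Control\\Nls\\Language|Control Panel\\International)", re.I)),
    ("installed_software_enum",
     re.compile(r"Reg(Enum|Query).*\\CurrentVersion\\Uninstall", re.I)),
    ("browser_profile_read",
     re.compile(r"ReadFile.*\\(User Data\\.*\\Login Data|Firefox\\Profiles\\.*\\logins\.json)", re.I)),
    ("wallet_file_access",
     re.compile(r"ReadFile.*\\(wallet\.dat|Exodus\\|Electrum\\wallets)", re.I)),
]


def classify_events(lines):
    """Return (rule_name, line) for every log line that matches a behaviour rule."""
    hits = []
    for line in lines:
        for name, rx in RULES:
            if rx.search(line):
                hits.append((name, line))
    return hits


def triage_verdict(hits, min_rules=2) -> bool:
    """Flag a process when at least `min_rules` distinct behaviours fire, as the
    sandbox did by stacking several signatures rather than relying on one."""
    return len({name for name, _ in hits}) >= min_rules


# Constructed log lines in a "<pid> <image> <operation> <path> <result>" layout.
# A failed wallet lookup (NAME NOT FOUND) is still an access attempt and is kept.
SAMPLE_LOG = [
    r"1234 sample.exe RegQueryValue HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language\InstallLanguage SUCCESS",
    r"1234 sample.exe RegEnumKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall SUCCESS",
    r"1234 sample.exe ReadFile C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data SUCCESS",
    r"1234 sample.exe ReadFile C:\Users\u\AppData\Roaming\Bitcoin\wallet.dat NAME NOT FOUND",
    r"5678 explorer.exe RegQueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SUCCESS",
]

if __name__ == "__main__":
    print(c2_indicators(REPORT["c2"]))
    hits = classify_events(SAMPLE_LOG)
    for name, line in hits:
        print(f"{name:28s} {line}")
    print("stealer-like:", triage_verdict(hits))
```

The hash check is deliberately exact: a recompiled or repacked build of the same family will not match it, which is why the behaviour rules carry the detection weight. The `explorer.exe` line is included as a benign control; it touches `CurrentVersion` but not `Uninstall`, so no rule fires on it. Note that Sysmon does not record registry reads or file reads by default, so rules of this shape need a process-monitor or ETW source that does.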
