General

  • Target

    1E9311C594D49FEBA530C3CE815DFD2D - Kopie

  • Size

    24KB

  • Sample

    220506-f4641acaan

  • MD5

    24cd5c386318545b5e0521a45914fb48

  • SHA1

    f9845e0afcb7a33f82f708c15275e9c3b3ef5314

  • SHA256

    bf9bf6b10b3958738af06e9384ae99067250e2a49f50823361724086af0ab933

  • SHA512

    40ee8f842aa557b8ed9d789dccdc64858f21abd2747a0f9e31646e4fe8b5edd9e9660df4e6bb1b3b033ce75b06700d851478c973d69044472617163e8a04f0b7

Malware Config

Extracted

Family

arkei

Botnet

Default

Targets

    • Target

      1E9311C594D49FEBA530C3CE815DFD2D - Kopie

    • Arkei

      Arkei is an infostealer written in C++.

    • suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks