Malware Analysis Report

2025-04-13 10:41

Sample ID: 220507-e7a1asegaq
Target: zxcvb.exesdwelzxu
SHA256: df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731
Tags: arkei default stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

Threat Level: Known bad

The file zxcvb.exesdwelzxu was found to be: Known bad.

Malicious Activity Summary

arkei default stealer

Arkei

Checks computer location settings

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-07 04:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-07 04:34

Reported

2022-05-07 04:47

Platform

win7-20220414-en

Max time kernel

125s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"

Signatures

Arkei

stealer arkei

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
Target: N/A

Suspicious use of SetThreadContext

Description: PID 1996 set thread context of 1716
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 1996 wrote to memory of 1716
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Occurrences: 11 identical entries

Processes

C:\Users\Admin\AppData\Local\Temp\zxcvb.exe

"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country Destination Domain Proto
SC 185.215.113.89:80 185.215.113.89 tcp
US 8.8.8.8:53 rockrock.ug udp
SC 185.215.113.89:80 rockrock.ug tcp
SC 185.215.113.89:80 rockrock.ug tcp

Files

memory/1996-54-0x00000000009F0000-0x0000000000A0E000-memory.dmp

memory/1996-55-0x0000000075B71000-0x0000000075B73000-memory.dmp

memory/1996-56-0x0000000008840000-0x00000000089A4000-memory.dmp

memory/1996-57-0x0000000005E10000-0x0000000005E58000-memory.dmp

memory/1716-58-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1716-59-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1716-61-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1716-63-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1716-64-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1716-66-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1716-68-0x000000000043C0B2-mapping.dmp

memory/1716-67-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1716-70-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1716-71-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-07 04:34

Reported

2022-05-07 04:47

Platform

win10v2004-20220414-en

Max time kernel

165s

Max time network

184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\zxcvb.exe

"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"

Network

Country Destination Domain Proto
US 20.189.173.6:443 tcp
SC 185.215.113.89:80 tcp

Files

memory/4080-130-0x0000000000D90000-0x0000000000DAE000-memory.dmp

memory/4080-131-0x0000000005C70000-0x0000000006214000-memory.dmp

memory/4080-132-0x0000000005760000-0x00000000057F2000-memory.dmp

memory/4080-133-0x00000000058F0000-0x00000000058FA000-memory.dmp