Overview

overview

10

Static

static

NEW ORDER.docx

windows7_x64

10

NEW ORDER.docx

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NEW ORDER.docx

  • Size

    183KB

  • Sample

    220524-j9ehqagce6

  • MD5

    e3269bf05703bb2d4e7cfcceca146ed5

  • SHA1

    e5e2a9a4c2dca94eb93669ef73219cfc7754a260

  • SHA256

    0d3613b7a4aec3b9ad6f0fc308bdf7da98a4574e6cae6ab91a8c0ea4857f1fbc

  • SHA512

    acd7810464891ad926e63b579b6b09bb569397b5f8edbbbce4c9d2407cfe2d9a807d5f2a314cf592ff489a14773ee206e9029b077953503b58ba8d22586c8f15

Score
10/10
arkeisnakekeyloggerdefaultkeyloggerstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://www.mediafire.com/file/jjqt737nagc8wqp/1.dll/file

Extracted

Family

arkei

Botnet

Default

Targets

    • Target

      NEW ORDER.docx

    • Size

      183KB

    • MD5

      e3269bf05703bb2d4e7cfcceca146ed5

    • SHA1

      e5e2a9a4c2dca94eb93669ef73219cfc7754a260

    • SHA256

      0d3613b7a4aec3b9ad6f0fc308bdf7da98a4574e6cae6ab91a8c0ea4857f1fbc

    • SHA512

      acd7810464891ad926e63b579b6b09bb569397b5f8edbbbce4c9d2407cfe2d9a807d5f2a314cf592ff489a14773ee206e9029b077953503b58ba8d22586c8f15

    Score
    10/10
    arkeisnakekeyloggerdefaultkeyloggerstealer

    • Arkei

      Arkei is an infostealer written in C++.

      stealerarkei

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks