General

  • Target

    NEW ORDER.docx

  • Size

    183KB

  • Sample

    220524-j9yllagce9

  • MD5

    e3269bf05703bb2d4e7cfcceca146ed5

  • SHA1

    e5e2a9a4c2dca94eb93669ef73219cfc7754a260

  • SHA256

    0d3613b7a4aec3b9ad6f0fc308bdf7da98a4574e6cae6ab91a8c0ea4857f1fbc

  • SHA512

    acd7810464891ad926e63b579b6b09bb569397b5f8edbbbce4c9d2407cfe2d9a807d5f2a314cf592ff489a14773ee206e9029b077953503b58ba8d22586c8f15

Malware Config

Extracted

  • Language:
    ps1
  • Deobfuscated
  • URLs:
    ps1.dropper
    https://www.mediafire.com/file/jjqt737nagc8wqp/1.dll/file

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    103.153.77.98
  • Port:
    21
  • Username:
    jfhdjfhd1
  • Password:
    fhsjdhsje3333

Extracted

  • Family:
    arkei
  • Botnet:
    Default

Targets

    • Target

      NEW ORDER.docx

    • Arkei

      Arkei is an infostealer written in C++.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • suricata: ET MALWARE Generic gate .php GET with minimal headers

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    • suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks