arkei | df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

Analysis

max time kernel
85s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe
Size

100KB
MD5

c7a310982da68b10360854f9cd78e718
SHA1

60140c28e0b7db797a771c2dee081fa3812246db
SHA256

df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731
SHA512

6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Score

10^/10

arkei azorult default infostealer stealer trojan

Malware Config

Extracted

Family

arkei

Botnet

Default

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation	df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1356 set thread context of 1800	1356	df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe	28

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
860	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1356	df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe
1356	df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 1800	1356	df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe	28
PID 1356 wrote to memory of 1800	1356	df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe	28
PID 1356 wrote to memory of 1800	1356	df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe	28
PID 1356 wrote to memory of 1800	1356	df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe	28
PID 1356 wrote to memory of 1800	1356	df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe	28
PID 1356 wrote to memory of 1800	1356	df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe	28
PID 1356 wrote to memory of 1800	1356	df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe	28
PID 1356 wrote to memory of 1800	1356	df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe	28
PID 1356 wrote to memory of 1800	1356	df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe	28
PID 1356 wrote to memory of 1800	1356	df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe	28
PID 1356 wrote to memory of 1800	1356	df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe	28

C:\Users\Admin\AppData\Local\Temp\df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe
"C:\Users\Admin\AppData\Local\Temp\df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  PID:1800
- - C:\Users\Admin\AppData\Roaming\azne.exe
    "C:\Users\Admin\AppData\Roaming\azne.exe"
    3⤵
    PID:1000
  - - C:\Users\Admin\AppData\Roaming\azne.exe
      C:\Users\Admin\AppData\Roaming\azne.exe
      4⤵
      PID:1360
- - C:\Users\Admin\AppData\Roaming\pm.exe
    "C:\Users\Admin\AppData\Roaming\pm.exe"
    3⤵
    PID:556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwAsACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABYAGUAZwBuAHIAZgBiAGwAXABIAGoAYgBqAG0ALgBlAHgAZQAnAA==
      4⤵
      PID:1392
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      4⤵
      PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & exit
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\azne.exe

Filesize
93KB

MD5
a888bc872b13e418a7b47b92116304dd

SHA1
597d00ffa29ea4418a780717926ed5ce11766cfa

SHA256
e0b8f06628cc2e1c8b677ed34b402ccc03d88497ad683dad54c1949bd2887c51

SHA512
cdbbaf0663e4073fe7806164d94925793789e4392bba615079f5bb36c02726848dfa1c70c868bbda83832129fd0175601a80e67d0f79c51d10cdbc81745e654b

Download Submit
C:\Users\Admin\AppData\Roaming\azne.exe

Filesize
100KB

MD5
683600b61a32d3eb2cd44cb34fdf7ab3

SHA1
e8bdd864c2610495850bf525cd1529c66c0b0b53

SHA256
26f35270f714065705474f3a330a9b7676c2d7e30b9cb9de57d726930768fe29

SHA512
5e85802a49875fadfff9bd2d1e4f04bb3e391709813757e14364b99f674e3e7fea757f861c2d811e9882035737d122ebfd4aa17039fdc08dc16f73028159e389

Download Submit
C:\Users\Admin\AppData\Roaming\azne.exe

Filesize
100KB

MD5
683600b61a32d3eb2cd44cb34fdf7ab3

SHA1
e8bdd864c2610495850bf525cd1529c66c0b0b53

SHA256
26f35270f714065705474f3a330a9b7676c2d7e30b9cb9de57d726930768fe29

SHA512
5e85802a49875fadfff9bd2d1e4f04bb3e391709813757e14364b99f674e3e7fea757f861c2d811e9882035737d122ebfd4aa17039fdc08dc16f73028159e389

Download Submit
C:\Users\Admin\AppData\Roaming\pm.exe

Filesize
167KB

MD5
11c2ec90270f5bddd3d86c1a7ae1ebd4

SHA1
b43569ebdc2faa80c07def0e5e91f7f4a020ea46

SHA256
fb4019b4d15074a98702792c8a104c0eb22031e778bf20e5f269ba6303d6a310

SHA512
d49dbfa0274530e604f62f8bd8f42332fae7db5137c661698679661a83675976e901bc57081e4d8378da8ddb9a3026e31e9bddb77a38a1d19f785847f5062143

Download Submit
C:\Users\Admin\AppData\Roaming\pm.exe

Filesize
118KB

MD5
94cb601a5109803f7a482d54d22d59b6

SHA1
35f456a4025a805432d63f0a6bfb660a3dc0b858

SHA256
c0850f59211ed165f2eded7bf3fe401b9006f12ad3b9f9cff54867c11d85e0b3

SHA512
a3739ff26083931eea89b52e5082a35383f74de8c744ba7ea1303a0759622c66909c5c70f35d561ca4809145b48d1cf6fbc000ab318435aab053fb907dfdd065

Download Submit
\ProgramData\mozglue.dll

Filesize
115KB

MD5
428a70826c277973e478f51bfd726150

SHA1
ea8758834678dfdcacdc03b98af38eebea0ea655

SHA256
7e51038cfe7bd6883355a1a22b824f060ae7bd3e06deddef92d88527cbb86f30

SHA512
cbaa1e0e79b46f1741bbc90966655665aa812252f0ce1aa80919ec8d890cf97c94405ec6d232a27155aa1767f60683e262647dc4c5324ae4152c97b5a0f46157

Download Submit
\ProgramData\nss3.dll

Filesize
126KB

MD5
9c59726f1695d9b7536401c7475f4e0c

SHA1
00745ae690c3f7f471d477b54b52068df004dc27

SHA256
abfb948bcbe6fe5c043c0aba6a0203f216c818a1a682e3b3210e69300b73c836

SHA512
d56efcbf69893a16aceacbdb7b93ee9a0ca58478e84d8d3751d5fad4e9400e595ba0cedc211bb0c433f797e871395c6a46dd7a995b4e3e4e8ef419cd8f881db9

Download Submit
\Users\Admin\AppData\Roaming\azne.exe

Filesize
100KB

MD5
683600b61a32d3eb2cd44cb34fdf7ab3

SHA1
e8bdd864c2610495850bf525cd1529c66c0b0b53

SHA256
26f35270f714065705474f3a330a9b7676c2d7e30b9cb9de57d726930768fe29

SHA512
5e85802a49875fadfff9bd2d1e4f04bb3e391709813757e14364b99f674e3e7fea757f861c2d811e9882035737d122ebfd4aa17039fdc08dc16f73028159e389

Download Submit
\Users\Admin\AppData\Roaming\azne.exe

Filesize
100KB

MD5
683600b61a32d3eb2cd44cb34fdf7ab3

SHA1
e8bdd864c2610495850bf525cd1529c66c0b0b53

SHA256
26f35270f714065705474f3a330a9b7676c2d7e30b9cb9de57d726930768fe29

SHA512
5e85802a49875fadfff9bd2d1e4f04bb3e391709813757e14364b99f674e3e7fea757f861c2d811e9882035737d122ebfd4aa17039fdc08dc16f73028159e389

Download Submit
\Users\Admin\AppData\Roaming\azne.exe

Filesize
94KB

MD5
3155484d3d1dcdcda8c913f940770860

SHA1
954168ec8625d8bbc98390878e11713bd627a40a

SHA256
2e14dfc3b1dfccdc85a5e55d585466fc0657082ef690d185f86f32710552b59c

SHA512
ab35444594fd9bb63145bc519ded02b0475c86b99bb85b8c0303f2c28a9699ae0672f3f911c600e1d1f23a745804d3380bd57628d45b2c0bf129e850ed502087

Download Submit
\Users\Admin\AppData\Roaming\azne.exe

Filesize
100KB

MD5
683600b61a32d3eb2cd44cb34fdf7ab3

SHA1
e8bdd864c2610495850bf525cd1529c66c0b0b53

SHA256
26f35270f714065705474f3a330a9b7676c2d7e30b9cb9de57d726930768fe29

SHA512
5e85802a49875fadfff9bd2d1e4f04bb3e391709813757e14364b99f674e3e7fea757f861c2d811e9882035737d122ebfd4aa17039fdc08dc16f73028159e389

Download Submit
\Users\Admin\AppData\Roaming\pm.exe

Filesize
154KB

MD5
d9e9f70c3d3e60d09d28f3cedc30dd89

SHA1
418eba50ee79f0cabe61f8d7284b605ca4ba8e80

SHA256
529f0daf3663b76da720d79822e57396495efeb2520133d526e4fe66544ab338

SHA512
55c95233a8351146002d86bcb199b347684a44d67c90879af29f514d774847e02ef3e2089ed35ceab1c68824d26a44c7eb4004bbe6cba304419b764eecd16fea

Download Submit
\Users\Admin\AppData\Roaming\pm.exe

Filesize
153KB

MD5
25835e3054f2b4d2823d639ca82aa5b8

SHA1
d09e3653aade156723de4dfc6dfe8241bc5ee9fb

SHA256
51fb66218786cf87a1ba318d7806281ba7ff49c5fb8b48e4fe905b6898cfee4f

SHA512
6ace33bf680f9c3368bdbcb904fa1f45ae3de52666879ef6812c62ddba03ea5783e8054c20f026bcbd698b97eb8760591e11d72b1bded4b24c048b744c8a27c3

Download Submit
\Users\Admin\AppData\Roaming\pm.exe

Filesize
163KB

MD5
ea169d695eb9aa1c4859d642266a5f8f

SHA1
54dd190b049809465975056678dfc67f23acc0c2

SHA256
9dfc59469b07fc700a39c6d7c46e27ce2071ac7e438f607646636da4a7b687ab

SHA512
f4874dfa69f3d75afd61ae8aafc05a9e8056457c9846975809f4bbb99237625f4f33398a25a6587746f2809e0143f32fd97ef991e731f0e789f73f9c4a3b6d3e

Download Submit
\Users\Admin\AppData\Roaming\pm.exe

Filesize
154KB

MD5
26cd072089f8e762d4921a51ed87644f

SHA1
1fb1394d34454bed7146ca11b8432b4b4b350f4a

SHA256
0a2ab69b0c875b6d6882f9b0fbd9479074d0c6559bad64952012f0be6f2638a8

SHA512
b7e18d007db7b417915c1f40969478f9c8224c737ed70a2a5ef3beb0c7cb4727c2812045f0e563519bdbaa275c0ef2805bf8fd0f31c038d58b8d14b48f2f7f27

Download Submit
memory/556-117-0x0000000000CE0000-0x0000000000D7E000-memory.dmp

Filesize
632KB

Download
memory/556-116-0x000000001B516000-0x000000001B535000-memory.dmp

Filesize
124KB

Download
memory/556-112-0x000000001BBE0000-0x000000001BDAE000-memory.dmp

Filesize
1.8MB

Download
memory/556-111-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download
memory/556-110-0x0000000001340000-0x0000000001526000-memory.dmp

Filesize
1.9MB

Download
memory/1000-131-0x0000000006A80000-0x0000000006C1E000-memory.dmp

Filesize
1.6MB

Download
memory/1000-101-0x00000000010C0000-0x00000000010DE000-memory.dmp

Filesize
120KB

Download
memory/1000-132-0x0000000004FC0000-0x0000000004FF8000-memory.dmp

Filesize
224KB

Download
memory/1356-56-0x00000000084D0000-0x0000000008634000-memory.dmp

Filesize
1.4MB

Download
memory/1356-55-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download
memory/1356-54-0x0000000000AA0000-0x0000000000ABE000-memory.dmp

Filesize
120KB

Download
memory/1356-57-0x0000000004C60000-0x0000000004CA8000-memory.dmp

Filesize
288KB

Download
memory/1360-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1360-134-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1360-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1360-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1360-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1360-140-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1360-145-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1360-144-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1800-66-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-73-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1800-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-70-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-67-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-63-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-61-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-71-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-59-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-58-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1852-128-0x00000000005C0000-0x000000000060E000-memory.dmp

Filesize
312KB

Download
memory/1852-121-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/1852-130-0x000000001BCC6000-0x000000001BCE5000-memory.dmp

Filesize
124KB

Download
memory/1852-129-0x00000000008E0000-0x000000000092C000-memory.dmp

Filesize
304KB

Download
memory/1852-127-0x0000000002420000-0x00000000024C6000-memory.dmp

Filesize
664KB

Download
memory/1852-118-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/1852-119-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/1852-123-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download