arkei | 21dcb10cb40e5357959aaed507513d8e04e72ba0e348c91288beeb8a00340c42 | Triage

Submit
Reports

Overview

overview

Static

static

Purchase O...).docx

windows7_x64

Purchase O...).docx

windows10-2004_x64

Sharing

General

Target

Purchase Order (Ref M050417).docx
Size

169KB
Sample

220524-xs71laaafn
MD5

f3507e52fb0692a6fbac4afdc60b0f84
SHA1

11ecc242faa42035b8a98e564b6a93eeaaf15338
SHA256

21dcb10cb40e5357959aaed507513d8e04e72ba0e348c91288beeb8a00340c42
SHA512

8f67a97360b12fc2cdd3bf0f24becc3c39719de58c93a52de47916a9a86445ab5ffb672d06f7be95604034aa3e0861bfa6f1a6a2f7a151179b46722a86716e67

Score

10^/10

arkei snakekeylogger default keylogger stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

Purchase Order (Ref M050417).docx

Resource

win7-20220414-en

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Purchase Order (Ref M050417).docx

Resource

win10v2004-20220414-en

arkei snakekeylogger default keylogger stealer suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.mediafire.com/file/66qmupxl6a3kglz/12.dll/file

Extracted

Family

arkei

Botnet

Default

Extracted

Family

snakekeylogger

Credentials

Protocol: ftp
Host:
ftp://103.153.77.98/
Port:
21
Username:
jfhgjuere12
Password:
hdhddjhfu1299

Targets

- Target
  
  Purchase Order (Ref M050417).docx
- Size
  
  169KB
- MD5
  
  f3507e52fb0692a6fbac4afdc60b0f84
- SHA1
  
  11ecc242faa42035b8a98e564b6a93eeaaf15338
- SHA256
  
  21dcb10cb40e5357959aaed507513d8e04e72ba0e348c91288beeb8a00340c42
- SHA512
  
  8f67a97360b12fc2cdd3bf0f24becc3c39719de58c93a52de47916a9a86445ab5ffb672d06f7be95604034aa3e0861bfa6f1a6a2f7a151179b46722a86716e67
Score

10^/10

arkei snakekeylogger default keylogger stealer suricata
- Arkei
  Arkei is an infostealer written in C++.
  stealer arkei
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- suricata: ET MALWARE Generic gate .php GET with minimal headers
  suricata: ET MALWARE Generic gate .php GET with minimal headers
  suricata
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

arkeisnakekeyloggerdefaultkeyloggerstealersuricata

© 2018-2025

Terms | Privacy