arkei

General

Target

GBE_PO_3000105160.docx
Size

212KB
Sample

220524-xs71laaafp
MD5

5a0187dff6fcc8149b2e9d01e20179fa
SHA1

143ad92b2253eb5f23fa22d320844510f5c02834
SHA256

e79cbe266df0e4a6a72b6be67d0d0d4dc276ee4559c627a3dfd73dd1859af7f5
SHA512

b55c14806876fa155ab086ea3851ad25f876a547c6b045b224b9d6b2c3109a158d9361a3a30c0f8b262b9c3f811fc5736b8100b69fc3a9245bf1de145b23bfd7

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.mediafire.com/file/2xfbajsftslryfu/3.dll/file

Extracted

Credentials

Protocol: ftp
Host:
103.153.77.98
Port:
21
Username:
bvhffasoo3
Password:
txcmnxcaspo00

Extracted

Family

arkei

Botnet

Default

Extracted

Family

snakekeylogger

Credentials

Protocol: ftp
Host:
ftp://103.153.77.98/
Port:
21
Username:
bvhffasoo3
Password:
txcmnxcaspo00

Targets

- Target
  
  GBE_PO_3000105160.docx
- Size
  
  212KB
- MD5
  
  5a0187dff6fcc8149b2e9d01e20179fa
- SHA1
  
  143ad92b2253eb5f23fa22d320844510f5c02834
- SHA256
  
  e79cbe266df0e4a6a72b6be67d0d0d4dc276ee4559c627a3dfd73dd1859af7f5
- SHA512
  
  b55c14806876fa155ab086ea3851ad25f876a547c6b045b224b9d6b2c3109a158d9361a3a30c0f8b262b9c3f811fc5736b8100b69fc3a9245bf1de145b23bfd7
Score

10^/10

arkei snakekeylogger default collection keylogger spyware stealer suricata
- Arkei
  Arkei is an infostealer written in C++.
  stealer arkei
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- suricata: ET MALWARE Generic gate .php GET with minimal headers
  suricata: ET MALWARE Generic gate .php GET with minimal headers
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata
- suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
  suricata
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2