arkei

General

Target

Payment-Remittance advice invoice JF-EXP-2022-028.docx
Size

185KB
Sample

220524-xs71laaafq
MD5

12c52790792eb41dd711c80d962c4cb7
SHA1

1ee28c19dbb2c76421a6da3b97cf98fe0a9838a7
SHA256

c01d6244c576e3535e1ca3516c7d7358126b3d109f431d267c461137c0cdf16d
SHA512

c9a02261d2a40c8d9f9a88e6b27b69398c674f2d028870dd2616b36ad4692eecc5c9477edb8933630b0cd94b783fad8a246dda089ca4c55b6dc39fcd3938eee3

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.mediafire.com/file/6ied8rswkve2dfr/15.dll/file

Extracted

Credentials

Protocol: ftp
Host:
103.153.77.98
Port:
21
Username:
jdfhjdfooo15
Password:
wwssjdhsdd446

Extracted

Family

arkei

Botnet

Default

Extracted

Family

snakekeylogger

Credentials

Protocol: ftp
Host:
ftp://103.153.77.98/
Port:
21
Username:
jdfhjdfooo15
Password:
wwssjdhsdd446

Targets

- Target
  
  Payment-Remittance advice invoice JF-EXP-2022-028.docx
- Size
  
  185KB
- MD5
  
  12c52790792eb41dd711c80d962c4cb7
- SHA1
  
  1ee28c19dbb2c76421a6da3b97cf98fe0a9838a7
- SHA256
  
  c01d6244c576e3535e1ca3516c7d7358126b3d109f431d267c461137c0cdf16d
- SHA512
  
  c9a02261d2a40c8d9f9a88e6b27b69398c674f2d028870dd2616b36ad4692eecc5c9477edb8933630b0cd94b783fad8a246dda089ca4c55b6dc39fcd3938eee3
Score

10^/10

arkei snakekeylogger default collection keylogger spyware stealer suricata
- Arkei
  Arkei is an infostealer written in C++.
  stealer arkei
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- suricata: ET MALWARE Generic gate .php GET with minimal headers
  suricata: ET MALWARE Generic gate .php GET with minimal headers
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata
- suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
  suricata
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2