arkei

General

Target

028e110e35ec6f116521ec73e424da232b578c05f274a250611e3085e1d37f32
Size

683KB
Sample

220528-ehqz8agaa5
MD5

92def7f5c05e2aeec0c51991724def95
SHA1

8609585394aae744d881faf7483c9f41c859cc0d
SHA256

028e110e35ec6f116521ec73e424da232b578c05f274a250611e3085e1d37f32
SHA512

0f0a8451f0536a774af54d3f7c74aef72463f8f9a9a816758f2eb1d440a2e88c84096bdfb03e04eecce06d9241fc5e456eda648016b14d894148a67e57a5fb08

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://qwertzx.ru/qwerty.ps1

Extracted

Family

arkei

Botnet

Default

Targets

- Target
  
  028e110e35ec6f116521ec73e424da232b578c05f274a250611e3085e1d37f32
- Size
  
  683KB
- MD5
  
  92def7f5c05e2aeec0c51991724def95
- SHA1
  
  8609585394aae744d881faf7483c9f41c859cc0d
- SHA256
  
  028e110e35ec6f116521ec73e424da232b578c05f274a250611e3085e1d37f32
- SHA512
  
  0f0a8451f0536a774af54d3f7c74aef72463f8f9a9a816758f2eb1d440a2e88c84096bdfb03e04eecce06d9241fc5e456eda648016b14d894148a67e57a5fb08
Score

10^/10

arkei default spyware stealer suricata
- Arkei
  Arkei is an infostealer written in C++.
  stealer arkei
- suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
  suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
  suricata
- suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
  suricata
- suricata: ET MALWARE Windows executable base64 encoded
  suricata: ET MALWARE Windows executable base64 encoded
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4

suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

suricata: ET MALWARE Windows executable base64 encoded

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2