Overview

overview

10

Static

static

028e110e35...32.lnk

windows7_x64

10

028e110e35...32.lnk

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    028e110e35ec6f116521ec73e424da232b578c05f274a250611e3085e1d37f32

  • Size

    683KB

  • Sample

    220528-ehqz8agaa5

  • MD5

    92def7f5c05e2aeec0c51991724def95

  • SHA1

    8609585394aae744d881faf7483c9f41c859cc0d

  • SHA256

    028e110e35ec6f116521ec73e424da232b578c05f274a250611e3085e1d37f32

  • SHA512

    0f0a8451f0536a774af54d3f7c74aef72463f8f9a9a816758f2eb1d440a2e88c84096bdfb03e04eecce06d9241fc5e456eda648016b14d894148a67e57a5fb08

Score
10/10
arkeidefaultspywarestealersuricata

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://qwertzx.ru/qwerty.ps1

Extracted

Family

arkei

Botnet

Default

Targets

    • Target

      028e110e35ec6f116521ec73e424da232b578c05f274a250611e3085e1d37f32

    • Size

      683KB

    • MD5

      92def7f5c05e2aeec0c51991724def95

    • SHA1

      8609585394aae744d881faf7483c9f41c859cc0d

    • SHA256

      028e110e35ec6f116521ec73e424da232b578c05f274a250611e3085e1d37f32

    • SHA512

      0f0a8451f0536a774af54d3f7c74aef72463f8f9a9a816758f2eb1d440a2e88c84096bdfb03e04eecce06d9241fc5e456eda648016b14d894148a67e57a5fb08

    Score
    10/10
    arkeidefaultspywarestealersuricata

    • Arkei

      Arkei is an infostealer written in C++.

      stealerarkei

    • suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4

      suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4

      suricata

    • suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

      suricata

    • suricata: ET MALWARE Windows executable base64 encoded

      suricata: ET MALWARE Windows executable base64 encoded

      suricata

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks