arkei | 3f0841eff18ab98e2614071d89619c1fb84e653cb1c524384801bdf00d7e9d42

General

Target

f3b2c0e21faa2d771b315cfda97a4c32.exe
Size

2.5MB
MD5

f3b2c0e21faa2d771b315cfda97a4c32
SHA1

806b920c7c0299ffa9fbe4c94825d0313381927f
SHA256

3f0841eff18ab98e2614071d89619c1fb84e653cb1c524384801bdf00d7e9d42
SHA512

6c0503c9523027ebc2c4363e2d3aef39c513316aaf69bdf5f660112a1f3f1371ca20d5f8f134485ee573076084592ace1bc5e1056c8d645e010bb6b2267b19b2

Score

10^/10

arkei default stealer

Malware Config

Extracted

Family

arkei

Botnet

Default

C2

http://jsdkca.link/518855.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1068 set thread context of 4352	1068	f3b2c0e21faa2d771b315cfda97a4c32.exe	88

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1068	f3b2c0e21faa2d771b315cfda97a4c32.exe
1068	f3b2c0e21faa2d771b315cfda97a4c32.exe
1068	f3b2c0e21faa2d771b315cfda97a4c32.exe
1068	f3b2c0e21faa2d771b315cfda97a4c32.exe
1068	f3b2c0e21faa2d771b315cfda97a4c32.exe
1068	f3b2c0e21faa2d771b315cfda97a4c32.exe
1068	f3b2c0e21faa2d771b315cfda97a4c32.exe
1068	f3b2c0e21faa2d771b315cfda97a4c32.exe
1068	f3b2c0e21faa2d771b315cfda97a4c32.exe
1068	f3b2c0e21faa2d771b315cfda97a4c32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1068	f3b2c0e21faa2d771b315cfda97a4c32.exe
Token: SeIncBasePriorityPrivilege	1068	f3b2c0e21faa2d771b315cfda97a4c32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 4352	1068	f3b2c0e21faa2d771b315cfda97a4c32.exe	88
PID 1068 wrote to memory of 4352	1068	f3b2c0e21faa2d771b315cfda97a4c32.exe	88
PID 1068 wrote to memory of 4352	1068	f3b2c0e21faa2d771b315cfda97a4c32.exe	88
PID 1068 wrote to memory of 4352	1068	f3b2c0e21faa2d771b315cfda97a4c32.exe	88
PID 1068 wrote to memory of 4352	1068	f3b2c0e21faa2d771b315cfda97a4c32.exe	88

C:\Users\Admin\AppData\Local\Temp\f3b2c0e21faa2d771b315cfda97a4c32.exe
"C:\Users\Admin\AppData\Local\Temp\f3b2c0e21faa2d771b315cfda97a4c32.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Local\Temp\f3b2c0e21faa2d771b315cfda97a4c32.exe
  "C:\Users\Admin\AppData\Local\Temp\f3b2c0e21faa2d771b315cfda97a4c32.exe"
  2⤵
  PID:4352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1068-140-0x0000000010190000-0x000000001048A000-memory.dmp

Filesize
3.0MB

Download
memory/1068-134-0x0000000003B60000-0x0000000003B88000-memory.dmp

Filesize
160KB

Download
memory/1068-130-0x0000000000E40000-0x0000000001271000-memory.dmp

Filesize
4.2MB

Download
memory/1068-151-0x00000000033C0000-0x0000000003529000-memory.dmp

Filesize
1.4MB

Download
memory/1068-141-0x0000000010190000-0x000000001048A000-memory.dmp

Filesize
3.0MB

Download
memory/1068-135-0x00000000033C0000-0x0000000003529000-memory.dmp

Filesize
1.4MB

Download
memory/1068-137-0x0000000000790000-0x0000000000794000-memory.dmp

Filesize
16KB

Download
memory/1068-136-0x0000000001280000-0x000000000158D000-memory.dmp

Filesize
3.1MB

Download
memory/1068-138-0x00000000033C0000-0x0000000003529000-memory.dmp

Filesize
1.4MB

Download
memory/1068-139-0x0000000000B90000-0x0000000000B94000-memory.dmp

Filesize
16KB

Download
memory/1068-132-0x0000000000790000-0x0000000000794000-memory.dmp

Filesize
16KB

Download
memory/1068-131-0x0000000001280000-0x000000000158D000-memory.dmp

Filesize
3.1MB

Download
memory/1068-133-0x0000000000E40000-0x0000000001271000-memory.dmp

Filesize
4.2MB

Download
memory/1068-150-0x0000000000E40000-0x0000000001271000-memory.dmp

Filesize
4.2MB

Download
memory/1068-149-0x0000000010190000-0x000000001048A000-memory.dmp

Filesize
3.0MB

Download
memory/4352-147-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4352-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4352-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4352-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4352-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing