arkei

General

Target

-setup-EP4hSEO.zip
Size

12.2MB
Sample

220609-hmsamahbgr
MD5

ffaed703eda0f2794abac48f481814ad
SHA1

cecb6ed759d27525fd9d0fd17c1325959ea45008
SHA256

93af2dea04dcdf910e7e8935d97ef4152234433f070d76e2621db0fb8462bfa8
SHA512

760cb17715b580fdb293e02769999553f08804ec2239757ae1f9b455d00867d3061a66b46b58aac660546d436bb27f00da3f665131b6b9cf9cb1b97e5cdba3a6

Score

10^/10

Malware Config

Extracted

Family

arkei

Botnet

Default

Targets

- Target
  
  -setup-EP4hSEO.exe
- Size
  
  6.9MB
- MD5
  
  ad6f77750e2dcc496173ae38c404e27a
- SHA1
  
  5b328534d8afdd5a13170b91cddee3be6be7c0ab
- SHA256
  
  45cc6b4e95694369805efde940f551c9bfa3d3b0d7589d83d7738273a6832b64
- SHA512
  
  1ff9dbfcafbfeffa0a36dfb4865d29d0be9aeee987e49607143ca24ab9d80ad86674b483571e541deb049771b804167a36bf7c8ddaef4dce5b0536a160b1951e
Score

10^/10

arkei default agilenet discovery persistence spyware stealer suricata upx
- Arkei
  Arkei is an infostealer written in C++.
  stealer arkei
- suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
  suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)
  suricata: ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)
  suricata
- suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  .............exe
- Size
  
  5.8MB
- MD5
  
  288d7d66024b6562feeb4d6baed41849
- SHA1
  
  cb9efb823a462d1afc8057839fecd224d661102a
- SHA256
  
  7dfffd124e41f73e266f806951457060dfff9950caca0fcd1c542ff5e9a21e34
- SHA512
  
  1793b4c153f4277d65cf99b2758c586f4a59234760916280deab35ae69bd48b3584ba76474243ac67efb98c052b4e9a184c16b93b10ea92292eac46224cf334a
Score

8^/10

discovery
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral2