General

  • Target: fa104a88d04bb381e8f1993eaa559f77e4b7eae75daa54190b26e2c58523ce24.zip
  • Size: 7.2MB
  • Sample: 220613-ekt5nahgc6
  • MD5: 923f52bbbe3a163fc0a4a87cd074bf11
  • SHA1: d07ab1b2813a1194a8317fb811d98a6cce93a6fd
  • SHA256: 4c69490f8086cff194db7fdd814d9bcc54f6245389f66fd52a667704a1d240d0
  • SHA512: e2dd25f75a9f093bc9a949c919a117fdf2c1cd4786312a427d4ad9afae65c18499bc1a6de0f1a4cf5d48fbbebde98d88c2c3fe959a813c5db739b84dfe45ff04

Malware Config

  • Extracted
    Family: socelars
    C2: https://sa-us-bucket.s3.us-east-2.amazonaws.com/ujfreids61/

  • Extracted
    Family: arkei
    Botnet: Default

Targets

  • Target: fa104a88d04bb381e8f1993eaa559f77e4b7eae75daa54190b26e2c58523ce24
  • Size: 7.2MB
  • MD5: 4b94dd9a273357df8aa448b98acb30da
  • SHA1: ec45188361a9eaf3035e3057e7dad27edee602a0
  • SHA256: fa104a88d04bb381e8f1993eaa559f77e4b7eae75daa54190b26e2c58523ce24
  • SHA512: 662de391d3f05a700845df444a08facd988dfcc86f48b1b94415b33507fb6d45acd7392cb070b1eec3d162e1844c1ea6150722d59e85fe4ab6da16a27623117d

  • Arkei
    Arkei is an infostealer written in C++.

  • Process spawned unexpected child process
    This typically indicates the parent process was compromised via an exploit or macro.

  • Socelars
    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • suricata: ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)

  • Downloads MZ/PE file

  • Executes dropped EXE

  • VMProtect packed file
    Detects executables packed with the VMProtect commercial packer.

  • Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence check.

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator
    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Reads user/profile data of web browsers
    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               Technique                     ID     Count
  Defense Evasion      Install Root Certificate      T1130  1
  Defense Evasion      Modify Registry               T1112  1
  Credential Access    Credentials in Files          T1081  1
  Discovery            Query Registry                T1012  2
  Discovery            System Information Discovery  T1082  3
  Discovery            Peripheral Device Discovery   T1120  1
  Discovery            Remote System Discovery       T1018  1
  Collection           Data from Local System        T1005  1
  Command and Control  Web Service                   T1102  1

Tasks