arkei

General

Target

ppx.ps1
Size

1.0MB
Sample

220621-qjnf9sdfbr
MD5

e579b1afc9c6bf6f25f461fc8f96c349
SHA1

c6b10e55440832e2b9877c05e77b2c93585f507d
SHA256

249fa3bc0b500df45b167912505c5edffeac8681e3d4708e92e97340f155da67
SHA512

683804fdbda25be2763726d49ee0186959c7e2d3b855c53ff74d42c6601c18cde7e1b8db547d11accbd34f3c326bcc8b43ebe71284cd5f681b855932bf34d12a

Score

10^/10

Malware Config

Extracted

Family

recordbreaker

C2

http://136.244.65.99/

http://140.82.52.55/

Extracted

Family

arkei

Botnet

Default

Targets

- Target
  
  ppx.ps1
- Size
  
  1.0MB
- MD5
  
  e579b1afc9c6bf6f25f461fc8f96c349
- SHA1
  
  c6b10e55440832e2b9877c05e77b2c93585f507d
- SHA256
  
  249fa3bc0b500df45b167912505c5edffeac8681e3d4708e92e97340f155da67
- SHA512
  
  683804fdbda25be2763726d49ee0186959c7e2d3b855c53ff74d42c6601c18cde7e1b8db547d11accbd34f3c326bcc8b43ebe71284cd5f681b855932bf34d12a
Score

10^/10

arkei recordbreaker default discovery spyware stealer suricata
- Arkei
  Arkei is an infostealer written in C++.
  stealer arkei
- RecordBreaker
  RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
  stealer recordbreaker
- suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
  suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
  suricata
- suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

RecordBreaker

suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4

suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2