General

  • Target

    ghjk.exe

  • Size

    772KB

  • Sample

    220626-f9raqsage5

  • MD5

    d946c183fd128b4acf88d83ee89d79d3

  • SHA1

    6f35da72f339c7101e93a7adada27d24902db598

  • SHA256

    529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

  • SHA512

    793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Malware Config

  • Extracted

    Family: arkei
    Botnet: Default

  • Extracted

    Family: recordbreaker
    C2: http://136.244.65.99/
    C2: http://140.82.52.55/

Targets

    • Arkei

      Arkei is an infostealer written in C++.

    • RecordBreaker

      RecordBreaker is an information stealer written in C++ that can download and execute secondary payloads.

    • suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4

    • suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                      ID      Count
  Credential Access  Credentials in Files           T1081   2
  Discovery          Query Registry                 T1012   3
  Discovery          System Information Discovery   T1082   3
  Collection         Data from Local System         T1005   2

Tasks