arkei | 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

General

Target

ghjk.exe
Size

772KB
MD5

d946c183fd128b4acf88d83ee89d79d3
SHA1

6f35da72f339c7101e93a7adada27d24902db598
SHA256

529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474
SHA512

793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Score

10^/10

arkei recordbreaker default stealer

Malware Config

Extracted

Family

recordbreaker

C2

http://136.244.65.99/

http://140.82.52.55/

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker
Executes dropped EXE 2 IoCs

Processes:

fcvtee.exefcvtee.exe

pid process

3140 fcvtee.exe
724 fcvtee.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ghjk.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation ghjk.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

ghjk.exefcvtee.exe

description pid process target process

PID 4668 set thread context of 4812 4668 ghjk.exe ghjk.exe
PID 3140 set thread context of 724 3140 fcvtee.exe fcvtee.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

ghjk.exefcvtee.exe

pid process

4668 ghjk.exe
3140 fcvtee.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ghjk.exefcvtee.exe

pid process

4668 ghjk.exe
3140 fcvtee.exe

pid	process
3140	fcvtee.exe
724	fcvtee.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	ghjk.exe

description	pid	process	target process
PID 4668 set thread context of 4812	4668	ghjk.exe	ghjk.exe
PID 3140 set thread context of 724	3140	fcvtee.exe	fcvtee.exe

pid	process
4668	ghjk.exe
3140	fcvtee.exe

pid	process
4668	ghjk.exe
3140	fcvtee.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ghjk.exefcvtee.exe

description	pid	process	target process
PID 4668 wrote to memory of 3140	4668	ghjk.exe	fcvtee.exe
PID 4668 wrote to memory of 3140	4668	ghjk.exe	fcvtee.exe
PID 4668 wrote to memory of 3140	4668	ghjk.exe	fcvtee.exe
PID 4668 wrote to memory of 4812	4668	ghjk.exe	ghjk.exe
PID 4668 wrote to memory of 4812	4668	ghjk.exe	ghjk.exe
PID 4668 wrote to memory of 4812	4668	ghjk.exe	ghjk.exe
PID 4668 wrote to memory of 4812	4668	ghjk.exe	ghjk.exe
PID 3140 wrote to memory of 724	3140	fcvtee.exe	fcvtee.exe
PID 3140 wrote to memory of 724	3140	fcvtee.exe	fcvtee.exe
PID 3140 wrote to memory of 724	3140	fcvtee.exe	fcvtee.exe
PID 3140 wrote to memory of 724	3140	fcvtee.exe	fcvtee.exe

C:\Users\Admin\AppData\Local\Temp\ghjk.exe
"C:\Users\Admin\AppData\Local\Temp\ghjk.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4668

C:\Users\Admin\AppData\Roaming\fcvtee.exe
"C:\Users\Admin\AppData\Roaming\fcvtee.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Roaming\fcvtee.exe
"C:\Users\Admin\AppData\Roaming\fcvtee.exe"
3⤵
- Executes dropped EXE
PID:724

C:\Users\Admin\AppData\Local\Temp\ghjk.exe
"C:\Users\Admin\AppData\Local\Temp\ghjk.exe"
2⤵
PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\fcvtee.exe
Filesize
392KB

MD5
32ab5685131d8bcfa172bf165adf9338

SHA1
5e3b167bc66a15c246a8f29f7b634cbe52731319

SHA256
2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e

SHA512
c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437

Download Submit
C:\Users\Admin\AppData\Roaming\fcvtee.exe
Filesize
392KB

MD5
32ab5685131d8bcfa172bf165adf9338

SHA1
5e3b167bc66a15c246a8f29f7b634cbe52731319

SHA256
2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e

SHA512
c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437

Download Submit
C:\Users\Admin\AppData\Roaming\fcvtee.exe
Filesize
392KB

MD5
32ab5685131d8bcfa172bf165adf9338

SHA1
5e3b167bc66a15c246a8f29f7b634cbe52731319

SHA256
2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e

SHA512
c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437

Download Submit
memory/724-140-0x0000000000000000-mapping.dmp

Download
memory/724-143-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/724-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3140-132-0x0000000000000000-mapping.dmp

Download
memory/3140-142-0x0000000000910000-0x0000000000916000-memory.dmp

Filesize
24KB

Download
memory/4668-138-0x0000000002C10000-0x0000000002C18000-memory.dmp

Filesize
32KB

Download
memory/4812-137-0x0000000000000000-mapping.dmp

Download
memory/4812-139-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads