Overview

overview

10

Static

static

zxcvb.exe

windows7_x64

10

zxcvb.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    zxcvb.exervbgtufh

  • Size

    768KB

  • Sample

    220626-g4d9nabgg6

  • MD5

    63645a9e1f5e77ba3c75366f3a14ab87

  • SHA1

    ed1497c47dc283118bbc57d49cd9f354785cf73d

  • SHA256

    2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

  • SHA512

    4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Score
10/10
arkeirecordbreakerdefaultdiscoveryspywarestealersuricata

Malware Config

Extracted

Family

recordbreaker

C2

http://136.244.65.99/

http://140.82.52.55/

Extracted

Family

arkei

Botnet

Default

Targets

    • Target

      zxcvb.exervbgtufh

    • Size

      768KB

    • MD5

      63645a9e1f5e77ba3c75366f3a14ab87

    • SHA1

      ed1497c47dc283118bbc57d49cd9f354785cf73d

    • SHA256

      2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

    • SHA512

      4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

    Score
    10/10
    arkeirecordbreakerdefaultdiscoveryspywarestealersuricata

    • Arkei

      Arkei is an infostealer written in C++.

      stealerarkei

    • RecordBreaker

      RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.

      stealerrecordbreaker

    • suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4

      suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4

      suricata

    • suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

      suricata

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks