arkei

General

Target

zxcv.EXElwmyfpvl
Size

772KB
Sample

220626-g4krfabgg8
MD5

d946c183fd128b4acf88d83ee89d79d3
SHA1

6f35da72f339c7101e93a7adada27d24902db598
SHA256

529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474
SHA512

793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Score

10^/10

Malware Config

Extracted

Family

recordbreaker

C2

http://136.244.65.99/

http://140.82.52.55/

Extracted

Family

arkei

Botnet

Default

Targets

- Target
  
  zxcv.EXElwmyfpvl
- Size
  
  772KB
- MD5
  
  d946c183fd128b4acf88d83ee89d79d3
- SHA1
  
  6f35da72f339c7101e93a7adada27d24902db598
- SHA256
  
  529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474
- SHA512
  
  793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62
Score

10^/10

arkei recordbreaker default discovery spyware stealer suricata
- Arkei
  Arkei is an infostealer written in C++.
  stealer arkei
- RecordBreaker
  RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
  stealer recordbreaker
- suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
  suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
  suricata
- suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
  suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
  suricata
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

RecordBreaker

suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4

suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2