arkei | 79103532395036c14b755d90f9cacfdec6b588f1b031a7cba936c1b9d2ef3b51

General

Target

d9c650fdcc961cfb86baaff737d8c7bd.exe
Size

1000KB
MD5

d9c650fdcc961cfb86baaff737d8c7bd
SHA1

0a5d1730dbd7c2d925c88bf1bd3c726ba6f62e2d
SHA256

79103532395036c14b755d90f9cacfdec6b588f1b031a7cba936c1b9d2ef3b51
SHA512

bc735fe469f91fc2ee5fd5aa1ad11141b115f1c04c466f8cfcd8b192c137a3d24927f1d2dcd3edd5f237f17e1cdfa417e3d8c02a2865fbbe5185743f17ccdd6f

Score

10^/10

arkei recordbreaker default stealer

Malware Config

Extracted

Family

arkei

Botnet

Default

Extracted

Family

recordbreaker

C2

http://193.106.191.146/

http://185.215.113.89/

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker

Executes dropped EXE 2 IoCs

Processes:

sdame.exesdame.exe

pid	Process
1604	sdame.exe
4196	sdame.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d9c650fdcc961cfb86baaff737d8c7bd.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	d9c650fdcc961cfb86baaff737d8c7bd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d9c650fdcc961cfb86baaff737d8c7bd.exesdame.exe

description	pid	Process	procid_target
PID 916 set thread context of 5048	916	d9c650fdcc961cfb86baaff737d8c7bd.exe	83
PID 1604 set thread context of 4196	1604	sdame.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

d9c650fdcc961cfb86baaff737d8c7bd.exesdame.exe

pid	Process
916	d9c650fdcc961cfb86baaff737d8c7bd.exe
1604	sdame.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d9c650fdcc961cfb86baaff737d8c7bd.exesdame.exe

pid	Process
916	d9c650fdcc961cfb86baaff737d8c7bd.exe
1604	sdame.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

d9c650fdcc961cfb86baaff737d8c7bd.exesdame.exe

description	pid	Process	procid_target
PID 916 wrote to memory of 1604	916	d9c650fdcc961cfb86baaff737d8c7bd.exe	80
PID 916 wrote to memory of 1604	916	d9c650fdcc961cfb86baaff737d8c7bd.exe	80
PID 916 wrote to memory of 1604	916	d9c650fdcc961cfb86baaff737d8c7bd.exe	80
PID 916 wrote to memory of 5048	916	d9c650fdcc961cfb86baaff737d8c7bd.exe	83
PID 916 wrote to memory of 5048	916	d9c650fdcc961cfb86baaff737d8c7bd.exe	83
PID 916 wrote to memory of 5048	916	d9c650fdcc961cfb86baaff737d8c7bd.exe	83
PID 1604 wrote to memory of 4196	1604	sdame.exe	84
PID 1604 wrote to memory of 4196	1604	sdame.exe	84
PID 1604 wrote to memory of 4196	1604	sdame.exe	84
PID 916 wrote to memory of 5048	916	d9c650fdcc961cfb86baaff737d8c7bd.exe	83
PID 1604 wrote to memory of 4196	1604	sdame.exe	84

C:\Users\Admin\AppData\Local\Temp\d9c650fdcc961cfb86baaff737d8c7bd.exe
"C:\Users\Admin\AppData\Local\Temp\d9c650fdcc961cfb86baaff737d8c7bd.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\sdame.exe
  "C:\Users\Admin\AppData\Local\Temp\sdame.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\sdame.exe
    "C:\Users\Admin\AppData\Local\Temp\sdame.exe"
    3⤵
    - Executes dropped EXE
    PID:4196
- C:\Users\Admin\AppData\Local\Temp\d9c650fdcc961cfb86baaff737d8c7bd.exe
  "C:\Users\Admin\AppData\Local\Temp\d9c650fdcc961cfb86baaff737d8c7bd.exe"
  2⤵
  PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sdame.exe

Filesize
556KB

MD5
75cd6ae901a6583211a13c768b901718

SHA1
ee6bd9c0443e5337d39764fa254209726469f6d8

SHA256
944e64b81f23985c0defc1a683806d93d5c13b131d5fa970b5124ee9634d1df0

SHA512
dd7a218595b092e2c46d2f8e40428dab8b83adf164ea4e520192df280f23ce7aaf248a2e0045cef8f05263bc69be94f898c096cc8c77ee7911384a3480fe4ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdame.exe

Filesize
556KB

MD5
75cd6ae901a6583211a13c768b901718

SHA1
ee6bd9c0443e5337d39764fa254209726469f6d8

SHA256
944e64b81f23985c0defc1a683806d93d5c13b131d5fa970b5124ee9634d1df0

SHA512
dd7a218595b092e2c46d2f8e40428dab8b83adf164ea4e520192df280f23ce7aaf248a2e0045cef8f05263bc69be94f898c096cc8c77ee7911384a3480fe4ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdame.exe

Filesize
556KB

MD5
75cd6ae901a6583211a13c768b901718

SHA1
ee6bd9c0443e5337d39764fa254209726469f6d8

SHA256
944e64b81f23985c0defc1a683806d93d5c13b131d5fa970b5124ee9634d1df0

SHA512
dd7a218595b092e2c46d2f8e40428dab8b83adf164ea4e520192df280f23ce7aaf248a2e0045cef8f05263bc69be94f898c096cc8c77ee7911384a3480fe4ee5

Download Submit
memory/916-137-0x00000000034D0000-0x00000000034D7000-memory.dmp

Filesize
28KB

Download
memory/1604-132-0x0000000000000000-mapping.dmp

Download
memory/4196-139-0x0000000000000000-mapping.dmp

Download
memory/4196-141-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4196-143-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5048-138-0x0000000000000000-mapping.dmp

Download
memory/5048-142-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads