General

  • Target

    RFQ.xll

  • Size

    728KB

  • Sample

    220719-wme7ysfgg3

  • MD5

    8256cc1447b4199fbe35f627cffd3ae9

  • SHA1

    51540c8084f61ae5a9aafeb6b681b74cddc52cec

  • SHA256

    7ba2a7701e6a8519f6c61142c669c4f5da01fe09b1bb789078b888da2a832be9

  • SHA512

    67e1231aec5b9c81f04e7f90a6d60d5ad2b83301da8fa499c31fea43e4611962b3a0a9dfd41f6aa27f611b3d2035474a2ac0a293266d81b0b30cdd6026d036da

Malware Config

  • Extracted

    Language: xlm4.0

    Source:

  • Extracted

    Family: arkei

    Botnet: Default
Targets

    • Arkei

      Arkei is an infostealer written in C++.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry: T1112 (1)

  • Credential Access

    Credentials in Files: T1081 (1)

  • Discovery

    Query Registry: T1012 (3)

    System Information Discovery: T1082 (4)

  • Collection

    Data from Local System: T1005 (1)

Tasks