Analysis

  • max time kernel
    79s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/07/2022, 09:16 UTC

General

  • Target

    185.4.65.203_-_update.exe___b78436c8bdcd14b81c4a828651ef8f6a.exe

  • Size

    159KB

  • MD5

    b78436c8bdcd14b81c4a828651ef8f6a

  • SHA1

    bee132bfbb59e41b02dd0fbd65ba3eba2a3a5c17

  • SHA256

    f5d6e5e4b06d5597f705053b15db15b8cbcb33c40c5437cda4d90af430a218fa

  • SHA512

    9b7db48478eee118b708cd34d4e0755705e5437c476fc2c73875ec72582a93a657b6779808d36f7a358272d262048605a5b56809c6b32800dcf7e0ca493d413a

Malware Config

Extracted

Family

arkei

Botnet

Default

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

Processes

  • C:\Users\Admin\AppData\Local\Temp\185.4.65.203_-_update.exe___b78436c8bdcd14b81c4a828651ef8f6a.exe
    "C:\Users\Admin\AppData\Local\Temp\185.4.65.203_-_update.exe___b78436c8bdcd14b81c4a828651ef8f6a.exe"
    • Loads dropped DLL
    • Checks processor information in registry
    PID:4684

Network

  • Country: RU
    GET
    http://185.4.65.203/hikuykyu.php
    185.4.65.203_-_update.exe___b78436c8bdcd14b81c4a828651ef8f6a.exe
    Remote address:
    185.4.65.203:80
    Request
    GET /hikuykyu.php HTTP/1.1
    Host: 185.4.65.203
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Wed, 20 Jul 2022 09:17:20 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Set-Cookie: PHPSESSID=qn5gvl3vslo1khegcjnkueinbl; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Vary: Accept-Encoding
    Content-Length: 212
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • Country: RU
    GET
    http://185.4.65.203/request
    185.4.65.203_-_update.exe___b78436c8bdcd14b81c4a828651ef8f6a.exe
    Remote address:
    185.4.65.203:80
    Request
    GET /request HTTP/1.1
    Host: 185.4.65.203
    Cache-Control: no-cache
    Cookie: PHPSESSID=qn5gvl3vslo1khegcjnkueinbl
    Response
    HTTP/1.1 200 OK
    Date: Wed, 20 Jul 2022 09:17:20 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Last-Modified: Tue, 22 Feb 2022 01:34:00 GMT
    ETag: "17e499-5d89157e47200"
    Accept-Ranges: bytes
    Content-Length: 1565849
  • Country: RU
    POST
    http://185.4.65.203/hikuykyu.php
    185.4.65.203_-_update.exe___b78436c8bdcd14b81c4a828651ef8f6a.exe
    Remote address:
    185.4.65.203:80
    Request
    POST /hikuykyu.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----16FKXLF3EKF37YUA
    Host: 185.4.65.203
    Content-Length: 71920
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: PHPSESSID=qn5gvl3vslo1khegcjnkueinbl
    Response
    HTTP/1.1 200 OK
    Date: Wed, 20 Jul 2022 09:17:22 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 0
    Keep-Alive: timeout=5, max=98
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • 185.4.65.203:80
    http://185.4.65.203/hikuykyu.php
    http
    185.4.65.203_-_update.exe___b78436c8bdcd14b81c4a828651ef8f6a.exe
    128.0kB
    1.6MB
    1216
    1193

    HTTP Request

    GET http://185.4.65.203/hikuykyu.php

    HTTP Response

    200

    HTTP Request

    GET http://185.4.65.203/request

    HTTP Response

    200

    HTTP Request

    POST http://185.4.65.203/hikuykyu.php

    HTTP Response

    200
  • 20.189.173.1:443
    322 B
    7
  • 13.107.21.200:443
    www.bing.com
    tls, https
    2.8kB
    8.5kB
    19
    18
  • 104.18.25.243:80
    322 B
    7

Downloads

  • C:\ProgramData\mozglue.dll

    Filesize

    133KB

    MD5

    8f73c08a9660691143661bf7332c3c27

    SHA1

    37fa65dd737c50fda710fdbde89e51374d0c204a

    SHA256

    3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

    SHA512

    0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

  • C:\ProgramData\nss3.dll

    Filesize

    1.2MB

    MD5

    bfac4e3c5908856ba17d41edcd455a51

    SHA1

    8eec7e888767aa9e4cca8ff246eb2aacb9170428

    SHA256

    e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

    SHA512

    2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

  • memory/4684-130-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/4684-131-0x0000000060900000-0x0000000060992000-memory.dmp

    Filesize

    584KB

  • memory/4684-152-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB
