arkei | d98129981f18ffdf2db5edd0fc09442cc35ac1458971ca0ed14fe58dcd0dd3e0

Analysis

max time kernel
148s
max time network
86s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
31/07/2022, 13:47 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03e81c8df40db6549e905d8832fa1b80.exe
Size

359KB
MD5

03e81c8df40db6549e905d8832fa1b80
SHA1

8653cebf8079fa38d845d12e424bcde4afd625b4
SHA256

d98129981f18ffdf2db5edd0fc09442cc35ac1458971ca0ed14fe58dcd0dd3e0
SHA512

b2999496aa5eb2ca90603a458d96523fc5795365c86e71d5a03cf79b2764ec572d4f1da15207836a78ec0df1b703b0efad46643945ffd5225c607abe5327c9e0

Score

10^/10

arkei default stealer

Malware Config

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1220 set thread context of 1064	1220	03e81c8df40db6549e905d8832fa1b80.exe	26

Program crash 1 IoCs

pid	pid_target	Process	procid_target
828	1064	WerFault.exe	26

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1064	1220	03e81c8df40db6549e905d8832fa1b80.exe	26
PID 1220 wrote to memory of 1064	1220	03e81c8df40db6549e905d8832fa1b80.exe	26
PID 1220 wrote to memory of 1064	1220	03e81c8df40db6549e905d8832fa1b80.exe	26
PID 1220 wrote to memory of 1064	1220	03e81c8df40db6549e905d8832fa1b80.exe	26
PID 1220 wrote to memory of 1064	1220	03e81c8df40db6549e905d8832fa1b80.exe	26
PID 1220 wrote to memory of 1064	1220	03e81c8df40db6549e905d8832fa1b80.exe	26
PID 1220 wrote to memory of 1064	1220	03e81c8df40db6549e905d8832fa1b80.exe	26
PID 1220 wrote to memory of 1064	1220	03e81c8df40db6549e905d8832fa1b80.exe	26
PID 1220 wrote to memory of 1064	1220	03e81c8df40db6549e905d8832fa1b80.exe	26
PID 1220 wrote to memory of 1064	1220	03e81c8df40db6549e905d8832fa1b80.exe	26
PID 1220 wrote to memory of 1064	1220	03e81c8df40db6549e905d8832fa1b80.exe	26
PID 1064 wrote to memory of 828	1064	03e81c8df40db6549e905d8832fa1b80.exe	29
PID 1064 wrote to memory of 828	1064	03e81c8df40db6549e905d8832fa1b80.exe	29
PID 1064 wrote to memory of 828	1064	03e81c8df40db6549e905d8832fa1b80.exe	29
PID 1064 wrote to memory of 828	1064	03e81c8df40db6549e905d8832fa1b80.exe	29

C:\Users\Admin\AppData\Local\Temp\03e81c8df40db6549e905d8832fa1b80.exe
"C:\Users\Admin\AppData\Local\Temp\03e81c8df40db6549e905d8832fa1b80.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\03e81c8df40db6549e905d8832fa1b80.exe
  "C:\Users\Admin\AppData\Local\Temp\03e81c8df40db6549e905d8832fa1b80.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 464
    3⤵
    - Program crash
    PID:828

Network

DNS

moneyd.link

03e81c8df40db6549e905d8832fa1b80.exe

Remote address:

8.8.8.8:53

Request

moneyd.link

IN A

Response

moneyd.link

IN A

176.53.160.10
GET

http://moneyd.link/8sd87v7.php

03e81c8df40db6549e905d8832fa1b80.exe

Remote address:

176.53.160.10:80

Request

GET /8sd87v7.php HTTP/1.1
Host: moneyd.link
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 31 Jul 2022 13:48:13 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=g8q00j3b2nqtt8bgsgv1qrqubi; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 28
Connection: close
Content-Type: text/html; charset=UTF-8

176.53.160.10:80

http://moneyd.link/8sd87v7.php

http

03e81c8df40db6549e905d8832fa1b80.exe

327 B
495 B
5
3

HTTP Request

GET http://moneyd.link/8sd87v7.php

HTTP Response

200
176.53.160.10:80

moneyd.link

03e81c8df40db6549e905d8832fa1b80.exe

152 B
3
176.53.160.10:80

moneyd.link

03e81c8df40db6549e905d8832fa1b80.exe

152 B
3

8.8.8.8:53

moneyd.link

dns

03e81c8df40db6549e905d8832fa1b80.exe

57 B
73 B
1
1

DNS Request

moneyd.link

DNS Response

176.53.160.10

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1064-54-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1064-57-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1064-60-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1064-61-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1064-63-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1220-58-0x000000000051E000-0x000000000053F000-memory.dmp

Filesize
132KB

Download
memory/1220-59-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.