arkei | 50dec188746b9f3e72fe1effd96444eb8ed1b74ae86dc923ab55734b73dbbd6b

Analysis

max time kernel
138s
max time network
147s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-10-2022 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InstallerNPW.exe
Size

505.1MB
MD5

a7181bdf496d2c79b321f14de2598680
SHA1

c4f30ccc90fe2a4c392a8c7f665b831c04757553
SHA256

5390a252d7d09aa1a46aca97c8fd9642adac289a6a33d9fc6d3eb1b3f5c0194d
SHA512

a94a43eb45f30d8cfe1144c90d642480d93100cea6c77f693d25318abc98a30a279a443da5fe67e4356922ae7be651d0775361742b16cc0232c6c7c1c4f58bbe
SSDEEP

6144:gCFtTT32Sw1eIKWgpxAOzuuXUXs/nEcYY6rpohYxNJgIzMfKkve4uQLl8+:dHT32SwAguXUc/nr6rDxzUSyPLq+

Score

10^/10

arkei marsstealer default stealer

Malware Config

Extracted

Family

arkei

Botnet

Default

Extracted

Family

marsstealer

Botnet

Default

46.3.197.98/hsdf7w34rhdjsf.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1640 set thread context of 980	1640	InstallerNPW.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 980	1640	InstallerNPW.exe	28
PID 1640 wrote to memory of 980	1640	InstallerNPW.exe	28
PID 1640 wrote to memory of 980	1640	InstallerNPW.exe	28
PID 1640 wrote to memory of 980	1640	InstallerNPW.exe	28
PID 1640 wrote to memory of 980	1640	InstallerNPW.exe	28
PID 1640 wrote to memory of 980	1640	InstallerNPW.exe	28
PID 1640 wrote to memory of 980	1640	InstallerNPW.exe	28
PID 1640 wrote to memory of 980	1640	InstallerNPW.exe	28
PID 1640 wrote to memory of 980	1640	InstallerNPW.exe	28
PID 1640 wrote to memory of 980	1640	InstallerNPW.exe	28
PID 1640 wrote to memory of 980	1640	InstallerNPW.exe	28
PID 1640 wrote to memory of 980	1640	InstallerNPW.exe	28
PID 1640 wrote to memory of 980	1640	InstallerNPW.exe	28
PID 1640 wrote to memory of 980	1640	InstallerNPW.exe	28

C:\Users\Admin\AppData\Local\Temp\InstallerNPW.exe
"C:\Users\Admin\AppData\Local\Temp\InstallerNPW.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\InstallerNPW.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallerNPW.exe"
  2⤵
  PID:980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/980-54-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/980-55-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/980-57-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/980-59-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/980-60-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/980-66-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/980-63-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/980-62-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/980-67-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/980-68-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/980-69-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads