arkei | 960a8b99ffcc13827dbf38256c81cf5b8a37e4308b526713445080d2b096fbc0

General

Target

3c3156de49276bfcb908126759ea0f7e.exe
Size

1.1MB
MD5

3c3156de49276bfcb908126759ea0f7e
SHA1

3b580fa227336f11512e592c99040db279352e92
SHA256

960a8b99ffcc13827dbf38256c81cf5b8a37e4308b526713445080d2b096fbc0
SHA512

429ea2f4bd883144f730223e97085ab2dd646155efb668e446f836337937b9af1c2532ba4b04ce43040b9fbf2f4fe1c68c28fdc4c0b9ba300a396fed79e497b1
SSDEEP

24576:3Ia4wNu3SaZYo+51mnW0Lj7oBj3bqoWVomcqBoG:351uCr10j7oBj3mLVlcqBo

Score

10^/10

arkei spyware stealer

Malware Config

Extracted

Family

arkei

C2

185.241.52.252/qRdXmPWvrh.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

3c3156de49276bfcb908126759ea0f7e.exe

description pid process target process

PID 2908 set thread context of 3064 2908 3c3156de49276bfcb908126759ea0f7e.exe 3c3156de49276bfcb908126759ea0f7e.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4796 3064 WerFault.exe 3c3156de49276bfcb908126759ea0f7e.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3c3156de49276bfcb908126759ea0f7e.exe

pid process

2908 3c3156de49276bfcb908126759ea0f7e.exe
2908 3c3156de49276bfcb908126759ea0f7e.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3c3156de49276bfcb908126759ea0f7e.exe

description pid process

Token: SeDebugPrivilege 2908 3c3156de49276bfcb908126759ea0f7e.exe

description	pid	process	target process
PID 2908 set thread context of 3064	2908	3c3156de49276bfcb908126759ea0f7e.exe	3c3156de49276bfcb908126759ea0f7e.exe

pid	pid_target	process	target process
4796	3064	WerFault.exe	3c3156de49276bfcb908126759ea0f7e.exe

pid	process
2908	3c3156de49276bfcb908126759ea0f7e.exe
2908	3c3156de49276bfcb908126759ea0f7e.exe

description	pid	process
Token: SeDebugPrivilege	2908	3c3156de49276bfcb908126759ea0f7e.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3c3156de49276bfcb908126759ea0f7e.exe

description	pid	process	target process
PID 2908 wrote to memory of 2100	2908	3c3156de49276bfcb908126759ea0f7e.exe	3c3156de49276bfcb908126759ea0f7e.exe
PID 2908 wrote to memory of 2100	2908	3c3156de49276bfcb908126759ea0f7e.exe	3c3156de49276bfcb908126759ea0f7e.exe
PID 2908 wrote to memory of 2100	2908	3c3156de49276bfcb908126759ea0f7e.exe	3c3156de49276bfcb908126759ea0f7e.exe
PID 2908 wrote to memory of 3064	2908	3c3156de49276bfcb908126759ea0f7e.exe	3c3156de49276bfcb908126759ea0f7e.exe
PID 2908 wrote to memory of 3064	2908	3c3156de49276bfcb908126759ea0f7e.exe	3c3156de49276bfcb908126759ea0f7e.exe
PID 2908 wrote to memory of 3064	2908	3c3156de49276bfcb908126759ea0f7e.exe	3c3156de49276bfcb908126759ea0f7e.exe
PID 2908 wrote to memory of 3064	2908	3c3156de49276bfcb908126759ea0f7e.exe	3c3156de49276bfcb908126759ea0f7e.exe
PID 2908 wrote to memory of 3064	2908	3c3156de49276bfcb908126759ea0f7e.exe	3c3156de49276bfcb908126759ea0f7e.exe
PID 2908 wrote to memory of 3064	2908	3c3156de49276bfcb908126759ea0f7e.exe	3c3156de49276bfcb908126759ea0f7e.exe
PID 2908 wrote to memory of 3064	2908	3c3156de49276bfcb908126759ea0f7e.exe	3c3156de49276bfcb908126759ea0f7e.exe
PID 2908 wrote to memory of 3064	2908	3c3156de49276bfcb908126759ea0f7e.exe	3c3156de49276bfcb908126759ea0f7e.exe
PID 2908 wrote to memory of 3064	2908	3c3156de49276bfcb908126759ea0f7e.exe	3c3156de49276bfcb908126759ea0f7e.exe

C:\Users\Admin\AppData\Local\Temp\3c3156de49276bfcb908126759ea0f7e.exe
"C:\Users\Admin\AppData\Local\Temp\3c3156de49276bfcb908126759ea0f7e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908

C:\Users\Admin\AppData\Local\Temp\3c3156de49276bfcb908126759ea0f7e.exe
"C:\Users\Admin\AppData\Local\Temp\3c3156de49276bfcb908126759ea0f7e.exe"
2⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\3c3156de49276bfcb908126759ea0f7e.exe
"C:\Users\Admin\AppData\Local\Temp\3c3156de49276bfcb908126759ea0f7e.exe"
2⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1260
3⤵
- Program crash
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3064 -ip 3064
1⤵
PID:4644

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2908-10-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/2908-2-0x00000000055D0000-0x000000000566C000-memory.dmp

Filesize
624KB

Download
memory/2908-1-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/2908-12-0x0000000006E30000-0x0000000006EA6000-memory.dmp

Filesize
472KB

Download
memory/2908-11-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/2908-5-0x0000000005E70000-0x0000000006414000-memory.dmp

Filesize
5.6MB

Download
memory/2908-6-0x0000000005720000-0x00000000057B2000-memory.dmp

Filesize
584KB

Download
memory/2908-8-0x0000000005920000-0x0000000005976000-memory.dmp

Filesize
344KB

Download
memory/2908-7-0x0000000005710000-0x000000000571A000-memory.dmp

Filesize
40KB

Download
memory/2908-9-0x0000000008420000-0x0000000008438000-memory.dmp

Filesize
96KB

Download
memory/2908-3-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/2908-0-0x0000000000B10000-0x0000000000C28000-memory.dmp

Filesize
1.1MB

Download
memory/2908-4-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/2908-13-0x0000000008600000-0x000000000868C000-memory.dmp

Filesize
560KB

Download
memory/2908-14-0x000000000AD70000-0x000000000AD8C000-memory.dmp

Filesize
112KB

Download
memory/2908-20-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/3064-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3064-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3064-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3064-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3064-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing