arkei | 382dbb2ef5f54e3735817318b680935e068749651f702213ab3edfb7842115fd

Analysis

max time kernel
92s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

772e5f453fa9373d39f023d7c38e6b38.exe
Size

54KB
MD5

772e5f453fa9373d39f023d7c38e6b38
SHA1

6e80a1283ec85c129ad355942faa3bdd7a00b4dd
SHA256

382dbb2ef5f54e3735817318b680935e068749651f702213ab3edfb7842115fd
SHA512

e3f6aa11fea7b3d3b7ee4569f283ad13e0625afb996a3cb5c7d1120fdb0d4dee08b65dda72b51e5b1994576e2b3593bc355721162429132b5503a8d83b9d5e0f
SSDEEP

1536:nnuJMdwyV/iPs3mFmIW8VWE46Csg5kl+BxIMmGpvHe:nuewEqPpFDWJ/6CsgJBWMV+

Score

10^/10

arkei stealer

Malware Config

Extracted

Family

arkei

95.181.157.6/3Wy90FKGCj.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	772e5f453fa9373d39f023d7c38e6b38.exe

Executes dropped EXE 1 IoCs

pid	Process
2280	asas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 2280	3544	772e5f453fa9373d39f023d7c38e6b38.exe	85
PID 3544 wrote to memory of 2280	3544	772e5f453fa9373d39f023d7c38e6b38.exe	85
PID 3544 wrote to memory of 2280	3544	772e5f453fa9373d39f023d7c38e6b38.exe	85

C:\Users\Admin\AppData\Local\Temp\772e5f453fa9373d39f023d7c38e6b38.exe
"C:\Users\Admin\AppData\Local\Temp\772e5f453fa9373d39f023d7c38e6b38.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Users\Admin\AppData\Local\Temp\asas.exe
  "C:\Users\Admin\AppData\Local\Temp\asas.exe"
  2⤵
  - Executes dropped EXE
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asas.exe

Filesize
70KB

MD5
335b5c9b0ba062e19ae6f46957c8bb5b

SHA1
f1f3be6660d9ba500f4c68e743567be7dc417b08

SHA256
8bdd1bd535172297305ccdc2e0603d41d477f340b2ac034689775d3625333c82

SHA512
d266bd1a7e35c9046096d9ed7b8025c5a7d37fe29d4bc0434ee7bdfdcb85e5be047e0b965c68307220899571dc837453563a75132774eca86311f2cf2b4a2a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\asas.exe

Filesize
45KB

MD5
e65b376fd773ca430ba2eab2c5e60cd0

SHA1
ce0706d4a97051bb046417308e37718cbc295641

SHA256
b73e807e4ea845ea62c02a063c7fadb904db7f722db77f9867b0a368c782edfc

SHA512
d3f61d22754d21dd29007ad6c10c80e824169f6e936fb0ce0e8a9ec1ddac1e106e6b8f5db3a7430255c5cfec0f5162981146a457c749f550c9c45ab21f856669

Download Submit
C:\Users\Admin\AppData\Local\Temp\asas.exe

Filesize
86KB

MD5
22804c7553cf19c32dceaacfff99c655

SHA1
78d6bac5ca361785b5f0d854aa7317110f8227f7

SHA256
067c18a6afdc5414f131a205f31781a0b109c30e39fc1d9302073bed0f9fcb04

SHA512
a3f2954739774190dcda73f87a56bd05158329d7a5aae1b6f8dae50bcc1f535c908c7e24bbcab944c2e4cf1a719ab09e50b37efea787e264159b2abfc0916675

Download Submit
memory/3544-0-0x0000000000520000-0x0000000000534000-memory.dmp

Filesize
80KB

Download
memory/3544-3-0x00007FFDF7F60000-0x00007FFDF8A21000-memory.dmp

Filesize
10.8MB

Download
memory/3544-4-0x0000000000E90000-0x0000000000EA0000-memory.dmp

Filesize
64KB

Download
memory/3544-13-0x00007FFDF7F60000-0x00007FFDF8A21000-memory.dmp

Filesize
10.8MB

Download