Global rank: 30 | Month rank: 24 | Week rank: 26 | IOCs: 3447

Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.

Type: Stealer
Origin: ex-USSR
First seen: 21 May, 2018
Last seen: 2 December, 2023
Also known as: ArkeiStealer

IOCs

IP addresses
104.0.0.0
103.0.0.0
1.1.1.1
5.252.178.50
45.84.0.112
45.67.229.135
45.67.35.117
176.126.113.228
146.19.247.187
62.204.41.126
Hashes
Domains
mas.to
URLs
https://t.me/cybehost
https://steamcommunity.com/profiles/76561199263069598
http://sughicent.com/
https://t.me/grizmons
https://steamcommunity.com/profiles/76561199557479327
https://mastodon.online/@ronxik13
https://t.me/hyipsdigest
http://alpha.twinsources.shop/gate.php
https://t.me/solonichat
https://steamcommunity.com/profiles/76561199555780195
https://t.me/bonoboaz
https://steamcommunity.com/profiles/76561199550790047
https://steamcommunity.com/profiles/76561198272578552
https://t.me/libpcre
http://194.233.168.238/hell.php
http://cheapa.link/
http://woor.link/548152.php
http://195.201.34.151:2083/
http://195.201.34.151:2083/8036442451e00fa27a235c4a80cbfb3c
http://195.201.34.151:2083/getfiles.zip
What is Arkei malware

Arkei is a stealer designed to exfiltrate information from infected systems. As is typical for this malware type, it is distributed using the Malware-as-a-Service (MaaS) model, which means that anyone can use the malware with minimal technical knowledge — all you need is to purchase access to a control panel from a website that sells the service.

This malware — which is written in C++ — targets Windows systems and is considered a medium impact and medium risk threat.

Having been around since 2018, Arkei has become popular among adversaries: not only is it widely used, but it has spawned several forks including Mars, Oski, and Vidar stealer, which we have covered before in the ANY.RUN trends trackers.

Arkei is capable of retrieving a variety of information from infected machines, including:

  • Form autosaves stored in the browser
  • Login and passwords
  • Files
  • Cryptocurrency wallets

Cryptocurrency owners are at the highest risk and are the main targets of Arkei. It can extract data from around 40 crypto wallet extensions, including MetaMask, which accounts for over 80% of web3 wallet usage.

The stealer also targets more than 30 web browsers, including Chrome, Firefox, Microsoft Edge, Opera, Brave, and Tor.

Arkei can also target 2FA extensions, a capability it has had roughly since the beginning of 2022. It's unclear how attackers are planning to use this data, but it's certain that this development could pose new risks for both corporate and private users.

The specific data types that the malware targets depend on its configuration file — a Base64-encoded file with the .PHP extension — and will vary from campaign to campaign. The attacker can use it to set Arkei's behavior with custom rules and target specific information.

It is important to note that Arkei terminates execution on machines from the ex-USSR regions.

The stealer identifies the region by accessing the language identifier of the Region Format setting. This behavior is typical for malware originating from the ex-USSR territories, which gives an insight into Arkei’s origin.

Arkei is equipped with multiple evasion techniques that help it avoid detection. For example, it checks that the computer name is not set to "HAL9TH" and the username is not "JohnDoe" — these are the default settings of the Windows Defender emulator. It also checks the DLLs loaded in its process against a list of antivirus and emulation software.
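As an added illustration (this is not code from the page or from ANY.RUN), the following Python script flags the anti-emulation behaviour just described when reviewing a sample and its sandbox report. It combines a static signal (the Defender emulator defaults "HAL9TH" and "JohnDoe" embedded as ASCII or UTF-16LE strings, as Windows APIs return them) with a behavioural one (an API trace that queries the computer and user name or probes for security-product DLLs and then exits without any network activity). The two emulator strings come from the text above; the DLL names, the API names, the verdict thresholds and the sample blob and trace are assumptions constructed for this example, since the page does not list Arkei's actual DLL checks.

```python
"""Flag Arkei-style anti-emulation checks from a binary blob and a sandbox API trace.

Added example, not ANY.RUN's code. The emulator defaults are from the tracker page;
everything else (DLL list, API names, sample data) is a constructed assumption.
"""

# Windows Defender emulator defaults named on the page (Windows returns them as UTF-16).
EMULATOR_DEFAULTS = ("HAL9TH", "JohnDoe")

# Illustrative DLL names that betray a sandbox or AV hooking layer. Assumption: the page
# only says "a list of antivirus and emulation software"; these are well-known examples,
# not Arkei's own list.
SECURITY_DLLS = ("sbiedll.dll", "snxhk.dll", "cmdvrt32.dll", "avghookx.dll")

ENV_QUERY_APIS = {"GetComputerNameW", "GetComputerNameA", "GetUserNameW", "GetUserNameA"}
NETWORK_APIS = {"connect", "WSAConnect", "InternetOpenUrlW", "HttpSendRequestW"}
EXIT_APIS = {"ExitProcess", "TerminateProcess"}


def scan_strings(data: bytes) -> dict:
    """Return which emulator defaults and security DLL names the blob embeds."""
    lowered = data.lower()  # bytes.lower() only touches ASCII, so UTF-16LE of ASCII survives
    hits = {"emulator_defaults": [], "security_dlls": []}
    for s in EMULATOR_DEFAULTS:
        if s.encode() in data or s.encode("utf-16-le") in data:
            hits["emulator_defaults"].append(s)
    for dll in SECURITY_DLLS:
        if dll.encode() in lowered or dll.encode("utf-16-le") in lowered:
            hits["security_dlls"].append(dll)
    return hits


def score_trace(events: list) -> dict:
    """events: ordered API calls such as {"api": "GetComputerNameW"} or
    {"api": "GetModuleHandleW", "arg": "sbiedll.dll"}. Returns behavioural signals."""
    queried_env = [e["api"] for e in events if e["api"] in ENV_QUERY_APIS]
    probed_dlls = sorted({e["arg"].lower() for e in events
                          if e["api"] in ("GetModuleHandleW", "GetModuleHandleA")
                          and e.get("arg", "").lower() in SECURITY_DLLS})
    touched_network = any(e["api"] in NETWORK_APIS for e in events)
    exited = bool(events) and events[-1]["api"] in EXIT_APIS
    return {
        "queried_environment": queried_env,
        "probed_security_dlls": probed_dlls,
        "network": touched_network,
        "exited_without_network": exited and not touched_network,
    }


def verdict(data: bytes, events: list) -> tuple:
    """Combine static and behavioural signals into (level, reasons)."""
    reasons = []
    s = scan_strings(data)
    b = score_trace(events)
    if s["emulator_defaults"]:
        reasons.append("embeds Defender emulator defaults: " + ", ".join(s["emulator_defaults"]))
    dlls = sorted(set(s["security_dlls"]) | set(b["probed_security_dlls"]))
    if dlls:
        reasons.append("references security-product DLLs: " + ", ".join(dlls))
    if b["queried_environment"] and b["exited_without_network"]:
        reasons.append("queried computer/user name, then exited before any network activity")
    # Two independent signals are required for the strong verdict (threshold is an assumption).
    level = "anti-emulation" if len(reasons) >= 2 else ("suspicious" if reasons else "none")
    return level, reasons


# Constructed sample: a fake PE-like blob and the API trace a sandbox would record
# for a run that bails out inside an emulator.
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 16
               + "HAL9TH".encode("utf-16-le") + b"\x00\x00"
               + b"JohnDoe\x00" + b"SbieDll.dll\x00")
SAMPLE_TRACE = [
    {"api": "GetComputerNameW"},
    {"api": "GetUserNameW"},
    {"api": "GetModuleHandleW", "arg": "SbieDll.dll"},
    {"api": "ExitProcess"},
]

if __name__ == "__main__":
    level, why = verdict(SAMPLE_BLOB, SAMPLE_TRACE)
    print(level)
    for r in why:
        print(" -", r)
```

The string scan is what a YARA rule would do; the trace scoring is what distinguishes a sample that merely contains the strings from one that actually used them to decide to exit, which is the behaviour worth alerting on in a sandbox that returned no network activity.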

Once it's time to gather the data, Arkei compiles its findings into a .zip archive, gives it a random 12-character name, and sends it to its control server. In addition to the information specified by the config file, it captures a system screenshot and extracts system information.

How to get more information from Arkei malware

You can obtain Arkei's malware configuration from the ANY.RUN sample.

Figure 1: Arkei configuration automatically extracted by ANY.RUN

Users can access comprehensive malware configuration data in ANY.RUN's interactive online sandbox in as little as 10 seconds after starting the sandbox. There's no need to wait for the emulation to finish running.

Arkei execution process

After a system is infected, a TCP connection is established with the attacker's remote server. The server sends Base64-encoded parameters to the malware, including search path templates and file search masks. Using these parameters, the malware determines which information it needs to steal from the victim's computer.

The malware then requests the libraries necessary for its operation from the remote server. These libraries are sent as ZIP archives.

Subsequent communication with the server involves sending stolen files to the C2 server. Some threat actors use packing techniques on Arkei samples (T1027.002) to avoid detection by signatures. An example of this behavior can be seen in this task we recorded in ANY.RUN.

After launching the packed sample, the AppLaunch.exe process is created in the system, which is part of the .NET Framework. The malicious code is then injected into this process.
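The network side of the execution process above (the library download shipped as a ZIP archive, and the upload of a randomly named 12-character .zip to the control server) can be turned into detection logic. The following Python script is an added example, not code from ANY.RUN or from the page: it matches proxy/upload log lines against the C2 URLs and IP addresses listed in the IOC section of this page plus the random-archive-name rule from the text. The log line format, the client address and the sample lines are constructed assumptions; the example deliberately leaves out 1.1.1.1 (Cloudflare's public resolver) and the bare /8 addresses 104.0.0.0 and 103.0.0.0 from the IOC list, since matching those would only produce false positives.

```python
"""Match Arkei C2 indicators and the 12-character random .zip upload against log lines.

Added example, not ANY.RUN's code. Indicators are copied from the tracker page; the
log format and sample lines are constructed for this example.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# C2 URLs from the page's IOC list.
C2_URLS = {
    "http://alpha.twinsources.shop/gate.php",
    "http://194.233.168.238/hell.php",
    "http://195.201.34.151:2083/",
    "http://195.201.34.151:2083/getfiles.zip",
}
# Hosts from the page's IOC list. 1.1.1.1, 104.0.0.0 and 103.0.0.0 are intentionally
# excluded: a public resolver and two network addresses are not usable host indicators.
C2_HOSTS = {
    "5.252.178.50", "45.84.0.112", "45.67.229.135", "45.67.35.117",
    "176.126.113.228", "146.19.247.187", "62.204.41.126",
    "195.201.34.151", "194.233.168.238", "alpha.twinsources.shop",
}
# Behavioural rule from the text: the exfiltration archive is a .zip with a random
# 12-character name.
RANDOM_ZIP = re.compile(r"^[A-Za-z0-9]{12}\.zip$")

# Constructed log format (assumption): ts client METHOD url status bytes [filename=...]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "
    r"(?P<bytes>\d+)(?: filename=(?P<filename>\S+))?$"
)


def parse(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict) -> list:
    """Return the Arkei-related tags that apply to one parsed record (empty if none)."""
    tags = []
    url = rec["url"]
    host = urlsplit(url).hostname or ""
    if url in C2_URLS:
        tags.append("known-c2-url")
    elif host in C2_HOSTS:
        tags.append("known-c2-host")
    # Library fetch: the page notes the server ships the required libraries as ZIP archives.
    if rec["method"] == "GET" and url.lower().endswith(".zip") and host in C2_HOSTS:
        tags.append("library-download")
    # Exfiltration: POST of a 12-character random .zip; stronger when it goes to a known C2.
    fname = rec.get("filename") or ""
    if rec["method"] == "POST" and RANDOM_ZIP.match(fname):
        tags.append("random-12char-zip-upload")
        if host in C2_HOSTS:
            tags.append("exfiltration-to-c2")
    return tags


def analyze(lines: list) -> list:
    """Return (client, url, tags) for every line that trips at least one rule."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec:
            tags = classify(rec)
            if tags:
                hits.append((rec["client"], rec["url"], tags))
    return hits


# Constructed sample log: a benign fetch, the library download, the exfiltration
# upload, and a benign upload with an ordinary archive name.
SAMPLE_LOG = [
    "2023-12-02T10:14:58Z 10.0.0.7 GET https://www.example.com/index.html 200 5120",
    "2023-12-02T10:15:01Z 10.0.0.7 GET http://195.201.34.151:2083/getfiles.zip 200 2310144",
    "2023-12-02T10:15:09Z 10.0.0.7 POST http://alpha.twinsources.shop/gate.php 200 184320 filename=Kq8ZtR3pLm2W.zip",
    "2023-12-02T10:15:12Z 10.0.0.7 POST https://files.example.com/upload 200 9000 filename=report.zip",
]

if __name__ == "__main__":
    for client, url, tags in analyze(SAMPLE_LOG):
        print(client, url, ",".join(tags))
```

The random-name rule on its own is weak (many legitimate tools generate such names), which is why the script only escalates it to `exfiltration-to-c2` when the destination is also a known host; in practice the IOC sets would be refreshed from the tracker rather than hard-coded.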

Distribution of Arkei

Arkei finds its victims in a number of ways. It’s delivered with malicious email campaigns in infected attachments, distributed through malicious ads, and is sometimes found in cracked software.

Adversaries use trojan horse tactics to entice potential victims into installing Arkei on their systems, using social engineering techniques such as offering a free version of premium software.

Arkei has also been tied to campaigns utilizing SmokeLoader — an advanced modular malware used to gain an initial foothold in the system and drop other executables. Although SmokeLoader, as you probably have guessed from its name, is primarily used as a loader, it can be armed with information-stealing functionality itself — double the threat when used together with Arkei.

Conclusion

Arkei is a stealer that poses a significant risk to users' sensitive data, particularly crypto wallets.

But users can keep their login and password information, files, and 2FA data secure by following these best practices:

  • Avoiding clicking on suspicious links
  • Being vigilant with emails from unknown senders
  • Steering clear of lurid ads
  • Being mindful where they download software from

You can identify and analyze threats like Arkei — and more — in a matter of minutes using ANY.RUN’s interactive sandbox. Sign up for a demo!
