BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
43
Global rank
69 infographic chevron month
Month rank
79 infographic chevron week
Week rank
0
IOCs

Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.

Stealer
Type
ex-USSR
Origin
21 May, 2018
First seen
9 October, 2024
Last seen
Also known as
ArkeiStealer

How to analyze Arkei with ANY.RUN

Type
ex-USSR
Origin
21 May, 2018
First seen
9 October, 2024
Last seen

IOCs

IP addresses
5.252.178.50
104.0.0.0
103.0.0.0
45.84.0.112
45.67.229.135
45.67.35.117
176.126.113.228
146.19.247.187
62.204.41.126
Hashes
3a2be7855350184ea40ecac7315587f1256413b98c204c22ec78507812551a96
780db2201a60a16938c09875bbb0c5de57f5262393fc84512c6307c7598d7203
f321e067082cf4a0058f39ae3ea94366c3f32890352093513661deb722579f39
ef4d643d867aef497756d304dc2ba7dbb63ff3e7a439751bbf08879f5cf74e55
da71ff866ad3abae08644e82bbb238e44a19b126746bdaad506fef13e1058488
8748cad1dcf6b11e30c451b61d5eae35ac94d402b6eb606cc9353f81863ab3ca
4d7438e5dc1fd020f5202677267f342737e4bdbc3e85409ac45666585cd6b002
421f9782e6c65ce36a96d87ffb85ac0700508652b08ef77c1c2404c1beace839
7877c08fba0ff1a892650af1ddbecb5dff4f66d7f0b3d705815947392710a197
81180c513c6393c2308f7fb8a156c5b1e4a263e9b4b63a294140fc49ff4cfcc6
fb458f6d1ebde670a3ef01ae86c60934825106a695eb961f7d4ded6fa0aceb01
4b9eef55c79deb4eab36f37087c2d71ab95493595253660e5a6257081d0a9133
7cb5bbc9b0068839732a268d3a798c6d81161e09bc4dcd89d99814bf0ec24882
143d364dd50674268fcbf22c2914348ba92f6f1ec2822b43b39a5ba0ed316d77
f453a3f926f470564a28e7a7fa6321401eed343582b95cc285614997a7f7d835
bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
3ab80235610c9adcb3b7f5428174cbcd2c7473d467b16d282f3c78dddec422a2
556f8b06b92ddbc4008dea5298eab3934c61647a1cd7333a9087c37cc5a75456
873d7cc34e36a67ca9be2e9c5896df1a6984fd430e18fe4adb2c939a7c53d14f
96bfe4860eb78783dd945f6d3f30e25bd252449c8f18f871334bd7c66978fd30
Domains
mas.to
URLs
http://ip-api.com/line/
http://l3monrat.com/server.php
http://l3monrat.com/www//7.jpg
http://l3monrat.com/www//5.jpg
http://l3monrat.com/www//4.jpg
http://l3monrat.com/www//3.jpg
http://l3monrat.com/www//2.jpg
http://l3monrat.com/www//1.jpg
http://l3monrat.com/www//6.jpg
http://kenesrakishev.net/wp-admin/admin-ajax.php
https://t.me/tatlimark
https://steamcommunity.com/profiles/76561199536605936
http://104.194.151.11/AP.php
https://t.me/litlebey
https://steamcommunity.com/profiles/76561199472399815
http://62.204.41.69/
http://sughicent.com/
https://koyu.space/@ronxik123
http://prepepe.ac.ug/nss3.dll
http://prepepe.ac.ug/sqlite3.dll
Last Seen at
Last Seen at

Recent blog posts

post image
Private AI Assistant for Malware Analysis in...
watchers 925
comments 0
post image
5 Characteristics of Good Threat Intelligence...
watchers 467
comments 0
post image
New PhantomLoader Malware Distributes SSLoad:...
watchers 4027
comments 0

What is Arkei malware

Arkei is a stealer designed to exfiltrate information from infected systems. Typical for this malware type, it is distributed using Malware-as-a-Service (MaaL) model, which means that anyone can use the malware with minimal technical knowledge — all you need is to purchase access to a control pane from a website that sells the service.

This malware — which is written in C++ — targets Windows systems and is considered a medium impact and medium risk threat.

Having been around since 2018, Arkei has become popular among adversaries: not only is it widely used, but it has spawned several forks including Mars, Oski, and Vidar stealer, which we have covered before in the ANY.RUN trends trackers.

Arkei is capable of retrieving a variety of information from infected machines, including:

  • Form autosaves stored in the browser
  • Login and passwords
  • Files
  • Cryptocurrency wallets

Cryptocurrency owners are at the highest risk and are the main targets of Arkei. It can extract data from around 40 crypto wallet extensions, including MetaMask that accounts for over 80% of web3 wallet usage.

The stealer also targets more than 30 web browsers, including Chrome, Firefox, Microsoft Edge, Opera, Brave, and TOR.

Arkei can also target 2FA extensions, a capability it has had roughly since the beginning of 2022. It's unclear how attackers are planning to use this data, but it's certain that this development could pose new risks for both corporate and private users.

The specific data types that the malware targets depend on its configuration file — a ​​Base64-encoded file with the .PHP extensions — and will vary from campaign to campaign. The attacker can use it to set Arkei's behavior with custom rules, and target specific information.

It is important to note that Arkei terminates execution on machines from the ex-USSR regions.

The stealer identifies the region by accessing the language identifier of the Region Format setting. This behavior is typical for malware originating from the ex-USSR territories, which gives an insight into Arkei’s origin.

Arkei is equipped with multiple evasion techniques that help it avoid detection. For example, it checks that the computer name is not set to ​ “”HAL9TH”” and the username to “”JohnDoe” — these are the default settings of the Windows Defender emulator. It also checks if several DLLs are loaded in a process against a list of antivirus and emulation software.

Once it's time to gather the data, Arkei compiles its findings into a .zip archive, gives it a random 12-character name, and sends it to its control server. In addition to the information specified by the config file, it captures a system screenshot and extracts system information.

How to get more information from Arkei malware

You can obtain Arkei’s malware configurations in the ANY.RUN's sample.

Malware configuration of Arkei stealer Figure 1: Arkei configuration automatically extracted by ANY.RUN

Users can access comprehensive malware configuration data on ANY.RUN interactive online sandbox in as little as 10 seconds after starting the sandbox. There's no need to wait for the emulation to finish running.

Arkei execution process

After a system is infected, a TCP connection is established with the hacker's remote server. The server sends encoded Base64 parameters to the malware, including search path templates and file search masks. Using these parameters, the malware determines which information it needs to steal from the victim's computer.

The malware then requests the libraries necessary for its operation from the remote server. These libraries are sent as ZIP archives.

Subsequent communication with the server involves sending stolen files to the C2 server. Some threat actors use packing techniques on Arkei samples (T1027.002) to avoid detection by signatures. An example of this behavior can be seen in this task we recorded in ANY.RUN.

After launching the packed sample, the AppLaunch.exe process is created in the system, which is part of the .NET Framework. The malicious code is then injected into this process.

Distribution of Arkei

Arkei finds its victims in a number of ways. It’s delivered with malicious email campaigns in infected attachments, distributed through malicious ads, and is sometimes found in cracked software.

Adversaries use trojan horse tactics to entice potential victims into installing Arkei to their systems: social engineering techniques can be utilized, such as offering a free version of a premium software.

Arkei has also been tied to campaigns utilizing SmokeLoader — an advanced modular malware used to gain an initial foothold in the system and drop other executables. Although Smoke Loader, as you probably have guessed from its name, is primarily used as a loader, it can be armed with information stealing functionality itself — double the threat, when used together with Arkei.

Conclusion

Arkei is a that poses a significant risk to users' sensitive data, particularly crypto wallets.

But users can keep their login and password information, files, and 2FA data secure by following these best practices:

  • Avoiding clicking on suspicious links
  • Being vigilant with emails from unknown senders
  • Staying clear from lurid ads
  • Being mindful where they download software from

You can identify and analyze threats like Arkei — and more — in a matter of minutes using ANY.RUN’s interactive sandbox. Sign up for a demo!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More