File name: | b2753d2782d31f9b99932638271c4306ea84b61d38da3fe6468f5487b8508635 |
Full analysis: | https://app.any.run/tasks/b09641a8-a08e-40eb-ad1a-a1b4e60aefa1 |
Verdict: | Malicious activity |
Threats: | Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files. |
Analysis date: | October 05, 2022, 00:05:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | B4A5E3D80219A9E039B322A30929E0E8 |
SHA1: | 49A86043BF2FB36C37EF1F8345FB1203788CFC4C |
SHA256: | B2753D2782D31F9B99932638271C4306EA84B61D38DA3FE6468F5487B8508635 |
SSDEEP: | 6144:wI4MeTYb8F4tbelpx8IpllwGxTQEAtYZ3S8E/woq/8YSBXxjdZmaxzM+0SR3YAQD:ig6SKlpx8I94YZ3CqExx0+0FpUUkrAP |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (72.2) |
---|---|---|
.scr | | | Windows screen saver (12.9) |
.dll | | | Win32 Dynamic Link Library (generic) (6.4) |
.exe | | | Win32 Executable (generic) (4.4) |
.exe | | | Generic Win/DOS Executable (1.9) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2022-Aug-01 02:27:35 |
Comments: | - |
CompanyName: | Builders Emporium |
FileDescription: | Kruskal |
FileVersion: | 1.0.0.1 |
InternalName: | ExceptionHandlingClauseOpti.exe |
LegalCopyright: | Builders Emporium 2022 (C) |
LegalTrademarks: | - |
OriginalFilename: | ExceptionHandlingClauseOpti.exe |
ProductName: | Kruskal |
ProductVersion: | 1.0.0.1 |
Assembly Version: | 1.0.0.0 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 2022-Aug-01 02:27:35 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 8192 | 599784 | 600064 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.36273 |
.rsrc | 614400 | 7696 | 8192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.14246 |
.reloc | 622592 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 7.87768 | 5964 | UNKNOWN | UNKNOWN | RT_ICON |
32512 | 1.51664 | 20 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
1 (#2) | 3.34074 | 912 | UNKNOWN | UNKNOWN | RT_VERSION |
1 (#3) | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1160 | "C:\Users\admin\AppData\Local\Temp\b2753d2782d31f9b99932638271c4306ea84b61d38da3fe6468f5487b8508635.exe" | C:\Users\admin\AppData\Local\Temp\b2753d2782d31f9b99932638271c4306ea84b61d38da3fe6468f5487b8508635.exe | Explorer.EXE | ||||||||||||
User: admin Company: Builders Emporium Integrity Level: MEDIUM Description: Kruskal Exit code: 0 Version: 1.0.0.1 Modules
| |||||||||||||||
3112 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dTxeIQQKn" /XML "C:\Users\admin\AppData\Local\Temp\tmp7309.tmp" | C:\Windows\System32\schtasks.exe | — | b2753d2782d31f9b99932638271c4306ea84b61d38da3fe6468f5487b8508635.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1868 | "C:\Users\admin\AppData\Local\Temp\b2753d2782d31f9b99932638271c4306ea84b61d38da3fe6468f5487b8508635.exe" | C:\Users\admin\AppData\Local\Temp\b2753d2782d31f9b99932638271c4306ea84b61d38da3fe6468f5487b8508635.exe | b2753d2782d31f9b99932638271c4306ea84b61d38da3fe6468f5487b8508635.exe | ||||||||||||
User: admin Company: Builders Emporium Integrity Level: MEDIUM Description: Kruskal Version: 1.0.0.1 Modules
| |||||||||||||||
912 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (912) Explorer.EXE | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (912) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU |
Operation: | write | Name: | NodeSlots |
Value: 02 | |||
(PID) Process: | (912) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU |
Operation: | write | Name: | MRUListEx |
Value: FFFFFFFF | |||
(PID) Process: | (912) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop |
Operation: | write | Name: | Mode |
Value: 1 | |||
(PID) Process: | (912) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop |
Operation: | write | Name: | LogicalViewMode |
Value: 3 | |||
(PID) Process: | (912) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop |
Operation: | write | Name: | FFlags |
Value: | |||
(PID) Process: | (912) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop |
Operation: | write | Name: | IconSize |
Value: 48 | |||
(PID) Process: | (912) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop |
Operation: | write | Name: | ColInfo |
Value: 00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A000000A000000030F125B7EF471A10A5F102608C9EEBAC0C00000050000000A66A63283D95D211B5D600C04FD918D00B0000007800000030F125B7EF471A10A5F102608C9EEBAC0E00000078000000 | |||
(PID) Process: | (912) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop |
Operation: | write | Name: | Sort |
Value: 000000000000000000000000000000000100000030F125B7EF471A10A5F102608C9EEBAC0A00000001000000 | |||
(PID) Process: | (912) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop |
Operation: | write | Name: | GroupView |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1160 | b2753d2782d31f9b99932638271c4306ea84b61d38da3fe6468f5487b8508635.exe | C:\Users\admin\AppData\Roaming\dTxeIQQKn.exe | executable | |
MD5:B4A5E3D80219A9E039B322A30929E0E8 | SHA256:B2753D2782D31F9B99932638271C4306EA84B61D38DA3FE6468F5487B8508635 | |||
1160 | b2753d2782d31f9b99932638271c4306ea84b61d38da3fe6468f5487b8508635.exe | C:\Users\admin\AppData\Local\Temp\tmp7309.tmp | xml | |
MD5:FF2DF0DF151CACA338F80ED79AAA02FA | SHA256:B9CECBD03C3CB1901D262166CF549E84E254E392D0F0AD2B72995EBBB26DB005 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1868 | b2753d2782d31f9b99932638271c4306ea84b61d38da3fe6468f5487b8508635.exe | 76.8.53.138:1198 | — | D102-PHL-1 | US | malicious |