General
- Target: 945f16ba568f354266e21bbe20f7199c17d9a0068ed8b69b09abfb1d2e55e8bb
- Size: 332KB
- Sample: 220121-2j57vsbhgq
- MD5: c901d2a9836c9f911e1d59a656c09b4a
- SHA1: 20fb92b3a220ca0ca23a49c6022c421310ac12c4
- SHA256: 945f16ba568f354266e21bbe20f7199c17d9a0068ed8b69b09abfb1d2e55e8bb
- SHA512: 44e556a100b31778e5132568d6ebb18b1cfb092e7e2805eb201eff69d5f74c1edf0aeefe1c11301fce545b04098e10a5ea656df4f86b4d3d3e4b5a87290afd33
Static task: static1

Malware Config
- Extracted: arkei
- Default: http://homesteadr.link/ggate.php
Targets
- Suspicious use of NtCreateProcessExOtherParentProcess
- Arkei Stealer Payload
- Downloads MZ/PE file
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.