General
-
Target
156f73bb1241ddd75420fa0a99fb04eafe90a7f3aa7ad95dba1e42b0df995fcc
-
Size
269KB
-
Sample
220121-3szxwadhel
-
MD5
c79692868d54348d3606835ff47eb29d
-
SHA1
2342d85852a5f8094e55d30a6ea393cbcf675f1d
-
SHA256
156f73bb1241ddd75420fa0a99fb04eafe90a7f3aa7ad95dba1e42b0df995fcc
-
SHA512
53fb7fd37871f765905c22f34a208c15f0c0d91cb82f13bb5eefbdb2ba84dcf38eaf4e27cebe67822655578e7526f887090537709e7e77b4891c2916ac3e73dd
Static task
static1
Malware Config
Extracted
arkei
Default
http://homesteadr.link/ggate.php
Targets
-
-
Target
156f73bb1241ddd75420fa0a99fb04eafe90a7f3aa7ad95dba1e42b0df995fcc
-
Size
269KB
-
MD5
c79692868d54348d3606835ff47eb29d
-
SHA1
2342d85852a5f8094e55d30a6ea393cbcf675f1d
-
SHA256
156f73bb1241ddd75420fa0a99fb04eafe90a7f3aa7ad95dba1e42b0df995fcc
-
SHA512
53fb7fd37871f765905c22f34a208c15f0c0d91cb82f13bb5eefbdb2ba84dcf38eaf4e27cebe67822655578e7526f887090537709e7e77b4891c2916ac3e73dd
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
-
Arkei Stealer Payload
-
Downloads MZ/PE file
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-