General
- Target: d57c23fd77bf91045b7bb1ee51c17387d3573ed0160f760f3e33b0d4be14f061
- Size: 333KB
- Sample: 220121-r6apcshgh8
- MD5: eaeec61c422f1ecd8a287a70a757f398
- SHA1: 4dd730ec9999670c2aa6331f0d0358a5383e3618
- SHA256: d57c23fd77bf91045b7bb1ee51c17387d3573ed0160f760f3e33b0d4be14f061
- SHA512: 15e20c1dbe5fe9a74efa23c9ca2dc9d542b6b1de24ca79b7590c4cd76797a94221e86be8a3b84cc13f2b3fb081937a4840d21880c44ffcb662f37fbc281b0b21
Static task
- static1
Malware Config
- Extracted: arkei
- Default
- http://file-file-host4.com/tratata.php
Targets
- Target: d57c23fd77bf91045b7bb1ee51c17387d3573ed0160f760f3e33b0d4be14f061
- Size: 333KB
- MD5: eaeec61c422f1ecd8a287a70a757f398
- SHA1: 4dd730ec9999670c2aa6331f0d0358a5383e3618
- SHA256: d57c23fd77bf91045b7bb1ee51c17387d3573ed0160f760f3e33b0d4be14f061
- SHA512: 15e20c1dbe5fe9a74efa23c9ca2dc9d542b6b1de24ca79b7590c4cd76797a94221e86be8a3b84cc13f2b3fb081937a4840d21880c44ffcb662f37fbc281b0b21
- Suspicious use of NtCreateProcessExOtherParentProcess
- Arkei Stealer Payload
- Downloads MZ/PE file
- Sets service image path in registry
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.