General
- Target: 3920501bc3dd2500e08f7db8baa048248c632832358932d0059474496082b2ae
- Size: 332KB
- Sample: 220121-x5rt5sagh8
- MD5: cc4bce68bc6e83ee07c3e6daf9faa2e3
- SHA1: dbcbe4d3c35e453aad4f11b50b25b015aa479728
- SHA256: 3920501bc3dd2500e08f7db8baa048248c632832358932d0059474496082b2ae
- SHA512: a7f8a5832bd4d6fc2a8ebcf84b89b96b7df741355ab16f43c1e5993a71a897e6b7aa3b6bd21ef9b07d6b90a80a4cd3c0bca37c2b27072e568e044c71ef03829a
Static task
- static1

Malware Config
Extracted
- arkei
- Default: http://file-file-host4.com/tratata.php
Targets
- Target: 3920501bc3dd2500e08f7db8baa048248c632832358932d0059474496082b2ae (332KB; MD5/SHA1/SHA256/SHA512 as listed under General)
- Suspicious use of NtCreateProcessExOtherParentProcess
- Arkei Stealer Payload
- Downloads MZ/PE file
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.