General
- Target: de70fcd3247b3a3d0a420caf3bf775c04ff8171e0986468b459fb4fdbd576c93
- Size: 332KB
- Sample: 220121-xp4trsagc8
- MD5: 29ba04f7551dfb642f9bf058b1aafe88
- SHA1: 8a491f03d776a58512a1f3cce133b8e8fed7759f
- SHA256: de70fcd3247b3a3d0a420caf3bf775c04ff8171e0986468b459fb4fdbd576c93
- SHA512: 2414599e51b40ef3c6051d2a24580acc17e5f03e10b0b7f851b7f1f1a624bc289d4a49edce5910d25eb0de8b927427ea0636abdaee03b1125dcba09f85663299

Static task
- static1

Malware Config
- Extracted: arkei
- Default: http://file-file-host4.com/tratata.php
Targets
- Suspicious use of NtCreateProcessExOtherParentProcess
- Arkei Stealer Payload
- Downloads MZ/PE file
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.