General
- Target: 6b32726d67837d9481f11de1ee653d14b9a7c419bc3a295d1a2f2c81edda21df
- Size: 270KB
- Sample: 220122-1eg4ssdcb9
- MD5: a3a3e225edb26e710ef5d008839bcc95
- SHA1: 3ba34a66482a45eb824a5c8a7e02362a88bef52d
- SHA256: 6b32726d67837d9481f11de1ee653d14b9a7c419bc3a295d1a2f2c81edda21df
- SHA512: 0a3dac8af140e440ce47f357efc498340e9f630f87f0b928a59d9ead4cdc97b5439edbf3c29a447a9e9141159b04fe9a12f795938de7cac93c25bae6eec39fbc

Static task
- static1

Malware Config
Extracted
- Family: arkei
- Default C2: http://homesteadr.link/ggate.php

Targets
- Target: 6b32726d67837d9481f11de1ee653d14b9a7c419bc3a295d1a2f2c81edda21df
- Size: 270KB
- MD5: a3a3e225edb26e710ef5d008839bcc95
- SHA1: 3ba34a66482a45eb824a5c8a7e02362a88bef52d
- SHA256: 6b32726d67837d9481f11de1ee653d14b9a7c419bc3a295d1a2f2c81edda21df
- SHA512: 0a3dac8af140e440ce47f357efc498340e9f630f87f0b928a59d9ead4cdc97b5439edbf3c29a447a9e9141159b04fe9a12f795938de7cac93c25bae6eec39fbc

Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess
- Arkei Stealer Payload
- Downloads MZ/PE file
- Sets service image path in registry
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.