General
-
Target
556054f93158b8fc948bf415744e63f5ff5bf86be3ecc0b689c2e3805b7be847
-
Size
270KB
-
Sample
220122-dbp9nshegj
-
MD5
ec3a5295780b3ace65f07d1aa2ff9e68
-
SHA1
c1700bdee66806739763da5bdc52220ca1de45b8
-
SHA256
556054f93158b8fc948bf415744e63f5ff5bf86be3ecc0b689c2e3805b7be847
-
SHA512
091e1dbede8818869784ced80133e1353bc224a06d8f65982f3e1fc29e9bc7a04e9bde49aa2c3d84c16f90cf991fdab012c83bcc7a0e71bfd96e86c1c0df6728
Static task
static1
Malware Config
Extracted
arkei
Default
http://homesteadr.link/ggate.php
Targets
-
-
Target
556054f93158b8fc948bf415744e63f5ff5bf86be3ecc0b689c2e3805b7be847
-
Size
270KB
-
MD5
ec3a5295780b3ace65f07d1aa2ff9e68
-
SHA1
c1700bdee66806739763da5bdc52220ca1de45b8
-
SHA256
556054f93158b8fc948bf415744e63f5ff5bf86be3ecc0b689c2e3805b7be847
-
SHA512
091e1dbede8818869784ced80133e1353bc224a06d8f65982f3e1fc29e9bc7a04e9bde49aa2c3d84c16f90cf991fdab012c83bcc7a0e71bfd96e86c1c0df6728
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
-
Arkei Stealer Payload
-
Downloads MZ/PE file
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-