General
Target: 75676a789ead29e812b1fca070bc1d4a771eb78b52cc0cb07d713c786acf040a
Size: 270KB
Sample: 220122-w5j9maceg8
MD5: ff6ad44c43b91e55f25034ca5c9a6f96
SHA1: 429c1594027521a8990e85ea3dfea05b151e90eb
SHA256: 75676a789ead29e812b1fca070bc1d4a771eb78b52cc0cb07d713c786acf040a
SHA512: e09d614b2d09d0f7f40ba2225bdc29e2a0fc409347c91c76829c2ee1c6410ad5c9708565294bd6c1b00f528687688290038ca3dc6770f2846f572cce21d232b5
Static task: static1

Malware Config
Extracted: arkei
Default: http://homesteadr.link/ggate.php
Targets
- Suspicious use of NtCreateProcessExOtherParentProcess
- Arkei Stealer Payload
- Downloads MZ/PE file
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.