General
Target: b7f81c3639833e73edc017da64e789a24a2c1974a7a18e68f868bdd4a35865c4
Size: 284KB
Sample: 220123-226w4sgdgp
MD5: 82cd807305553d350a17753d6201d3ce
SHA1: 1eaaee1ca9eba9c56b4d8cdc796e96d4f7aa624c
SHA256: b7f81c3639833e73edc017da64e789a24a2c1974a7a18e68f868bdd4a35865c4
SHA512: eba0695016c42ffb99636d6bdc19bac97cadad8fa11dee8b3a2b947b64494e719f9a6852694b816db3813ac79fd3caf1b5e976b7a2a3f9adc1726260fbc9b36f
Static task: static1
Malware Config
Extracted family: arkei
Botnet: Default
C2: http://homesteadr.link/ggate.php
Targets
Target: b7f81c3639833e73edc017da64e789a24a2c1974a7a18e68f868bdd4a35865c4
- Suspicious use of NtCreateProcessExOtherParentProcess (a process was created with a parent other than the calling process, i.e. parent PID spoofing)
- Arkei Stealer Payload
- Downloads MZ/PE file
- Sets service image path in registry (writes an ImagePath value under the Services key, a common service-based persistence step)
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
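The signatures above are behavioural: each one is a rule over the API, registry, file and network events the sandbox recorded. The script below is an added example (not Triage's rule code and not part of this report) that reproduces the same kind of matching over a constructed event trace, so the reader can see what observable produces each line of the report. Everything beyond the report itself is an assumption: the event schema, the registry keys chosen for the location and Uninstall lookups (the report names only "country code" and "Uninstall key entries"), the wallet file markers, and the sample events. The "Arkei Stealer Payload" hit is a payload identification rule rather than a behavioural one, so it is not reproduced; a network rule keyed on the extracted C2 host is used instead.

```python
"""Toy behavioural-signature matcher, modelled loosely on the sandbox
signatures in this report.  Added example; not Triage's own rule code.
The event schema, the registry keys and the wallet file names are
assumptions, and SAMPLE_EVENTS is constructed to exercise each rule."""
import re
from typing import Iterable
from urllib.parse import urlparse

# Extracted C2 from the report's Malware Config section.
C2_URL = "http://homesteadr.link/ggate.php"
C2_HOST = urlparse(C2_URL).hostname

# Registry locations assumed to underlie the "location settings" and
# "installed software" signatures (the report only says "country code"
# and "Uninstall key entries").
GEO_KEYS = (r"control panel\international\geo", r"control panel\international\locale")
UNINSTALL_KEY = r"software\microsoft\windows\currentversion\uninstall"
# ImagePath value under any control set's Services key.
SERVICE_IMAGE_PATH = re.compile(
    r"system\\(currentcontrolset|controlset\d+)\\services\\[^\\]+\\imagepath$")
# Assumed markers of common wallet storage locations.
WALLET_MARKERS = ("wallet.dat", "\\exodus\\", "\\electrum\\", "\\atomic\\", "\\ethereum\\keystore")


def _norm(path: str) -> str:
    """Lower-case and backslash-normalise a registry or file path."""
    return path.replace("/", "\\").lower()


def match_signatures(events: Iterable[dict]) -> list[str]:
    """Return the behavioural signatures triggered by a sequence of events,
    in first-hit order, without duplicates."""
    hits: list[str] = []

    def add(name: str) -> None:
        if name not in hits:
            hits.append(name)

    for ev in events:
        kind = ev.get("type")
        path = _norm(ev.get("path", ""))
        if kind == "registry_read":
            if any(k in path for k in GEO_KEYS):
                add("Checks computer location settings")
            if UNINSTALL_KEY in path:
                add("Checks installed software on the system")
        elif kind == "registry_write" and SERVICE_IMAGE_PATH.search(path):
            add("Sets service image path in registry")
        elif kind == "file_read" and any(m in path for m in WALLET_MARKERS):
            add("Accesses cryptocurrency files/wallets, possible credential harvesting")
        elif kind == "http_request" and urlparse(ev.get("url", "")).hostname == C2_HOST:
            add("Contacts extracted Arkei C2")
        elif kind == "http_response" and ev.get("body", b"")[:2] == b"MZ":
            add("Downloads MZ/PE file")
        elif kind == "image_load" and ev.get("dropped"):
            add("Loads dropped DLL")
        elif kind == "process_create" and ev.get("parent_pid") != ev.get("creator_pid"):
            # Parent handed to NtCreateProcessEx differs from the creating
            # process: the pattern behind the OtherParentProcess signature.
            add("Suspicious use of NtCreateProcessExOtherParentProcess")
    return hits


# Constructed trace (not a real sandbox log) that should trip every rule once.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "creator_pid": 4000, "parent_pid": 612},
    {"type": "registry_read", "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry_read",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example\DisplayName"},
    {"type": "registry_write", "path": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\ImagePath"},
    {"type": "file_read", "path": r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"type": "http_request", "method": "POST", "url": C2_URL},
    {"type": "http_response", "url": "http://homesteadr.link/sqlite3.dll", "body": b"MZ\x90\x00"},
    {"type": "image_load", "path": r"C:\ProgramData\sqlite3.dll", "dropped": True},
    {"type": "registry_read", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},  # benign noise
]

if __name__ == "__main__":
    for sig in match_signatures(SAMPLE_EVENTS):
        print("-", sig)
```

Running the block prints the eight matched signatures in the order the constructed events trigger them; the benign Run-key read at the end produces nothing, which is the point of keying the location and software checks on specific subkeys rather than on any registry read.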