General
- Target: 804b3aa21fe5c2bd6dfbf9174b9c5ece7b986981be8c901a422298de0996e3fa
- Size: 270KB
- Sample: 220123-frav2afaal
- MD5: 470d3ecde250c65b86e3f58fb954e7df
- SHA1: e7ada9b64126de55ebaa82aa6975698ca221d85c
- SHA256: 804b3aa21fe5c2bd6dfbf9174b9c5ece7b986981be8c901a422298de0996e3fa
- SHA512: 3a3be4d615e1eb05041257eff9e350c55048de01329e4b833a5bafce637ec96c852fae0d9f078488895cc5074fae69b2794bf63dd501be0c57f23dc12bebe1b8
Static task: static1
Malware Config
- Extracted family: arkei
- Default: http://homesteadr.link/ggate.php
Targets
- Target: 804b3aa21fe5c2bd6dfbf9174b9c5ece7b986981be8c901a422298de0996e3fa
- Size: 270KB
- MD5: 470d3ecde250c65b86e3f58fb954e7df
- SHA1: e7ada9b64126de55ebaa82aa6975698ca221d85c
- SHA256: 804b3aa21fe5c2bd6dfbf9174b9c5ece7b986981be8c901a422298de0996e3fa
- SHA512: 3a3be4d615e1eb05041257eff9e350c55048de01329e4b833a5bafce637ec96c852fae0d9f078488895cc5074fae69b2794bf63dd501be0c57f23dc12bebe1b8
- Suspicious use of NtCreateProcessExOtherParentProcess
- Arkei Stealer Payload
- Downloads MZ/PE file
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.