General
-
Target
8c9bac8acb30b32ee42a20b9c520c806bbe17c9c666b6d2ab03a4566f2c95cc0
-
Size
284KB
-
Sample
220124-ahl9tagfa6
-
MD5
73aa27714738718889d0e401c0a022c3
-
SHA1
7fb66980bf68069271698821b35e0de2968451d3
-
SHA256
8c9bac8acb30b32ee42a20b9c520c806bbe17c9c666b6d2ab03a4566f2c95cc0
-
SHA512
d6f631e956a93af20b597d88c5bd241365c60af84615d3de0160f8f669162335dc25ea910ae7de92997038b37544c5e34b638b4933e26e1683efd71a02b92f03
Static task
static1
Malware Config
Extracted
arkei
Default
http://coin-file-file-19.com/tratata.php
Targets
-
-
Target
8c9bac8acb30b32ee42a20b9c520c806bbe17c9c666b6d2ab03a4566f2c95cc0
-
Size
284KB
-
MD5
73aa27714738718889d0e401c0a022c3
-
SHA1
7fb66980bf68069271698821b35e0de2968451d3
-
SHA256
8c9bac8acb30b32ee42a20b9c520c806bbe17c9c666b6d2ab03a4566f2c95cc0
-
SHA512
d6f631e956a93af20b597d88c5bd241365c60af84615d3de0160f8f669162335dc25ea910ae7de92997038b37544c5e34b638b4933e26e1683efd71a02b92f03
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Arkei Stealer Payload
-
Downloads MZ/PE file
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-