General
-
Target
8ec118f1e1f0b80207b38ce9c47868a13e136e07fca2a39fcd7944ebb5b6d90b
-
Size
284KB
-
Sample
220124-bnazeahchn
-
MD5
859dd564770fd5d85f5ae3a337339f94
-
SHA1
31ffb57ec8c76bb54e072746f9fcd2635d430a3f
-
SHA256
8ec118f1e1f0b80207b38ce9c47868a13e136e07fca2a39fcd7944ebb5b6d90b
-
SHA512
f5d4d59c75cf536287a06af0a626ea17284b8d1a990405ccc0f00f5ecbebae9b28d1c9a1f3835c35048388fb54da91db89304335b948f28808535ae0c501c03e
Static task
static1
Malware Config
Extracted
arkei
Default
http://homesteadr.link/ggate.php
Targets
-
-
Target
8ec118f1e1f0b80207b38ce9c47868a13e136e07fca2a39fcd7944ebb5b6d90b
-
Size
284KB
-
MD5
859dd564770fd5d85f5ae3a337339f94
-
SHA1
31ffb57ec8c76bb54e072746f9fcd2635d430a3f
-
SHA256
8ec118f1e1f0b80207b38ce9c47868a13e136e07fca2a39fcd7944ebb5b6d90b
-
SHA512
f5d4d59c75cf536287a06af0a626ea17284b8d1a990405ccc0f00f5ecbebae9b28d1c9a1f3835c35048388fb54da91db89304335b948f28808535ae0c501c03e
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Arkei Stealer Payload
-
Downloads MZ/PE file
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-