General
- Target: d2658e995c021d635a316cba2d201eb937207948bfe211aa1b9481bc5dcdb24c
- Size: 297KB
- Sample: 220125-vhevysbef4
- MD5: 6c0509aa249e7be165a27d32b138b265
- SHA1: 75fb22e8b592e9961d2fa399078972d2a942f961
- SHA256: d2658e995c021d635a316cba2d201eb937207948bfe211aa1b9481bc5dcdb24c
- SHA512: 27bec0af0d5b50272e8cf82ac7eab72e1bde57765e2691e3e3a83c6ae26c54487ea599a72991f25431169df1782a015a3aefae3f54cd68eac796fb07760e3251
Static task
static1
Malware Config
Extracted
arkei
Default
http://coin-file-file-19.com/tratata.php
Targets
- Target: d2658e995c021d635a316cba2d201eb937207948bfe211aa1b9481bc5dcdb24c (297KB; same hashes as listed under General)
- Suspicious use of NtCreateProcessExOtherParentProcess
- Arkei Stealer Payload
- Downloads MZ/PE file
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.