General
Target: 0b32637010737e98ee8d1eb73537d7747d870e44e4c5e17d7ea562cf71605da8
Size: 336KB
Sample: 220126-nmd1wsccbl
MD5: 728ea8a079304738242507b06624250b
SHA1: 738d80874e0d46f910482c7291eb6db07692de23
SHA256: 0b32637010737e98ee8d1eb73537d7747d870e44e4c5e17d7ea562cf71605da8
SHA512: 04c6c8eb98ac610c3c08ff6dd09c272f416c764f6d551de59e259ec9348aac067f07323ecb8a532e6cccc4dcea232471e3e59bd92d56096b5b9ef9e8998c8108
Static task: static1

Malware Config
Extracted: arkei
Default: http://coin-file-file-19.com/tratata.php
Targets
- Suspicious use of NtCreateProcessExOtherParentProcess
- Arkei Stealer Payload
- Downloads MZ/PE file
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.