General
-
Target
61450197a77e76502a34d0a9bbfdb2004905c563e34bac3c7d37d5e770b3bf60
-
Size
337KB
-
Sample
220126-w1tx9sgedk
-
MD5
25402edcf0c474b6bd2bc674b4612688
-
SHA1
c34dc1afd4d57050d9753e015098a7039f1d01e5
-
SHA256
61450197a77e76502a34d0a9bbfdb2004905c563e34bac3c7d37d5e770b3bf60
-
SHA512
befc27419e1a0eb3e1bdde5accb07c3de4b37dd8e4939c10ce304e99859a71f06a0505c4643408057f5a9cfaaa1643e5f6519b29b0361b61ec9f62669d91800b
Static task
static1
Malware Config
Extracted
arkei
Default
http://coin-file-file-19.com/tratata.php
Targets
-
-
Target
61450197a77e76502a34d0a9bbfdb2004905c563e34bac3c7d37d5e770b3bf60
-
Size
337KB
-
MD5
25402edcf0c474b6bd2bc674b4612688
-
SHA1
c34dc1afd4d57050d9753e015098a7039f1d01e5
-
SHA256
61450197a77e76502a34d0a9bbfdb2004905c563e34bac3c7d37d5e770b3bf60
-
SHA512
befc27419e1a0eb3e1bdde5accb07c3de4b37dd8e4939c10ce304e99859a71f06a0505c4643408057f5a9cfaaa1643e5f6519b29b0361b61ec9f62669d91800b
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
-
Arkei Stealer Payload
-
Downloads MZ/PE file
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-