General
Target: 3853494910312d9351224dc5001fc99db44b068417c8a90a5815e0fd53355bc3
Size: 352KB
Sample: 220129-fmecnaddbm
MD5: a2ceec05fd921ae5ff4829257f911442
SHA1: 0a6d7854a5431910dc55c545129f4069e4ff47fd
SHA256: 3853494910312d9351224dc5001fc99db44b068417c8a90a5815e0fd53355bc3
SHA512: 880a89f8deca1c9067b7c2885dece333eed0372a29d4190c28857dd4563319a9da18bf05194d22b9deacd456fa14cf9383ccf1c3ff67643abeb62edf3f6e9732
Static task: static1
Malware Config
Extracted: arkei
Default: http://coin-file-file-19.com/tratata.php
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
- Arkei Stealer Payload
- Downloads MZ/PE file
- Sets service image path in registry
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.