General
- Target: 2ea126f1ccaf54e9fcbf610e82561bcac077a17b9b389671e53bbce2a5df93b4
- Size: 351KB
- Sample: 220129-h4q4wsfdcn
- MD5: 7c14666aa7287967408b85ea07ca9443
- SHA1: 40f8098d44e142d0b553b2bff8fd50d4ca3a5677
- SHA256: 2ea126f1ccaf54e9fcbf610e82561bcac077a17b9b389671e53bbce2a5df93b4
- SHA512: a892ca447c82c17671d61204b2d4b41066ed636650303c29deda55286948e003c650bfe698d669b0666829cd2e2d8da0ff23155c1dfd77dbb71cf9b6ea7e4ca0
Static task: static1

Malware Config
- Extracted: arkei
- Default: http://coin-file-file-19.com/tratata.php
Targets
- Target: 2ea126f1ccaf54e9fcbf610e82561bcac077a17b9b389671e53bbce2a5df93b4 (351KB; same file as listed under General, hashes identical)
- Suspicious use of NtCreateProcessExOtherParentProcess
- Arkei Stealer Payload
- Downloads MZ/PE file
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.