General

Target: 205389d8d94a6fa6a3e88394b0cc0c1fbe6cfb5b33bf8f41960b103b2957036c
Size: 351KB
Sample: 220129-k1j8aahda3
MD5: a45555c7fec50bf3b09cfe1b96cc47e0
SHA1: d07a500c7d483b1805b4cdd13e8d826d5b783174
SHA256: 205389d8d94a6fa6a3e88394b0cc0c1fbe6cfb5b33bf8f41960b103b2957036c
SHA512: 48810ed5673aae5358d197d4abc5dac388e6a2642f0a465363c242aa8ba9a7c54f77b7798c4ea326ca4c942cfb2014764219f0ba6b8c65c8687c41064dbfecce
Static task: static1

Malware Config

Extracted family: arkei
Config: Default
C2: http://coin-file-file-19.com/tratata.php
Targets

Target: 205389d8d94a6fa6a3e88394b0cc0c1fbe6cfb5b33bf8f41960b103b2957036c
Size: 351KB
MD5: a45555c7fec50bf3b09cfe1b96cc47e0
SHA1: d07a500c7d483b1805b4cdd13e8d826d5b783174
SHA256: 205389d8d94a6fa6a3e88394b0cc0c1fbe6cfb5b33bf8f41960b103b2957036c
SHA512: 48810ed5673aae5358d197d4abc5dac388e6a2642f0a465363c242aa8ba9a7c54f77b7798c4ea326ca4c942cfb2014764219f0ba6b8c65c8687c41064dbfecce

Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess
  A process was created with a parent other than the calling process (parent PID spoofing).
- Arkei Stealer Payload
- Downloads MZ/PE file
- Sets service image path in registry
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate installed software.
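The registry-based signatures above ("Checks computer location settings", "Checks installed software on the system") and the extracted Arkei C2 URL can be turned into a small offline matcher over a behaviour trace. The following is an added example, not code from the sandbox or this report: the event format, the exact registry key set used for each signature, and the sample events are assumptions; only the C2 URL is taken from the report.

```python
# Added example (not part of the sandbox report): a minimal behaviour-signature
# matcher in the spirit of the report's registry and C2 signatures.
# The event schema and the registry prefixes are assumptions for illustration.
from urllib.parse import urlparse

# C2 URL as extracted in the report's malware config.
ARKEI_C2 = "http://coin-file-file-19.com/tratata.php"

# Assumed key prefixes backing each behaviour. The Geo key holds the
# configured country code (Nation value); the Uninstall keys list installed software.
GEO_KEYS = (r"HKCU\Control Panel\International\Geo",)
UNINSTALL_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)

SIG_GEO = "Checks computer location settings"
SIG_SOFTWARE = "Checks installed software on the system"
SIG_C2 = "Arkei C2 contact"


def _under(path, prefixes):
    """True if a registry path equals or lies beneath any prefix (case-insensitive)."""
    p = path.lower()
    return any(p == x.lower() or p.startswith(x.lower() + "\\") for x in prefixes)


def match_signatures(events):
    """Map a list of trace events to the signature names they trigger.

    events: dicts of the form {"type": "reg_read"|"reg_open"|"reg_enum", "path": ...}
            or {"type": "http", "url": ...}  (assumed schema).
    """
    hits = set()
    c2_host = urlparse(ARKEI_C2).netloc
    for ev in events:
        kind = ev.get("type")
        if kind in ("reg_read", "reg_open", "reg_enum") and _under(ev["path"], GEO_KEYS):
            hits.add(SIG_GEO)
        # Enumerating or opening the Uninstall hive is the software-inventory pattern.
        if kind in ("reg_open", "reg_enum") and _under(ev["path"], UNINSTALL_KEYS):
            hits.add(SIG_SOFTWARE)
        if kind == "http" and urlparse(ev["url"]).netloc == c2_host:
            hits.add(SIG_C2)
    return hits


# Constructed trace (not from the report) that exercises all three signatures.
SAMPLE_EVENTS = [
    {"type": "reg_read", "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "reg_enum", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"type": "reg_read", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "http", "url": "http://coin-file-file-19.com/tratata.php"},
]

if __name__ == "__main__":
    for name in sorted(match_signatures(SAMPLE_EVENTS)):
        print(name)
```

Matching on the key prefix rather than the full value name keeps the rule robust to whether the trace records the key open, the value read, or the enumeration, which differ between sandboxes.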