General
- Target: 8ffb6573ef6004fa8199d8ee775584e9d22f9da709cb46dcde3dd5b064b28eab
- Size: 266KB
- Sample: 220130-21198sbgek
- MD5: 6e11fa8458b4d6eb763bcf060f965633
- SHA1: ede7f5f8c5a976510c9e53aba88ac86e13ffb60e
- SHA256: 8ffb6573ef6004fa8199d8ee775584e9d22f9da709cb46dcde3dd5b064b28eab
- SHA512: f0ddfa6038cd776c06b8345f8952c687b298c091aec6cc23495ccae66ecf90da06d4b628a8d00cefd6c8fb1c81850fa83689a878d3db37ef99d871a02d992785
- Static task: static1

Malware Config
- Extracted family: arkei
- Config: Default
- C2: http://coin-file-file-19.com/tratata.php

Targets
- Target: 8ffb6573ef6004fa8199d8ee775584e9d22f9da709cb46dcde3dd5b064b28eab
- Size: 266KB
- MD5: 6e11fa8458b4d6eb763bcf060f965633
- SHA1: ede7f5f8c5a976510c9e53aba88ac86e13ffb60e
- SHA256: 8ffb6573ef6004fa8199d8ee775584e9d22f9da709cb46dcde3dd5b064b28eab
- SHA512: f0ddfa6038cd776c06b8345f8952c687b298c091aec6cc23495ccae66ecf90da06d4b628a8d00cefd6c8fb1c81850fa83689a878d3db37ef99d871a02d992785
- Suspicious use of NtCreateProcessExOtherParentProcess
  A process was created with an explicitly chosen parent other than the calling process (parent PID spoofing). The child then appears to descend from a benign process in any tool that trusts the parent recorded for it, such as Sysmon Event ID 1.
- Arkei Stealer Payload
- Downloads MZ/PE file
- Sets service image path in registry
  Writes an ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<name>, i.e. registers a service binary or redirects an existing one.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence that decides whether the stealer runs at all.
- Loads dropped DLL
  Consistent with the downloaded PE files above; stealers of this family commonly fetch DLL dependencies needed to parse browser credential stores rather than bundling them.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Enumerates entries under the registry Uninstall key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to list the software installed on the host.
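The two signatures above that leave host telemetry behind (the spoofed-parent process creation and the service ImagePath write) can be turned into detections. The Python below is an added example written for this page, not output of the sandbox or code from the sample. It runs two rules over a constructed, normalised event stream: parent PID spoofing is caught by comparing the process that actually issued the create call (for an ETW Microsoft-Windows-Kernel-Process ProcessStart event that is the event header's process ID, since the event is raised in the creator's context) against the parent the child claims; service persistence is caught by matching registry value writes (as Sysmon Event ID 13 would report) to `...\Services\<name>\ImagePath` and flagging paths that resolve into user-writable directories, which narrows the report's generic "sets service image path" to the suspicious case. The record field names (`event`, `pid`, `image`, `claimed_parent_pid`, `creator_pid`, `target`, `details`), the PIDs, the service name `UpdSvc` and every file path are assumptions of the constructed data, not values from this sample.

```python
"""Host-side detections for two behaviours in the report (added example).

The events below are constructed and normalised; the field names are an
assumed pipeline schema (ETW Microsoft-Windows-Kernel-Process for process
starts, Sysmon Event ID 13 for registry value writes), not the raw schema
of either source.
"""
import re
from typing import Iterable

# HKLM\SYSTEM\<control set>\Services\<name>\ImagePath is where a service binary
# is registered; group(2) captures the service name.
SERVICES_IMAGEPATH = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)\\ImagePath$",
    re.IGNORECASE,
)

# Locations a standard user can write to. Legitimate services rarely live here;
# dropped payloads usually do.
USER_WRITABLE = re.compile(
    r"(\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\)",
    re.IGNORECASE,
)
# REG_EXPAND_SZ values may name the same locations through environment variables.
USER_WRITABLE_ENV = re.compile(r"%(TEMP|TMP|APPDATA|LOCALAPPDATA)%", re.IGNORECASE)


def detect_ppid_spoofing(events: Iterable[dict]) -> list[dict]:
    """Flag process starts whose claimed parent is not the process that created them.

    With PROC_THREAD_ATTRIBUTE_PARENT_PROCESS the kernel records the *claimed*
    parent for the child, so parent-aware tooling shows that parent, while the
    ETW ProcessStart event is logged in the context of the real caller and its
    header ProcessId (here: creator_pid) identifies who really made the call.
    """
    hits = []
    for ev in events:
        if ev.get("event") != "process_start":
            continue
        if ev["creator_pid"] != ev["claimed_parent_pid"]:
            hits.append({
                "pid": ev["pid"],
                "image": ev["image"],
                "claimed_parent_pid": ev["claimed_parent_pid"],
                "creator_pid": ev["creator_pid"],
            })
    return hits


def detect_user_writable_service_paths(events: Iterable[dict]) -> list[dict]:
    """Flag ImagePath writes that point a service binary into a user-writable dir."""
    hits = []
    for ev in events:
        if ev.get("event") != "registry_set":
            continue
        m = SERVICES_IMAGEPATH.match(ev["target"])
        if not m:
            continue
        value = ev["details"]
        if USER_WRITABLE.search(value) or USER_WRITABLE_ENV.search(value):
            hits.append({"service": m.group(2), "image_path": value, "writer": ev["image"]})
    return hits


# Constructed sample stream (assumed data, not telemetry from this sample).
SAMPLE_EVENTS = [
    # Normal launch: explorer (3088) both created the process and is its parent.
    {"event": "process_start", "pid": 4120, "image": r"C:\Users\victim\Downloads\invoice.exe",
     "claimed_parent_pid": 3088, "creator_pid": 3088},
    # Spoofed: claims PID 1000 as parent, but PID 4120 issued the create call.
    {"event": "process_start", "pid": 4312, "image": r"C:\Windows\System32\svchost.exe",
     "claimed_parent_pid": 1000, "creator_pid": 4120},
    # Service registered with a binary under the user's AppData: suspicious.
    {"event": "registry_set", "image": r"C:\Users\victim\Downloads\invoice.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc\ImagePath",
     "details": r"C:\Users\victim\AppData\Roaming\upd\upd.exe"},
    # Benign: system service under %SystemRoot%.
    {"event": "registry_set", "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath",
     "details": r"%SystemRoot%\System32\spoolsv.exe"},
    # Uninstall-key write by an installer: not a service path, must not match.
    {"event": "registry_set", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ABC}\DisplayName",
     "details": "Some Vendor App"},
]

if __name__ == "__main__":
    for hit in detect_ppid_spoofing(SAMPLE_EVENTS):
        print("parent PID spoofing:", hit)
    for hit in detect_user_writable_service_paths(SAMPLE_EVENTS):
        print("service ImagePath in user-writable directory:", hit)
```

Run against the constructed stream, the first rule flags only PID 4312 (claimed parent 1000, real creator 4120) and the second flags only `UpdSvc`; the Spooler write and the Uninstall-key write stay quiet. The same rules apply to real telemetry once the normalisation step maps the ETW header process ID and the Sysmon `TargetObject`/`Details` fields onto the assumed names.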