General
Target: 52d3c8af3cabfedb2589968e9c2eae71358ccd4e2627b65e98e92d93f95fb3b5
Size: 313KB
Sample: 220201-j7g6tsbhd6
MD5: cc7701e63927544968221d78b4a42254
SHA1: 38df6599802d171deca91fa7350a160ea8851f3a
SHA256: 52d3c8af3cabfedb2589968e9c2eae71358ccd4e2627b65e98e92d93f95fb3b5
SHA512: 749e17775654d5ebe8f808052bb84b50ba2dae33d835fce2db40db5d70da8844e9db75dfd409d19367024b4ca18ef43cb8dbb73909b6739661d433be1ecc61d5
Static task: static1

Malware Config
Extracted: arkei
Default: http://coin-file-file-19.com/tratata.php

Targets
Target: 52d3c8af3cabfedb2589968e9c2eae71358ccd4e2627b65e98e92d93f95fb3b5
Signatures:
- Suspicious use of NtCreateProcessExOtherParentProcess
- Arkei Stealer Payload
- Downloads MZ/PE file
- Sets service image path in registry
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.