2022-12-29 (Thursday) - Getting ready to shut down for the evening, and I wanted to try one more time.
This time I set up my Windows lab computer as a Brazil host with Portuguese language.
I saw another Google ad, this time to a fake AnyDesk page at computer-remote[.]site.
This time the malware was an #ArkeiStealer variant (#Vidar/#OkiStealer/#MarsStealer/whatever it's morphed into now).
Download link: hxxps://computer-remote[.]site/download.php
Download link redirects to a zip file hosted on Dropbox at: hxxps://dl.dropboxusercontent[.]com/s/hpkf0my15vts98l/SetupMain.zip?dl=0
Couldn't get the full zip uploaded to Malware Bazaar, because it was too big. Got it sent to VirusTotal, though.
- https://virustotal.com/gui/file/501830f4752ee2d4edd8f74509c59e4ec41949a71d5300574b574e69974f3e5a
51.8 MB zip download, containing a bunch of crap and a 624 MB Windows EXE file.
I carved the extracted EXE to remove the padding, and the carved sample is available at: https://bazaar.abuse.ch/sample/2e25487
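The carving step above is the one thing in this note an analyst will want to repeat on the next inflated sample. The script below is an added example, not the author's tooling and not anything from the sample itself: it reads the PE headers (e_lfanew, COFF header, section table), computes where the last raw section ends, and trims what follows. It assumes the inflation is null-byte padding appended after the last section; if a sample instead inflates a section's SizeOfRawData, the header-derived end will still be huge and this approach will not shrink it. The `build_padded_sample` helper constructs a tiny non-functional PE purely so the example runs offline.

```python
import struct
import sys

SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER is 40 bytes


def pe_section_end(data: bytes) -> int:
    """Return the file offset just past the last raw section declared in the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + size_opt
    # Never carve below the end of the headers themselves.
    end = sect_table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        off = sect_table + i * SECTION_HEADER_SIZE
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, ptr_raw + size_raw)
    return end


def carve(data: bytes, strict: bool = False) -> bytes:
    """Drop padding appended after the PE image.

    Default mode strips only trailing null bytes and never cuts into a declared
    section, so a legitimate non-null overlay (e.g. an Authenticode signature or
    an installer payload) is preserved. strict=True cuts exactly at the end of
    the last section and discards any overlay, padding or not.
    """
    header_end = pe_section_end(data)
    if strict:
        return data[:header_end]
    non_null_end = len(data.rstrip(b"\0"))
    return data[:max(header_end, non_null_end)]


def build_padded_sample(padding: int = 4096) -> bytes:
    """Construct a minimal, non-runnable PE with one section, followed by null padding (constructed test data)."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew -> PE signature at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x14C, 1)     # Machine=i386, NumberOfSections=1
    struct.pack_into("<H", buf, 0x44 + 16, 0)        # SizeOfOptionalHeader=0 (omitted in this toy)
    sect = 0x58                                      # section table directly after the COFF header
    buf[sect:sect + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", buf, sect + 8, 0x200, 0x1000, 0x200, 0x200)
    buf += b"\0" * (0x200 - len(buf))
    buf += b"A" * 0x1F0 + b"\0" * 0x10               # section content that itself ends in nulls
    buf += b"\0" * padding                           # the inflation
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python carve_pe.py <inflated.exe> <carved.exe>
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_padded_sample()
    trimmed = carve(raw)
    print(f"input {len(raw)} bytes, carved {len(trimmed)} bytes, removed {len(raw) - len(trimmed)} bytes")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(trimmed)
```

Compare the carved file's hash against the original before sharing it: the carved artifact is a different file from what the victim downloaded, so both hashes belong in the report.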
Analysis of the carved EXE:
- https://tria.ge/221230-fk3mgaa
- https://app.any.run/tasks/80236e10-6116-4b50-a1c1-58ac52b52a21
Even though my host was set up for Brazil Portuguese, the fake AnyDesk page and downloaded malware were in English.