Malware Analysis Report

2025-06-16 05:11

Sample ID 220419-bsmh1ahea2
Target 0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
SHA256 0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b
Tags arkei redline 04062022 default infostealer stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b

Threat Level: Known bad

The file 0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe was found to be: Known bad.

Observed execution chain (identical in both detonations): the sample drops Fvdfggf.exe into its own %TEMP% directory and executes it, starts a second copy of itself and writes into that copy's memory, and Fvdfggf.exe in turn writes into a newly started C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe (the sandbox's memory dumps of that regasm.exe process are listed under Files). Both runs repeatedly connect to 62.204.41.166:27688/tcp and also reach 62.204.41.69:80/tcp.

Malicious Activity Summary

arkei redline 04062022 default infostealer stealer

RedLine

Arkei

RedLine Payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-04-19 01:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-04-19 01:24
Reported 2022-04-19 01:32
Platform win7-20220414-en
Max time kernel 145s
Max time network 163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe"

Signatures

Arkei

stealer arkei

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A (no indicator details recorded for this signature)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target Recorded calls
PID 1120 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe 4
PID 1120 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe 5
PID 1484 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe 8

Processes

C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe

"C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe"

C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe

"C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe"

C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe

"C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Network

Country Destination Domain Proto Connections
RU 62.204.41.166:27688 N/A tcp 14
RU 62.204.41.69:80 62.204.41.69 tcp 1

Files

memory/1120-56-0x00000000753B1000-0x00000000753B3000-memory.dmp

\Users\Admin\AppData\Local\Temp\Fvdfggf.exe

MD5 e124d6fab64aa638922bc7861998fa8c
SHA1 3420d895a8ef834eaf85c800fb83b1eca0a7816e
SHA256 de8f8f5217cc3fca88d5261c8ad2c3115750ccf4f7bf3e7904760af2014959e3
SHA512 b456215751eeda2f5b633cd52b5b5d820d1dc96d9ec4f4f35fa4fa1c5859dd925c949f0f6270af80a12ede9f9ac45f4a979aea7f8d4da459ed05cd1b7bdd5ed7

memory/1484-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe (same dropped file as \Users\Admin\AppData\Local\Temp\Fvdfggf.exe above: identical MD5, SHA1, SHA256 and SHA512)

memory/1808-62-0x0000000000408430-mapping.dmp

memory/1120-65-0x0000000000550000-0x0000000000557000-memory.dmp

memory/1088-66-0x000000000041BC2E-mapping.dmp

memory/1088-68-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1088-69-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1808-70-0x0000000000400000-0x000000000043C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-04-19 01:24
Reported 2022-04-19 01:32
Platform win10v2004-20220414-en
Max time kernel 150s
Max time network 161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe"

Signatures

Arkei

stealer arkei

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A (no indicator details recorded for this signature)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe N/A

Geo\Nation holds the GeoID of the user's configured country. The report records only that the sample read the value, not what it did with it.

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target Recorded calls
PID 4060 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe 3
PID 4060 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe 4
PID 1508 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe

"C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe"

C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe

"C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe"

C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe

"C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
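The WriteProcessMemory tables of both detonations record the same three write relationships: the sample into the dropped Fvdfggf.exe, the sample into a second copy of itself, and Fvdfggf.exe into a freshly started regasm.exe. Together with the SetThreadContext and MapViewOfSection signatures in the summary, that is the usual process-hollowing sequence (start a trusted host, write the payload into it, redirect its thread). The following Python is an added example, not code from the sandbox or from this report: it takes the per-call rows as constructed input (PIDs and image paths copied from the report, one tuple per recorded call), collapses them per writer/target pair, labels each pair with a heuristic verdict, and walks the write chain from the root PID. The verdict names, the DOTNET_HOSTS list and the USER_WRITABLE pattern are this example's own assumptions, not sandbox signatures.

```python
"""Triage the cross-process writes recorded by the sandbox.

Added example; not code from the sandbox or the report. EVENTS is
transcribed from the report's "Suspicious use of WriteProcessMemory"
tables (one tuple per recorded call). The verdict labels, DOTNET_HOSTS
and the helper names are this example's own assumptions.
"""
import re
from collections import Counter

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe"
DROPPER = TEMP + r"\Fvdfggf.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

# (source PID, target PID, source image, target image); repeat counts match the report.
EVENTS = {
    "behavioral1 (win7)": [(1120, 1484, SAMPLE, DROPPER)] * 4
                        + [(1120, 1808, SAMPLE, SAMPLE)] * 5
                        + [(1484, 1088, DROPPER, REGASM)] * 8,
    "behavioral2 (win10)": [(4060, 1508, SAMPLE, DROPPER)] * 3
                         + [(4060, 1208, SAMPLE, SAMPLE)] * 4
                         + [(1508, 2560, DROPPER, REGASM)] * 4,
}

# Signed, normally idle .NET Framework utilities that are popular hollowing hosts (assumed list).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Anything under a user's AppData is writable without privileges, i.e. a dropper location.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(src_pid, dst_pid, src_img, dst_img):
    """Label one cross-process write; None means nothing this heuristic cares about."""
    if src_pid == dst_pid:
        return None  # a process writing to itself is not injection
    src_user = bool(USER_WRITABLE.match(src_img))
    if src_user and basename(dst_img) in DOTNET_HOSTS:
        return "inject_into_dotnet_host"   # user-dropped binary writing into a signed .NET host
    if src_img.lower() == dst_img.lower():
        return "write_into_own_copy"       # parent writing into a second instance of itself
    if src_user and USER_WRITABLE.match(dst_img):
        return "temp_to_temp_write"        # dropper-to-dropper, typical staging step
    return None


def analyze(events):
    """Collapse per-call rows into one record per (src, dst) pair with a verdict."""
    counts = Counter((s, d) for s, d, _, _ in events)
    images = {(s, d): (si, di) for s, d, si, di in events}
    findings = {}
    for (s, d), n in counts.items():
        si, di = images[(s, d)]
        verdict = classify(s, d, si, di)
        if verdict:
            findings[(s, d)] = {"writes": n, "source": si, "target": di, "verdict": verdict}
    return findings


def write_chain(events, root_pid):
    """PIDs reachable from root_pid by following writer -> target edges (depth first, lower PID first)."""
    edges = {}
    for s, d, _, _ in events:
        edges.setdefault(s, set()).add(d)
    order, seen = [], set()

    def visit(pid):
        if pid in seen:
            return
        seen.add(pid)
        order.append(pid)
        for child in sorted(edges.get(pid, ())):
            visit(child)

    visit(root_pid)
    return order


def verdict_set(events):
    """The set of verdicts observed, for comparing two detonations of the same sample."""
    return {f["verdict"] for f in analyze(events).values()}


if __name__ == "__main__":
    for run, events in EVENTS.items():
        root = events[0][0]
        print(run, "chain:", " -> ".join(map(str, write_chain(events, root))))
        for (s, d), f in sorted(analyze(events).items()):
            print(f"  {s}->{d} x{f['writes']:<2} {f['verdict']:<24} "
                  f"{basename(f['source'])} -> {basename(f['target'])}")
```

Running it shows the same three verdicts in both runs, which is the useful property for a detection rule: the PIDs change between detonations, the writer/target image relationships do not. The "inject_into_dotnet_host" pair (a %TEMP% executable writing into regasm.exe) is the one worth alerting on in production telemetry; the other two are supporting context.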

Network

Country Destination Domain Proto Connections
NL 104.110.191.133:80 N/A tcp 2
US 93.184.221.240:80 N/A tcp 8
RU 62.204.41.166:27688 N/A tcp 15
US 104.208.16.90:443 N/A tcp 1
RU 62.204.41.69:80 62.204.41.69 tcp 2 (domain recorded on one of the two rows)
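The two Network tables list one row per connection, which hides how few distinct endpoints there are and which of them recur. The following Python is an added example, not code from the sandbox or from this report: it re-parses the rows of both detonations (transcribed as constructed input with the same endpoints and counts as the report), aggregates them per endpoint, picks C2 candidates as non-web-port endpoints seen in both runs, flags other endpoints in the same /24, and emits Suricata rules for the candidates. The candidate heuristic, the /24 grouping, the rule message and the sid range are this example's assumptions, not anything the report states.

```python
"""Collapse the sandbox's per-connection network rows into unique endpoints
and derive C2 indicators plus Suricata rules from them.

Added example; not code from the sandbox or the report. BEHAVIORAL1 and
BEHAVIORAL2 are the two detonations' Network tables transcribed as
constructed input (same endpoints and counts). The C2 heuristic, the
same-/24 "related" rule and the sid numbering are this example's own
assumptions.
"""
import ipaddress
from collections import defaultdict

BEHAVIORAL1 = (
    ["RU 62.204.41.166:27688 tcp"]
    + ["RU 62.204.41.69:80 62.204.41.69 tcp"]
    + ["RU 62.204.41.166:27688 tcp"] * 13
)
BEHAVIORAL2 = (
    ["NL 104.110.191.133:80 tcp"] * 2
    + ["US 93.184.221.240:80 tcp"] * 8
    + ["RU 62.204.41.166:27688 tcp"] * 15
    + ["US 104.208.16.90:443 tcp"]
    + ["RU 62.204.41.69:80 tcp", "RU 62.204.41.69:80 62.204.41.69 tcp"]
)
RUNS = {"behavioral1": BEHAVIORAL1, "behavioral2": BEHAVIORAL2}


def parse_row(row):
    """'CC ip:port [domain] proto' -> (country, ip, port, domain or None, proto)."""
    parts = row.split()
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected row: {row!r}")
    country, dest, proto = parts[0], parts[1], parts[-1]
    domain = parts[2] if len(parts) == 4 else None
    ip, port = dest.rsplit(":", 1)
    ipaddress.ip_address(ip)  # reject garbage such as a hostname in the IP column
    return country, ip, int(port), domain, proto


def aggregate(runs):
    """{run: [rows]} -> {(ip, port, proto): {"count", "runs", "country", "domains"}}."""
    agg = defaultdict(lambda: {"count": 0, "runs": set(), "country": None, "domains": set()})
    for run, rows in runs.items():
        for row in rows:
            country, ip, port, domain, proto = parse_row(row)
            rec = agg[(ip, port, proto)]
            rec["count"] += 1
            rec["runs"].add(run)
            rec["country"] = country
            if domain:
                rec["domains"].add(domain)
    return dict(agg)


def c2_candidates(agg, min_runs=2, web_ports=(80, 443)):
    """Endpoints on a non-web port that recur across at least min_runs detonations.

    Web-port rows are left out on purpose: the report does not attribute a
    connection to a process, so on the win10 run they may mix the sample's
    traffic with whatever the OS fetches on its own."""
    return sorted(
        key for key, rec in agg.items()
        if key[1] not in web_ports and len(rec["runs"]) >= min_runs
    )


def related_endpoints(agg, candidates, prefix=24):
    """Other endpoints inside the same /prefix as a candidate: worth a second look, not a block."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip, _, _ in candidates}
    return sorted(
        key for key in agg
        if key not in candidates and any(ipaddress.ip_address(key[0]) in n for n in nets)
    )


def suricata_rules(endpoints, sid_start=1000001, msg="RedLine/Arkei C2 (sandbox 220419-bsmh1ahea2)"):
    """One alert rule per endpoint; sids are assumed free in the local 1000001+ range."""
    return [
        f'alert {proto} $HOME_NET any -> {ip} {port} '
        f'(msg:"{msg} {ip}:{port}"; flow:to_server; classtype:trojan-activity; '
        f'sid:{sid_start + i}; rev:1;)'
        for i, (ip, port, proto) in enumerate(endpoints)
    ]


if __name__ == "__main__":
    agg = aggregate(RUNS)
    for (ip, port, proto), rec in sorted(agg.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{rec['country']} {ip}:{port}/{proto:<3} x{rec['count']:<2} runs={sorted(rec['runs'])}")
    c2 = c2_candidates(agg)
    print("C2 candidates:", c2)
    print("related:", related_endpoints(agg, c2))
    print("\n".join(suricata_rules(c2)))
```

Running it reduces the 42 rows to five endpoints, reports 62.204.41.166:27688/tcp (29 connections across both runs) as the only candidate, and lists 62.204.41.69:80 as related because it sits in the same /24 and also appears in both runs. The port-80/443 destinations that only the win10 run contacted stay in the aggregate for reference but are not turned into rules.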

Files

memory/1508-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe

MD5 e124d6fab64aa638922bc7861998fa8c
SHA1 3420d895a8ef834eaf85c800fb83b1eca0a7816e
SHA256 de8f8f5217cc3fca88d5261c8ad2c3115750ccf4f7bf3e7904760af2014959e3
SHA512 b456215751eeda2f5b633cd52b5b5d820d1dc96d9ec4f4f35fa4fa1c5859dd925c949f0f6270af80a12ede9f9ac45f4a979aea7f8d4da459ed05cd1b7bdd5ed7

memory/1208-137-0x0000000000000000-mapping.dmp

memory/4060-138-0x0000000002AE0000-0x0000000002AE7000-memory.dmp

memory/2560-139-0x0000000000000000-mapping.dmp

memory/1208-141-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2560-140-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2560-142-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2560-143-0x0000000005C90000-0x00000000062A8000-memory.dmp

memory/2560-144-0x0000000005710000-0x0000000005722000-memory.dmp

memory/2560-145-0x0000000005840000-0x000000000594A000-memory.dmp

memory/2560-146-0x0000000005770000-0x00000000057AC000-memory.dmp