Malware Analysis Report
2025-04-13 10:41

Sample ID: 220507-b7gw3adefr
Target: fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
SHA256: fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f
Tags: arkei redline 04062022 default infostealer stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f
Threat Level: Known bad

The file fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe was found to be: Known bad.

Malicious Activity Summary

Tags: arkei redline 04062022 default infostealer stealer

RedLine
Arkei
RedLine Payload
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview
Reported: 2022-05-07 01:46

Signatures
N/A

Analysis: behavioral1

Detonation Overview
Submitted: 2022-05-07 01:46
Reported: 2022-05-07 01:55
Platform: win7-20220414-en
Max time kernel: 150s
Max time network: 160s

Command Line
"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

Signatures

Arkei (stealer arkei)
RedLine (infostealer redline)

RedLine Payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory
Description | Indicator | Process | Target
PID 1640 wrote to memory of 1328 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
PID 1640 wrote to memory of 1120 (5 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
PID 1328 wrote to memory of 1124 (8 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
    "C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"
C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
    "C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe"
C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
    "C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Network

Country | Destination | Domain | Proto
RU | 62.204.41.166:27688 | - | tcp (6 identical connections)

Files

memory/1640-56-0x00000000762C1000-0x00000000762C3000-memory.dmp

\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
    MD5: 2652215d4d7a57fc45691bb1d53fb6ce
    SHA1: 15838b55aa4b2dc05ca09b2b958056fcb17776bd
    SHA256: 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6
    SHA512: f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59

memory/1328-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
    MD5: 2652215d4d7a57fc45691bb1d53fb6ce
    SHA1: 15838b55aa4b2dc05ca09b2b958056fcb17776bd
    SHA256: 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6
    SHA512: f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59

memory/1120-64-0x0000000000408430-mapping.dmp
memory/1640-65-0x00000000024F0000-0x00000000024F7000-memory.dmp
memory/1124-66-0x000000000041BC2E-mapping.dmp
memory/1124-68-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1124-69-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1120-70-0x0000000000400000-0x000000000043C000-memory.dmp

Analysis: behavioral2

Detonation Overview
Submitted: 2022-05-07 01:46
Reported: 2022-05-07 01:55
Platform: win10v2004-20220414-en
Max time kernel: 149s
Max time network: 162s

Command Line
"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

Signatures

Arkei (stealer arkei)
RedLine (infostealer redline)

RedLine Payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A

Checks computer location settings
Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory
Description | Indicator | Process | Target
PID 3144 wrote to memory of 4356 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
PID 3144 wrote to memory of 4668 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
PID 4356 wrote to memory of 4792 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4356 wrote to memory of 2016 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
    "C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"
C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
    "C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe"
C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
    "C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Network

Country | Destination | Domain | Proto
NL | 8.238.23.254:80 | - | tcp (4 identical connections)
IE | 52.109.76.30:443 | - | tcp
US | 20.189.173.6:443 | - | tcp
RU | 62.204.41.166:27688 | - | tcp (5 identical connections)

Files

C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
    MD5: 2652215d4d7a57fc45691bb1d53fb6ce
    SHA1: 15838b55aa4b2dc05ca09b2b958056fcb17776bd
    SHA256: 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6
    SHA512: f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59

memory/4356-132-0x0000000000000000-mapping.dmp
memory/4668-137-0x0000000000000000-mapping.dmp
memory/3144-138-0x0000000002A20000-0x0000000002A27000-memory.dmp
memory/4792-139-0x0000000000000000-mapping.dmp
memory/2016-140-0x0000000000000000-mapping.dmp
memory/2016-141-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2016-142-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4668-143-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2016-144-0x0000000005450000-0x0000000005A68000-memory.dmp
memory/2016-145-0x0000000004EF0000-0x0000000004F02000-memory.dmp
memory/2016-146-0x0000000005020000-0x000000000512A000-memory.dmp
memory/2016-147-0x0000000004F50000-0x0000000004F8C000-memory.dmp