Malware Analysis Report

2025-04-13 10:41

Sample ID 220507-jmak9accd8
Target fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
SHA256 fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f
Tags arkei redline 04062022 default infostealer stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f

Threat Level: Known bad

The file fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe was found to be: Known bad.

Malicious Activity Summary

arkei redline 04062022 default infostealer stealer

RedLine

RedLine Payload

Arkei

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-05-07 07:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-05-07 07:46
Reported 2022-05-07 07:54
Platform win7-20220414-en
Max time kernel 128s
Max time network 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

Signatures

Arkei

stealer arkei

RedLine

infostealer redline

RedLine Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 948 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
PID 948 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
PID 948 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
PID 948 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
PID 948 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
PID 948 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
PID 948 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
PID 948 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
PID 948 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
PID 952 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 952 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 952 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 952 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 952 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 952 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 952 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 952 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

"C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe"

C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Network

Country | Destination | Domain | Proto
RU | 62.204.41.166:27688 | N/A | tcp
RU | 62.204.41.166:27688 | N/A | tcp
RU | 62.204.41.166:27688 | N/A | tcp
RU | 62.204.41.166:27688 | N/A | tcp

Files

memory/948-56-0x0000000074F21000-0x0000000074F23000-memory.dmp

\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

MD5 2652215d4d7a57fc45691bb1d53fb6ce
SHA1 15838b55aa4b2dc05ca09b2b958056fcb17776bd
SHA256 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6
SHA512 f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59

memory/952-59-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

MD5 2652215d4d7a57fc45691bb1d53fb6ce
SHA1 15838b55aa4b2dc05ca09b2b958056fcb17776bd
SHA256 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6
SHA512 f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59

C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

MD5 2652215d4d7a57fc45691bb1d53fb6ce
SHA1 15838b55aa4b2dc05ca09b2b958056fcb17776bd
SHA256 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6
SHA512 f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59

memory/1828-64-0x0000000000408430-mapping.dmp

memory/948-65-0x00000000003F0000-0x00000000003F7000-memory.dmp

memory/2000-66-0x000000000041BC2E-mapping.dmp

memory/1828-67-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2000-69-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2000-70-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-05-07 07:46
Reported 2022-05-07 07:54
Platform win10v2004-20220414-en
Max time kernel 147s
Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

Signatures

Arkei

stealer arkei

RedLine

infostealer redline

RedLine Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1512 wrote to memory of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
PID 1512 wrote to memory of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
PID 1512 wrote to memory of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
PID 3272 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3272 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3272 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3272 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1512 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
PID 1512 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
PID 1512 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
PID 1512 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

"C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

Network

Country | Destination | Domain | Proto
NL | 20.190.160.73:443 | N/A | tcp
NL | 20.190.160.73:443 | N/A | tcp
NL | 20.190.160.73:443 | N/A | tcp
NL | 20.190.160.129:443 | N/A | tcp
NL | 20.190.160.129:443 | N/A | tcp
NL | 20.190.160.129:443 | N/A | tcp
US | 20.42.65.85:443 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
NL | 20.190.160.6:443 | N/A | tcp
NL | 20.190.160.6:443 | N/A | tcp
NL | 20.190.160.6:443 | N/A | tcp
NL | 20.190.160.69:443 | N/A | tcp
NL | 20.190.160.69:443 | N/A | tcp
NL | 20.190.160.69:443 | N/A | tcp
NL | 20.190.160.4:443 | N/A | tcp
NL | 20.190.160.4:443 | N/A | tcp
NL | 20.190.160.4:443 | N/A | tcp
RU | 62.204.41.166:27688 | N/A | tcp
NL | 20.190.160.71:443 | N/A | tcp
NL | 20.190.160.71:443 | N/A | tcp
US | 13.107.42.16:443 | N/A | tcp
NL | 20.190.160.71:443 | N/A | tcp
RU | 62.204.41.166:27688 | N/A | tcp
RU | 62.204.41.166:27688 | N/A | tcp

Files

memory/3272-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

MD5 2652215d4d7a57fc45691bb1d53fb6ce
SHA1 15838b55aa4b2dc05ca09b2b958056fcb17776bd
SHA256 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6
SHA512 f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59

C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

MD5 2652215d4d7a57fc45691bb1d53fb6ce
SHA1 15838b55aa4b2dc05ca09b2b958056fcb17776bd
SHA256 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6
SHA512 f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59

memory/3704-137-0x0000000000000000-mapping.dmp

memory/3392-138-0x0000000000000000-mapping.dmp

memory/3272-139-0x0000000000610000-0x0000000000617000-memory.dmp

memory/3392-140-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3704-141-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3704-142-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3704-143-0x0000000006050000-0x0000000006668000-memory.dmp

memory/3704-144-0x0000000005AF0000-0x0000000005B02000-memory.dmp

memory/3704-145-0x0000000005C20000-0x0000000005D2A000-memory.dmp

memory/3704-146-0x0000000005B50000-0x0000000005B8C000-memory.dmp