Malware Analysis Report

2025-04-13 10:41

Sample ID 220507-q28vxscfb5
Target fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
SHA256 fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f
Tags
arkei redline 04062022 default infostealer stealer
score
10/10

Analysis Overview

score
10/10

SHA256

fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f

Threat Level: Known bad

The file fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe was found to be: Known bad.

Malicious Activity Summary

arkei redline 04062022 default infostealer stealer

RedLine

Arkei

RedLine Payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-07 13:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-07 13:46

Reported

2022-05-07 13:54

Platform

win7-20220414-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

Signatures

Arkei

stealer arkei

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1488 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
PID 1488 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
PID 1984 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

"C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe"

C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Network

Country Destination Domain Proto
RU 62.204.41.166:27688 tcp

Files

memory/1488-56-0x0000000076C81000-0x0000000076C83000-memory.dmp

\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

MD5 2652215d4d7a57fc45691bb1d53fb6ce
SHA1 15838b55aa4b2dc05ca09b2b958056fcb17776bd
SHA256 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6
SHA512 f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59

memory/1984-59-0x0000000000000000-mapping.dmp

memory/1996-64-0x0000000000408430-mapping.dmp

memory/1488-65-0x00000000008F0000-0x00000000008F7000-memory.dmp

memory/948-66-0x000000000041BC2E-mapping.dmp

memory/948-68-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1996-69-0x0000000000400000-0x000000000043C000-memory.dmp

memory/948-70-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-07 13:46

Reported

2022-05-07 13:55

Platform

win10v2004-20220414-en

Max time kernel

157s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

Signatures

Arkei

stealer arkei

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4292 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
PID 3028 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4292 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

"C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

Network

Country Destination Domain Proto
US 52.168.117.170:443 tcp
BE 67.27.153.254:80 tcp
NL 88.221.144.179:80 tcp
RU 62.204.41.166:27688 tcp

Files

memory/3028-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

MD5 2652215d4d7a57fc45691bb1d53fb6ce
SHA1 15838b55aa4b2dc05ca09b2b958056fcb17776bd
SHA256 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6
SHA512 f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59

memory/5088-138-0x0000000000000000-mapping.dmp

memory/4792-139-0x0000000000000000-mapping.dmp

memory/3028-140-0x0000000001FC0000-0x0000000001FC7000-memory.dmp

memory/5088-141-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5088-142-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4792-143-0x0000000000400000-0x000000000043C000-memory.dmp

memory/5088-144-0x0000000005580000-0x0000000005B98000-memory.dmp

memory/5088-145-0x0000000005020000-0x0000000005032000-memory.dmp

memory/5088-146-0x0000000005150000-0x000000000525A000-memory.dmp

memory/5088-147-0x00000000050A0000-0x00000000050DC000-memory.dmp