Malware Analysis Report

2025-04-13 10:41

Sample ID 220507-yhvg7afgbj
Target fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
SHA256 fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f
Tags
arkei redline 04062022 default infostealer stealer
score
10/10

Analysis Overview

score
10/10

SHA256

fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f

Threat Level: Known bad

The file fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe was found to be: Known bad.

Malicious Activity Summary

arkei redline 04062022 default infostealer stealer

RedLine

RedLine Payload

Arkei

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-05-07 19:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-07 19:47

Reported

2022-05-07 19:55

Platform

win7-20220414-en

Max time kernel

153s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

Signatures

Arkei

stealer arkei

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1900 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe 4
PID 1900 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe 5
PID 1440 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe 8

Processes

C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

"C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe"

C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Network

Country Destination Domain Proto Count
RU 62.204.41.166:27688 tcp 6

Files

memory/1900-56-0x0000000076011000-0x0000000076013000-memory.dmp

\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

MD5 2652215d4d7a57fc45691bb1d53fb6ce
SHA1 15838b55aa4b2dc05ca09b2b958056fcb17776bd
SHA256 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6
SHA512 f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59

memory/1440-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

MD5 2652215d4d7a57fc45691bb1d53fb6ce
SHA1 15838b55aa4b2dc05ca09b2b958056fcb17776bd
SHA256 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6
SHA512 f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59

memory/620-64-0x0000000000408430-mapping.dmp

memory/1900-65-0x00000000005C0000-0x00000000005C7000-memory.dmp

memory/620-66-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1432-67-0x000000000041BC2E-mapping.dmp

memory/1432-69-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1432-70-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-07 19:47

Reported

2022-05-07 19:55

Platform

win10v2004-20220414-en

Max time kernel

152s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

Signatures

Arkei

stealer arkei

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1416 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe 3
PID 1416 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe 4
PID 3912 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

"C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe"

C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Network

Country Destination Domain Proto Count
US 8.253.135.241:80 tcp 1
US 20.189.173.12:443 tcp 1
RU 62.204.41.166:27688 tcp 5
NL 104.110.191.140:80 tcp 2
NL 178.79.208.1:80 tcp 1

Files

memory/3912-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

MD5 2652215d4d7a57fc45691bb1d53fb6ce
SHA1 15838b55aa4b2dc05ca09b2b958056fcb17776bd
SHA256 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6
SHA512 f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59

memory/3984-137-0x0000000000000000-mapping.dmp

memory/360-138-0x0000000000000000-mapping.dmp

memory/3984-140-0x0000000000400000-0x000000000043C000-memory.dmp

memory/360-141-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3912-139-0x0000000000610000-0x0000000000617000-memory.dmp

memory/360-142-0x0000000000400000-0x0000000000420000-memory.dmp

memory/360-143-0x0000000005540000-0x0000000005B58000-memory.dmp

memory/360-144-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

memory/360-145-0x00000000050E0000-0x00000000051EA000-memory.dmp

memory/360-146-0x0000000005010000-0x000000000504C000-memory.dmp