Overview

overview

10

Static

static

0f63b4b465...1b.exe

windows7_x64

10

0f63b4b465...1b.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    167s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 07:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe

  • Size

    392KB

  • MD5

    5fea51478a01f10a78d428751e973aba

  • SHA1

    cb7f1e3acc3636a6f890edb8c44d0abe2674ec1c

  • SHA256

    0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b

  • SHA512

    47ea5c07b4d9d2bd5f9045906da94961f9d7d64e55c992435bdae2d21334daed98f096892da46f2bd18637f48ecac6bc80d6531c5a1cacceb7f3a46182e103c6

Score
10/10
arkeiredline04062022defaultinfostealerstealer

Malware Config

Extracted

Family

redline

Botnet

04062022

C2

62.204.41.166:27688

Attributes
  • auth_value

    48182fe753fa2aff7472da064aa2a5d9

Extracted

Family

arkei

Botnet

Default

C2

http://62.204.41.69/p8jG9WvgbE.php

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
    "C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4108
    • C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe
      "C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        3⤵
          PID:3368
      • C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
        "C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe"
        2⤵
          PID:1060

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe
        Filesize

        172KB

        MD5

        e124d6fab64aa638922bc7861998fa8c

        SHA1

        3420d895a8ef834eaf85c800fb83b1eca0a7816e

        SHA256

        de8f8f5217cc3fca88d5261c8ad2c3115750ccf4f7bf3e7904760af2014959e3

        SHA512

        b456215751eeda2f5b633cd52b5b5d820d1dc96d9ec4f4f35fa4fa1c5859dd925c949f0f6270af80a12ede9f9ac45f4a979aea7f8d4da459ed05cd1b7bdd5ed7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe
        Filesize

        172KB

        MD5

        e124d6fab64aa638922bc7861998fa8c

        SHA1

        3420d895a8ef834eaf85c800fb83b1eca0a7816e

        SHA256

        de8f8f5217cc3fca88d5261c8ad2c3115750ccf4f7bf3e7904760af2014959e3

        SHA512

        b456215751eeda2f5b633cd52b5b5d820d1dc96d9ec4f4f35fa4fa1c5859dd925c949f0f6270af80a12ede9f9ac45f4a979aea7f8d4da459ed05cd1b7bdd5ed7

        Download Submit

      • memory/1060-140-0x0000000000000000-mapping.dmp

        Download

      • memory/1060-142-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1664-132-0x0000000000000000-mapping.dmp

        Download

      • memory/1664-138-0x00000000008E0000-0x00000000008E7000-memory.dmp

        Filesize

        28KB

        Download

      • memory/3368-137-0x0000000000000000-mapping.dmp

        Download

      • memory/3368-141-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/3368-139-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3368-143-0x0000000005BE0000-0x00000000061F8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3368-144-0x0000000005620000-0x0000000005632000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3368-145-0x0000000005750000-0x000000000585A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3368-146-0x0000000005680000-0x00000000056BC000-memory.dmp

        Filesize

        240KB

        Download