arkei | 0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b

General

Target

0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
Size

392KB
MD5

5fea51478a01f10a78d428751e973aba
SHA1

cb7f1e3acc3636a6f890edb8c44d0abe2674ec1c
SHA256

0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b
SHA512

47ea5c07b4d9d2bd5f9045906da94961f9d7d64e55c992435bdae2d21334daed98f096892da46f2bd18637f48ecac6bc80d6531c5a1cacceb7f3a46182e103c6

Score

10^/10

arkei redline infostealer stealer

Malware Config

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1088-69-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
624	0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe

C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
"C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:624
- C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
  "C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe"
  2⤵
  PID:1624
- C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe
  "C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe"
  2⤵
  PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
1⤵
PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe

Filesize
92KB

MD5
65366db7a058a8f1f49b8012bb350b8b

SHA1
50aa1421ca2de96d96e275ccea85a6be74c91613

SHA256
7e1602d2fd9e56c97a2fc627d36bbea6324c36757722c1739c4d71bf9044bb60

SHA512
661042dd321184100807d82ae4078f3e19d8dd17b5b151e81c11341534dbc1d4753c0ea5f67a5dd017e6ce99d4ef5f08f08ec5bee64f5f24d5f6753801368e27

Download Submit
\Users\Admin\AppData\Local\Temp\Fvdfggf.exe

Filesize
54KB

MD5
acaa04356f2742b4b0c38bfeed410efd

SHA1
4065a3186197e88ababe47783d0802be79f204ac

SHA256
6ccd93423409fff82844491967f9def12f3befdf1075d468efa7169f4b56151a

SHA512
5811e891b374ae65b79520a5e9a3eff4a872d404971f2344b7e713d0c9428311b2ed92fa884a5220979f997af244f0744ad13250f8e17527b2d07ac6bc632abb

Download Submit
\Users\Admin\AppData\Local\Temp\Fvdfggf.exe

Filesize
102KB

MD5
798499b406e715d79eaaba2643726b25

SHA1
34b214230b8f35cb76a44e22fee3672f7d1991a8

SHA256
19ace5ab0fa3ec03106545da85db62cbe17e689abfb3240b686449d2f6c26ad3

SHA512
9acd28b0dcb8678cbd6e9be71f1df9169ca9465de2e3dbe41c5601a2cee01aab5bf169d65b896515f4e7ccb4adcb87c3d2e4963905aee7b2b274e72bbea69f14

Download Submit
memory/624-56-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download
memory/624-65-0x0000000002450000-0x0000000002457000-memory.dmp

Filesize
28KB

Download
memory/1088-69-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1088-70-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1624-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing