arkei | fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f

General

Target

fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
Size

692KB
MD5

837547af8d2a1f60f8bbe09066f0ffa2
SHA1

727421a8ea79d0c0562870c33d055224c7c9a4bc
SHA256

fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f
SHA512

579fe72723076eb6605660258caf1b8b2a2cf4f05c50f15c0a6a1d8226c13eb847ade0230e5bb1ba21c820e6b2ae0662b33725e65f7b43e0fb2f98c4e41d6961

Score

10^/10

arkei redline 04062022 infostealer stealer

Malware Config

Extracted

Family

redline

Botnet

04062022

C2

62.204.41.166:27688

Attributes

auth_value
48182fe753fa2aff7472da064aa2a5d9

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4728-142-0x0000000000400000-0x0000000000424000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

pid	Process
1928	dcaqbmme.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5012 set thread context of 4492	5012	fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe	85
PID 1928 set thread context of 4728	1928	dcaqbmme.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5012	fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
1928	dcaqbmme.exe
1928	dcaqbmme.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5012	fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
1928	dcaqbmme.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 1928	5012	fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe	80
PID 5012 wrote to memory of 1928	5012	fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe	80
PID 5012 wrote to memory of 1928	5012	fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe	80
PID 5012 wrote to memory of 4492	5012	fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe	85
PID 5012 wrote to memory of 4492	5012	fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe	85
PID 5012 wrote to memory of 4492	5012	fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe	85
PID 5012 wrote to memory of 4492	5012	fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe	85
PID 1928 wrote to memory of 4692	1928	dcaqbmme.exe	83
PID 1928 wrote to memory of 4692	1928	dcaqbmme.exe	83
PID 1928 wrote to memory of 4692	1928	dcaqbmme.exe	83
PID 1928 wrote to memory of 4692	1928	dcaqbmme.exe	83
PID 1928 wrote to memory of 4728	1928	dcaqbmme.exe	84
PID 1928 wrote to memory of 4728	1928	dcaqbmme.exe	84
PID 1928 wrote to memory of 4728	1928	dcaqbmme.exe	84
PID 1928 wrote to memory of 4728	1928	dcaqbmme.exe	84

C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
  "C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:4692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:4728
- C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
  "C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"
  2⤵
  PID:4492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

Filesize
96KB

MD5
e480b292e4fd5ee642cf3c2f80c694db

SHA1
d60ed8658e3adacb99608634f5204b19c17913b4

SHA256
9c5d14eb0adb7d6299c8ab560be48e40f41b3119dc4eb107012131cb37164d0b

SHA512
fdba7293b6d73103bfc6b36279a3d0b8c3aef6987c82a565d293e69b9b4ba9402461d07bef12d9289b58a14a74c326eda9981affa0dadfbbfdd8dcdba7d71ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe

Filesize
79KB

MD5
1a92b5a7332c516fb550f3f02d56cbba

SHA1
885ebe9245ac1e58bf1a58dbabfb5a2092ea5995

SHA256
fef665fb38bbaafdb11aa53e045729bb434b302768a99a4d721561b622af3c9a

SHA512
12b0be4db790f1e2014259bd1a937c5a700f122c1c1735f5ef3b59c98a431c665dd6f6a674df645bdbe86a508cdc3c9723ac68b92af06b4fd372d542f67d692b

Download Submit
memory/4492-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4728-141-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4728-142-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4728-145-0x0000000005090000-0x00000000050A2000-memory.dmp

Filesize
72KB

Download
memory/4728-146-0x00000000051C0000-0x00000000052CA000-memory.dmp

Filesize
1.0MB

Download
memory/4728-144-0x00000000055F0000-0x0000000005C08000-memory.dmp

Filesize
6.1MB

Download
memory/4728-147-0x00000000050F0000-0x000000000512C000-memory.dmp

Filesize
240KB

Download
memory/5012-138-0x0000000002B70000-0x0000000002B77000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing