redline | 07de0324fd15b8dab3b0c9e4345a2ecc0d2bc0c806f6702cda99e480e9d6506c

Analysis

max time kernel
113s
max time network
136s
platform
windows10_x64
resource
win10-en-20211014
submitted
05-12-2021 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fortnite Hack Mod v1.4.exe
Size

6.0MB
MD5

2bc87a9ad768070676676654252ebdae
SHA1

e769f41e2b36b7326b692c27fa8555d55e3fdcb4
SHA256

07de0324fd15b8dab3b0c9e4345a2ecc0d2bc0c806f6702cda99e480e9d6506c
SHA512

ef86cec20badf91e48e9ce60d93618235dcd3fcc274d463b2950c5ed81cbcf8fc8268efd9493a5257783497c547c298ca64ab620fad11c3be24b2f03c7e14418

Score

10^/10

redline discovery evasion infostealer spyware stealer trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/780-135-0x0000000000400000-0x00000000007FA000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 3 IoCs

Processes:

Congesting.exejavaw.exejava.exe

pid process

3748 Congesting.exe
3104 javaw.exe
780 java.exe

pid	process
3748	Congesting.exe
3104	javaw.exe
780	java.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

java.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	java.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	java.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

java.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA java.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3044 3748 WerFault.exe Congesting.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.exe

pid	pid_target	process	target process
3044	3748	WerFault.exe	Congesting.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

java.exeWerFault.exe

pid	process
780	java.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Congesting.exejava.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 3748 Congesting.exe
Token: SeDebugPrivilege 780 java.exe
Token: SeDebugPrivilege 3044 WerFault.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

javaw.exe

pid process

3104 javaw.exe

description	pid	process
Token: SeDebugPrivilege	3748	Congesting.exe
Token: SeDebugPrivilege	780	java.exe
Token: SeDebugPrivilege	3044	WerFault.exe

pid	process
3104	javaw.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Fortnite Hack Mod v1.4.exe

description	pid	process	target process
PID 2680 wrote to memory of 3748	2680	Fortnite Hack Mod v1.4.exe	Congesting.exe
PID 2680 wrote to memory of 3748	2680	Fortnite Hack Mod v1.4.exe	Congesting.exe
PID 2680 wrote to memory of 3104	2680	Fortnite Hack Mod v1.4.exe	javaw.exe
PID 2680 wrote to memory of 3104	2680	Fortnite Hack Mod v1.4.exe	javaw.exe
PID 2680 wrote to memory of 3104	2680	Fortnite Hack Mod v1.4.exe	javaw.exe
PID 2680 wrote to memory of 780	2680	Fortnite Hack Mod v1.4.exe	java.exe
PID 2680 wrote to memory of 780	2680	Fortnite Hack Mod v1.4.exe	java.exe
PID 2680 wrote to memory of 780	2680	Fortnite Hack Mod v1.4.exe	java.exe

C:\Users\Admin\AppData\Local\Temp\Fortnite Hack Mod v1.4.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite Hack Mod v1.4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Temp\Congesting.exe
C:\Users\Admin\AppData\Local\Temp\Congesting.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3748 -s 1820
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Users\Admin\AppData\Local\Temp\javaw.exe
C:\Users\Admin\AppData\Local\Temp\javaw.exe
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:3104

C:\Users\Admin\AppData\Local\Temp\java.exe
C:\Users\Admin\AppData\Local\Temp\java.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Congesting.exe
MD5
2ee996faa790c2821670171b5490c56f

SHA1
17bcaccd81b0ef7c63a3592c0e89af27c4942da3

SHA256
d0ee041513449f1031438a83dc4a6887163749e91696c92c5c817491ccf5b9df

SHA512
7808fcbbacae6419e68f6f70d76c72e0b244426a3b958bdd608b4d36881cba67b45fdfe6bc22077411c86d4d476624bb953bbc1b5b993fda5d86a66bcaca4ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\Congesting.exe
MD5
2ee996faa790c2821670171b5490c56f

SHA1
17bcaccd81b0ef7c63a3592c0e89af27c4942da3

SHA256
d0ee041513449f1031438a83dc4a6887163749e91696c92c5c817491ccf5b9df

SHA512
7808fcbbacae6419e68f6f70d76c72e0b244426a3b958bdd608b4d36881cba67b45fdfe6bc22077411c86d4d476624bb953bbc1b5b993fda5d86a66bcaca4ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\java.exe
MD5
841e8b6539f418f8cc7b9566a45f19f5

SHA1
26bad956926563754b636e042213184a93cd7c5e

SHA256
7c1193ebfa8ab0f0a05b2ab94fa30e431099d0d551b5d14182e7840b5557c12a

SHA512
ff7e7e3758b0f25e9638b85764b3dc430c60ac01eeb2691121d25fb6bd344f8ca28b53fdcb1a08c2ff542ad857c2770512a05742ee54c3711b25c6f5e4ddeade

Download Submit
C:\Users\Admin\AppData\Local\Temp\java.exe
MD5
841e8b6539f418f8cc7b9566a45f19f5

SHA1
26bad956926563754b636e042213184a93cd7c5e

SHA256
7c1193ebfa8ab0f0a05b2ab94fa30e431099d0d551b5d14182e7840b5557c12a

SHA512
ff7e7e3758b0f25e9638b85764b3dc430c60ac01eeb2691121d25fb6bd344f8ca28b53fdcb1a08c2ff542ad857c2770512a05742ee54c3711b25c6f5e4ddeade

Download Submit
C:\Users\Admin\AppData\Local\Temp\javaw.exe
MD5
17395fa4bf13115cae562e20dcbaa416

SHA1
fcb7fffbacc018aa4a4b53421ffea690e17654aa

SHA256
74ab5feadb4a5a70e1a398d5080ec6bb79de16ad58a76b0dda62926219a0d76c

SHA512
b050524790bda93d84b5dc3abc2742fcbac3f99b6d0a818eed23dc69e6e52da0c9751d3aadb2cd0827e48b43f100f4d835846e0ee2f099d8246421e52c53874a

Download Submit
C:\Users\Admin\AppData\Local\Temp\javaw.exe
MD5
17395fa4bf13115cae562e20dcbaa416

SHA1
fcb7fffbacc018aa4a4b53421ffea690e17654aa

SHA256
74ab5feadb4a5a70e1a398d5080ec6bb79de16ad58a76b0dda62926219a0d76c

SHA512
b050524790bda93d84b5dc3abc2742fcbac3f99b6d0a818eed23dc69e6e52da0c9751d3aadb2cd0827e48b43f100f4d835846e0ee2f099d8246421e52c53874a

Download Submit
memory/780-161-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/780-189-0x00000000066F0000-0x00000000066F1000-memory.dmp

Filesize
4KB

Download
memory/780-127-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/780-128-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/780-129-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/780-130-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/780-131-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/780-132-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/780-135-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/780-134-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/780-136-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/780-137-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/780-133-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/780-138-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/780-139-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/780-141-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/780-140-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/780-142-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/780-145-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/780-144-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/780-146-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/780-143-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/780-147-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/780-148-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/780-149-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/780-150-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/780-153-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/780-151-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/780-152-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/780-163-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/780-155-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/780-156-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/780-157-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/780-158-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/780-165-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/780-160-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/780-122-0x0000000000000000-mapping.dmp

Download
memory/780-162-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/780-154-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/780-126-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/780-159-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/780-166-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/780-167-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/780-170-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/780-168-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/780-172-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/780-171-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/780-173-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/780-174-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/780-175-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/780-176-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/780-177-0x0000000005C70000-0x0000000005C71000-memory.dmp

Filesize
4KB

Download
memory/780-178-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/780-179-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/780-180-0x0000000006450000-0x0000000006451000-memory.dmp

Filesize
4KB

Download
memory/780-181-0x00000000064D0000-0x00000000064D1000-memory.dmp

Filesize
4KB

Download
memory/780-182-0x0000000006530000-0x0000000006531000-memory.dmp

Filesize
4KB

Download
memory/780-195-0x0000000007ED0000-0x0000000007ED1000-memory.dmp

Filesize
4KB

Download
memory/780-194-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/780-193-0x0000000007590000-0x0000000007591000-memory.dmp

Filesize
4KB

Download
memory/780-192-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/780-191-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/780-190-0x0000000006790000-0x0000000006791000-memory.dmp

Filesize
4KB

Download
memory/780-164-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/780-188-0x0000000006670000-0x0000000006671000-memory.dmp

Filesize
4KB

Download
memory/3104-118-0x0000000000000000-mapping.dmp

Download
memory/3748-184-0x000002145BB40000-0x000002145BB42000-memory.dmp

Filesize
8KB

Download
memory/3748-186-0x000002145BB45000-0x000002145BB47000-memory.dmp

Filesize
8KB

Download
memory/3748-115-0x0000000000000000-mapping.dmp

Download
memory/3748-183-0x0000021474260000-0x00000214745C3000-memory.dmp

Filesize
3.4MB

Download
memory/3748-185-0x000002145BB42000-0x000002145BB44000-memory.dmp

Filesize
8KB

Download
memory/3748-120-0x0000021459750000-0x0000021459751000-memory.dmp

Filesize
4KB

Download
memory/3748-197-0x0000021400350000-0x00000214005C0000-memory.dmp

Filesize
2.4MB

Download
memory/3748-196-0x0000021403060000-0x00000214033B5000-memory.dmp

Filesize
3.3MB

Download
memory/3748-187-0x000002145BB44000-0x000002145BB45000-memory.dmp

Filesize
4KB

Download
memory/3748-198-0x0000021400780000-0x0000021400781000-memory.dmp

Filesize
4KB

Download
memory/3748-199-0x0000021403890000-0x0000021403891000-memory.dmp

Filesize
4KB

Download
memory/3748-201-0x00007FFDD2250000-0x00007FFDD242B000-memory.dmp

Filesize
1.9MB

Download