General
Target: SynapseFortnite.zip
Size: 513KB
Sample: 211230-m1xvgsedbj
MD5: 9bae6b54f6ca0806d765726b44beedd8
SHA1: 398ade2627d3ebee540d9a118f2f87fbc45f9e97
SHA256: e514b4e46887403b0cd8e03f1fc1c2e97ac526949595dc89bb90fea24dec0c0f
SHA512: e446e1076807dfd5a47d1cec72f707b7b70e7690226cfef35458edccf4eeb4b55deb9194921e24b3609db3b1597c2f22cf20780b170e84ede5ab6fb3a6d0fc98
Static task: static1
Behavioral task: behavioral1
  Sample: SynapseFortnite/Synapse Fortnite.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: SynapseFortnite/Synapse Fortnite.exe
  Resource: win10-en-20211208
Behavioral task: behavioral3
  Sample: SynapseFortnite/debug.dll
  Resource: win7-en-20211208
Behavioral task: behavioral4
  Sample: SynapseFortnite/debug.dll
  Resource: win10-en-20211208
Behavioral task: behavioral5
  Sample: SynapseFortnite/libEGL.dll
  Resource: win7-en-20211208
Behavioral task: behavioral6
  Sample: SynapseFortnite/libEGL.dll
  Resource: win10-en-20211208
Malware Config
Extracted: redline
  C2: 49.12.47.66:27973
Extracted: redline
  Botnet: cheat
  C2: 45.147.196.146:6213
Extracted: raccoon
  e9f10fade0328e7cef5c9f5bf00076086ba5a8a1
  url4cnc:
  - http://91.219.236.18/baldandbankrupt1
  - http://194.180.174.41/baldandbankrupt1
  - http://91.219.236.148/baldandbankrupt1
  - https://t.me/baldandbankrupt1
Targets

Target: SynapseFortnite/Synapse Fortnite.exe
Size: 962KB
MD5: 6697fab57c2d1bd545ed4ff377ac3f28
SHA1: c4e2849a522d5509c03ac76cdcae1f5e775a9535
SHA256: 9de0798bf7328f2bcb11fbc584da890fe04f998dd393f03390f455d142c5a6f1
SHA512: 1b855d1eaf027e81b3c272521308daff5a1fe8e9b52a133fa839b95c3735b5ec837976711c57bfd4b28c38c6cde56759966414cdc259bf3178a3b86ca28a2bb1

Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
Target: SynapseFortnite/debug.dll
Size: 140B
MD5: f8d0b4805818eea04fe89393dd1bbe8c
SHA1: c685b7e7eac766a9e070e7ee01a721b495aea98c
SHA256: ff273dcbc136f98497c1b6e72ab22dc2efaed5b2dcaa24037f9eb28b4d5a3560
SHA512: 72abcd97d83a80e2ed805bdb5b504fa1c964622975d1cf767141845ec2dc599f29dc987732ee42dd11d62b20c1f9bb229e304f0a1bf449e1be40dccf7ec407b4
Score: 1/10

Target: SynapseFortnite/libEGL.dll
Size: 307KB
MD5: 37c7e6132ee3bab93da29633cbfa92a9
SHA1: 74181f6a4a5990c6247fce39d7546b403271ecf1
SHA256: 0601fa20464102a2fe8e2fbfef7654bc748083b0ef48bc9359bd380d4edcb7e1
SHA512: 755058175b7a6a21d08319194b30fc90d5079e1484597b620f36310fcf3269205230f35d96bd42056216528614585b50d2c6044a9bdb6e6f80268cd94f64e228
Score: 3/10