redline | 847cdb293e5ebd178f6a96bf6ab1d42a19a8e1fe7f95cd7858e6c06f9383fa3c

Analysis

max time kernel
89s
max time network
107s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
28/07/2022, 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fortnite Hack.exe
Size

1.2MB
MD5

55b26a60484194685f548c1c9fd4a688
SHA1

13f143a185813088b5f504b0ea0062ba8f4d414e
SHA256

847cdb293e5ebd178f6a96bf6ab1d42a19a8e1fe7f95cd7858e6c06f9383fa3c
SHA512

56d1f66f0cf9aaa5b59443708a4e6924f6c9719f78a672f871c1ec03509a89d219fa65e36078752c493b18849003ff24fffe0fadc0462147bcc0b915ef2a4494

Score

10^/10

redline ytstealer infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

62.204.41.141:24758

Attributes

auth_value
b60ab0a77cd51a54dec9018aa7c54ea1

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/164232-56-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/164232-61-0x000000000041B53E-mapping.dmp	family_redline
behavioral1/memory/164232-62-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/164232-63-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/164680-85-0x00000000002E0000-0x00000000010B9000-memory.dmp	family_ytstealer

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
164552	MainModule.exe
164680	start.exe
164796	crypted.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0012000000014161-72.dat	upx
behavioral1/files/0x0012000000014161-75.dat	upx
behavioral1/files/0x0012000000014161-73.dat	upx
behavioral1/memory/164680-78-0x00000000002E0000-0x00000000010B9000-memory.dmp	upx
behavioral1/memory/164680-85-0x00000000002E0000-0x00000000010B9000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
164232	AppLaunch.exe
164232	AppLaunch.exe
164232	AppLaunch.exe
164232	AppLaunch.exe
164232	AppLaunch.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 164232	956	Fortnite Hack.exe	28

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
164232	AppLaunch.exe
164552	MainModule.exe
164680	start.exe
164680	start.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	164232	AppLaunch.exe
Token: SeDebugPrivilege	164552	MainModule.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 164232	956	Fortnite Hack.exe	28
PID 956 wrote to memory of 164232	956	Fortnite Hack.exe	28
PID 956 wrote to memory of 164232	956	Fortnite Hack.exe	28
PID 956 wrote to memory of 164232	956	Fortnite Hack.exe	28
PID 956 wrote to memory of 164232	956	Fortnite Hack.exe	28
PID 956 wrote to memory of 164232	956	Fortnite Hack.exe	28
PID 956 wrote to memory of 164232	956	Fortnite Hack.exe	28
PID 956 wrote to memory of 164232	956	Fortnite Hack.exe	28
PID 956 wrote to memory of 164232	956	Fortnite Hack.exe	28
PID 164232 wrote to memory of 164552	164232	AppLaunch.exe	30
PID 164232 wrote to memory of 164552	164232	AppLaunch.exe	30
PID 164232 wrote to memory of 164552	164232	AppLaunch.exe	30
PID 164232 wrote to memory of 164552	164232	AppLaunch.exe	30
PID 164232 wrote to memory of 164552	164232	AppLaunch.exe	30
PID 164232 wrote to memory of 164552	164232	AppLaunch.exe	30
PID 164232 wrote to memory of 164552	164232	AppLaunch.exe	30
PID 164232 wrote to memory of 164680	164232	AppLaunch.exe	31
PID 164232 wrote to memory of 164680	164232	AppLaunch.exe	31
PID 164232 wrote to memory of 164680	164232	AppLaunch.exe	31
PID 164232 wrote to memory of 164680	164232	AppLaunch.exe	31
PID 164232 wrote to memory of 164796	164232	AppLaunch.exe	32
PID 164232 wrote to memory of 164796	164232	AppLaunch.exe	32
PID 164232 wrote to memory of 164796	164232	AppLaunch.exe	32
PID 164232 wrote to memory of 164796	164232	AppLaunch.exe	32
PID 164232 wrote to memory of 164796	164232	AppLaunch.exe	32
PID 164232 wrote to memory of 164796	164232	AppLaunch.exe	32
PID 164232 wrote to memory of 164796	164232	AppLaunch.exe	32
PID 164680 wrote to memory of 164252	164680	start.exe	34
PID 164680 wrote to memory of 164252	164680	start.exe	34
PID 164680 wrote to memory of 164252	164680	start.exe	34
PID 164252 wrote to memory of 1736	164252	cmd.exe	35
PID 164252 wrote to memory of 1736	164252	cmd.exe	35
PID 164252 wrote to memory of 1736	164252	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\Fortnite Hack.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite Hack.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:164232
- - C:\Users\Admin\AppData\Local\Temp\MainModule.exe
    "C:\Users\Admin\AppData\Local\Temp\MainModule.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:164552
- - C:\Users\Admin\AppData\Local\Temp\start.exe
    "C:\Users\Admin\AppData\Local\Temp\start.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:164680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\start.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:164252
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        5⤵
        
        PID:1736
- - C:\Users\Admin\AppData\Local\Temp\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\crypted.exe"
    3⤵
    - Executes dropped EXE
    PID:164796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MainModule.exe

Filesize
71KB

MD5
f558323a0bd928b28d92886c451422af

SHA1
f8fea1577dde45a7e64beb369c7dd5a82f4e63b0

SHA256
1c1b228eb1b74e7e6145bda0fbbfc085bd8161246261b86c2accc74c3db5cdce

SHA512
29081513b01c9e477c1c5c27b7e31900a78ad6644f88d5d8923b386574628ad5180cbfb0d57f8cc6d339adfa425fc0f1231f4285a33d033ea18373cdd1273465

Download Submit
C:\Users\Admin\AppData\Local\Temp\MainModule.exe

Filesize
71KB

MD5
f558323a0bd928b28d92886c451422af

SHA1
f8fea1577dde45a7e64beb369c7dd5a82f4e63b0

SHA256
1c1b228eb1b74e7e6145bda0fbbfc085bd8161246261b86c2accc74c3db5cdce

SHA512
29081513b01c9e477c1c5c27b7e31900a78ad6644f88d5d8923b386574628ad5180cbfb0d57f8cc6d339adfa425fc0f1231f4285a33d033ea18373cdd1273465

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypted.exe

Filesize
616KB

MD5
d95f63fa0b502ae717230d7392179e4b

SHA1
a8ea7f062f82967b349034d6e5879689dfe0785a

SHA256
3d7b54951fa0e3d98601ddde73932d4f0d0f82da51501266d6b7f78af3e12f04

SHA512
d8a82eb0468d9feec9d55bd9e0f71eec72f951144b0c4ca16b90d782029b94279d4647de8106f3740ec7cdc4a1bc92c66f73096c8a051aef2c2646914156defa

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
06103d1e931ea83afb5cac974113c513

SHA1
ef70b042a19addb747697ee3270e1723ff988f5c

SHA256
5fdd4b20a3a14e37444235668e7f641e776e76104db82a17608d6ab283057b63

SHA512
f97ea97ef1431baef2372a7499a76a1edd9494ea31d6544b456d77d18120b4fb73dbc494a36f022b13613c4c636beb59cfb23f96a3386e3f39e9be0e14e1060f

Download Submit
\Users\Admin\AppData\Local\Temp\MainModule.exe

Filesize
71KB

MD5
f558323a0bd928b28d92886c451422af

SHA1
f8fea1577dde45a7e64beb369c7dd5a82f4e63b0

SHA256
1c1b228eb1b74e7e6145bda0fbbfc085bd8161246261b86c2accc74c3db5cdce

SHA512
29081513b01c9e477c1c5c27b7e31900a78ad6644f88d5d8923b386574628ad5180cbfb0d57f8cc6d339adfa425fc0f1231f4285a33d033ea18373cdd1273465

Download Submit
\Users\Admin\AppData\Local\Temp\crypted.exe

Filesize
616KB

MD5
d95f63fa0b502ae717230d7392179e4b

SHA1
a8ea7f062f82967b349034d6e5879689dfe0785a

SHA256
3d7b54951fa0e3d98601ddde73932d4f0d0f82da51501266d6b7f78af3e12f04

SHA512
d8a82eb0468d9feec9d55bd9e0f71eec72f951144b0c4ca16b90d782029b94279d4647de8106f3740ec7cdc4a1bc92c66f73096c8a051aef2c2646914156defa

Download Submit
\Users\Admin\AppData\Local\Temp\crypted.exe

Filesize
616KB

MD5
d95f63fa0b502ae717230d7392179e4b

SHA1
a8ea7f062f82967b349034d6e5879689dfe0785a

SHA256
3d7b54951fa0e3d98601ddde73932d4f0d0f82da51501266d6b7f78af3e12f04

SHA512
d8a82eb0468d9feec9d55bd9e0f71eec72f951144b0c4ca16b90d782029b94279d4647de8106f3740ec7cdc4a1bc92c66f73096c8a051aef2c2646914156defa

Download Submit
\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
06103d1e931ea83afb5cac974113c513

SHA1
ef70b042a19addb747697ee3270e1723ff988f5c

SHA256
5fdd4b20a3a14e37444235668e7f641e776e76104db82a17608d6ab283057b63

SHA512
f97ea97ef1431baef2372a7499a76a1edd9494ea31d6544b456d77d18120b4fb73dbc494a36f022b13613c4c636beb59cfb23f96a3386e3f39e9be0e14e1060f

Download Submit
\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
06103d1e931ea83afb5cac974113c513

SHA1
ef70b042a19addb747697ee3270e1723ff988f5c

SHA256
5fdd4b20a3a14e37444235668e7f641e776e76104db82a17608d6ab283057b63

SHA512
f97ea97ef1431baef2372a7499a76a1edd9494ea31d6544b456d77d18120b4fb73dbc494a36f022b13613c4c636beb59cfb23f96a3386e3f39e9be0e14e1060f

Download Submit
memory/164232-64-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/164232-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/164232-76-0x0000000007A10000-0x00000000087E9000-memory.dmp

Filesize
13.8MB

Download
memory/164232-77-0x0000000007A10000-0x00000000087E9000-memory.dmp

Filesize
13.8MB

Download
memory/164232-88-0x0000000007A10000-0x00000000087E9000-memory.dmp

Filesize
13.8MB

Download
memory/164232-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/164232-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/164232-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/164552-71-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/164552-70-0x0000000001330000-0x0000000001348000-memory.dmp

Filesize
96KB

Download
memory/164680-85-0x00000000002E0000-0x00000000010B9000-memory.dmp

Filesize
13.8MB

Download
memory/164680-78-0x00000000002E0000-0x00000000010B9000-memory.dmp

Filesize
13.8MB

Download
memory/164796-87-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/164796-89-0x000000000A8F0000-0x000000000A8F8000-memory.dmp

Filesize
32KB

Download
memory/164796-90-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download