General

  • Target

    144aa886104c213107df71c74a78b6ac8e73763ac7424dbe85b2f1b3c5c09532.zip

  • Size

    44.5MB

  • Sample

    240618-smsaqsygla

  • MD5

    87e2993ec3c2f91feedeac9b5f54ac4e

  • SHA1

    4e8d05b4d10816266bdb7f3f1cd3d89e2a25d294

  • SHA256

    144aa886104c213107df71c74a78b6ac8e73763ac7424dbe85b2f1b3c5c09532

  • SHA512

    ee48f7ed7a4e40c4a01ee933b80f55f937ab87fb38cb9d42d253d196923fca6ac045af7e3693db131e4023ecd4f9bcbd491cc00b8fc6ea5f8e91b91b40c81c22

  • SSDEEP

    786432:BB3D+rUg5I4qcuBXol2Y5apnaUjP6QkHoEbRTeHsaCxoxOy6qrfE9/jH6kis4Txg:BVD+rG4qjXolN2OQZqReHW2rfE9B4Txg

Malware Config

Extracted

Family

redline

Botnet

@kaLmar322

C2

147.45.47.93:80
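The extracted configuration above (C2 147.45.47.93:80, botnet tag @kaLmar322) and the file hashes in the Targets table are the indicators an analyst would sweep for. The following is an added example, not part of the sandbox report: it pulls the C2 endpoint and the SHA256 of the archive and of the dropped executable from the report, and runs them over a constructed Zeek-style conn.log and a constructed list of EDR file events (both invented for illustration, not real telemetry). Hashes of the bundled DLLs that the report scores 1/10 are deliberately left out of the indicator set, since not every hash in a report is an IOC. A connection to the C2 host on a different port is reported as a lower-confidence hit rather than dropped, because the port in a stealer config is not a stable indicator.

```python
"""IOC sweep built from the report's extracted RedLine config (added example)."""

# Indicators copied from the report: C2 endpoint and the two hashes the
# report ties to RedLine (the archive and 'Fortnite Arcane Legit.exe').
C2_HOST = "147.45.47.93"
C2_PORT = 80
KNOWN_SHA256 = {
    "144aa886104c213107df71c74a78b6ac8e73763ac7424dbe85b2f1b3c5c09532": "archive (zip)",
    "e059e9e4ed922b0a87f744aded8b13c73cdad171cd0d10a1b4c033ef068a1a5b": "Fortnite Arcane Legit.exe",
}

# Constructed Zeek conn.log rows (tab separated: ts, uid, id.orig_h, id.orig_p,
# id.resp_h, id.resp_p, proto). Not real traffic.
CONN_LOG = """\
1718700001.1\tCAbc1\t10.0.0.5\t49812\t147.45.47.93\t80\ttcp
1718700002.2\tCAbc2\t10.0.0.5\t49813\t93.184.216.34\t443\ttcp
1718700003.3\tCAbc3\t10.0.0.7\t49990\t147.45.47.93\t8080\ttcp
"""

# Constructed EDR file events: (host, path, sha256). The dbghelp.dll hash is the
# one the report lists, but it is scored 1/10 there and is not an indicator.
FILE_EVENTS = [
    ("WS01", r"C:\Users\a\Downloads\Fortnite Arcane Legit.exe",
     "e059e9e4ed922b0a87f744aded8b13c73cdad171cd0d10a1b4c033ef068a1a5b"),
    ("WS02", r"C:\Windows\System32\dbghelp.dll",
     "21c398a2292f04652795c7d4ee7890bb62ac7039e58ac04ece91ff05ee0801ee"),
]


def match_conn_log(text):
    """Return connections to the C2 host, tagging exact host:port hits
    as 'exact' and same-host/other-port hits as 'host-only'."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        _ts, uid, orig_h, _orig_p, resp_h, resp_p, _proto = fields[:7]
        if resp_h != C2_HOST:
            continue
        confidence = "exact" if int(resp_p) == C2_PORT else "host-only"
        hits.append({"uid": uid, "src": orig_h,
                     "dst": f"{resp_h}:{resp_p}", "confidence": confidence})
    return hits


def match_file_events(events):
    """Return (host, path, label) for every file whose SHA256 is a known indicator."""
    matches = []
    for host, path, sha256 in events:
        label = KNOWN_SHA256.get(sha256.lower())
        if label:
            matches.append((host, path, label))
    return matches


if __name__ == "__main__":
    for hit in match_conn_log(CONN_LOG):
        print("network:", hit)
    for match in match_file_events(FILE_EVENTS):
        print("file:", match)
```

The sweep keys on the C2 host rather than the full socket because RedLine operators rotate ports more readily than infrastructure; the confidence tag lets a hunt query rank the two cases separately instead of silently missing the second connection.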

Targets

    • Target

      Fortnite Arcane Legit/Fortnite Arcane Legit.exe

    • Size

      615KB

    • MD5

      5327185de407b2d6291ff2f14b15d214

    • SHA1

      bcabecf5e85bae77a2f1b445efbee26071b16d6a

    • SHA256

      e059e9e4ed922b0a87f744aded8b13c73cdad171cd0d10a1b4c033ef068a1a5b

    • SHA512

      1546c2e90e242bffcb84724690ce79a4cbe7c1f2b5bbcab65a3c5fa848fa23fc21050bf97f11792f831827b7dfe0f4cc7b7787d28ca43a1b012ebd5d7c7b0264

    • SSDEEP

      12288:LPWtiIK5b9R6gi+PIVFi0HmcL6tAtP1kO1B3SxufbcJW/2t1rkKQlEtG6j7PhlCN:LPW4l9xPIL

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

    • Target

      Fortnite Arcane Legit/bin/AccessibleHandler.dll

    • Size

      339KB

    • MD5

      e8688be89671c227bb7f28e268298dd5

    • SHA1

      afc2b49472fa08d2308821be9ffa532a6175c17f

    • SHA256

      7b55754848846948064e06184f670ca884e5fdb8edcec4b1d285e13546ee811d

    • SHA512

      7f3b7ad877373002bcb70c749139027137afff829b3254edbabfc6704adac97031e5f6346e2945ab0e8f0c997b5cf0f6ce5a97fdbf6b603e69c27584c62eac59

    • SSDEEP

      6144:v30JdZEC6FJ4caCoZwEZGwVMMA4hMmLa0R9bHGsxL6hc0e/OeBI5B85zv7pu:vAC5EZGehMmLRxj

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      Fortnite Arcane Legit/bin/AccessibleMarshal.dll

    • Size

      25KB

    • MD5

      95f2596d0250deb7318ed8e177e64781

    • SHA1

      0f216d7548257770c68972ec849041434e3b863e

    • SHA256

      5f24fb5e3ff66bb1d82ee3ca5045244ad989be9f289e032d528b273a358289a9

    • SHA512

      0d0a040cd1d2d3c94ece74b5f6306549a03e32ac72b726111af02674387ce6a8ee0c77bcd6fba565d158d54ea8704b5479dbf2d2603b32b0678c785454dfe62e

    • SSDEEP

      384:crpvH++2YlNFY7zDF9NCpeEOPu7uZuWMDdpJ854yEv9M0P8Jj5ycDieco:cld2a0zspeEOPGY2JqE30JjDD1

    • Score

      1/10
    • Target

      Fortnite Arcane Legit/bin/data/FLEngine_x64.dll

    • Size

      49.7MB

    • MD5

      bbe92690771bd4d9daba74b8f6d2c7d5

    • SHA1

      7b87c002ce2348d212cbba0e15ed8cf5108f4a82

    • SHA256

      05a5bf1b5dfb06f9b535cd08c90aec5f4fdb57522c5ffb86bdd4f16416afcfa8

    • SHA512

      b8b823349514096765ee4c0f8bf7f3ea503100a358cf169bab5df4305e0357bbffc710c69ca82269c5ec276bb1ccf546286886eb626f4de9981c6deff17b8ceb

    • SSDEEP

      786432:VngHeeLMrsbHvtWOaOisyPG7RZkY+NAGztV+NsMjwpy1oUDQq0yj91A:kQMlWO7PD7RZ7+2GR3mwo27q0yp1A

    • Score

      1/10
    • Target

      Fortnite Arcane Legit/bin/dbghelp.dll

    • Size

      1.4MB

    • MD5

      893ec728b6fa9d7277963847bd408f4f

    • SHA1

      99d461999f631457b38df82d849d81b8fad946aa

    • SHA256

      21c398a2292f04652795c7d4ee7890bb62ac7039e58ac04ece91ff05ee0801ee

    • SHA512

      44d6b3073e2363e0cf8a8aec7384a5a386d2a8eb21716640569a2eb00ad5dd75d1b6d159aa59cea9e60d5b4305573f206a85e54b40d2160d2d2416d2882b6a76

    • SSDEEP

      24576:8p8iMrylctFcscX1ZxgCf0a+hGxSUwqK6Zq3OUkcgp0OT:C8UzHXT0a+hGxSUs3OUVy1

    • Score

      1/10
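The Component Object Model Hijacking signature raised on AccessibleHandler.dll describes persistence through per-user CLSID registrations: HKCU\Software\Classes is merged into HKCR ahead of HKLM, so an InprocServer32 value written under HKCU redirects any process that instantiates that CLSID to an attacker's DLL. The following is an added example, not part of the sandbox report, of how an analyst would hunt for that on a host: it parses a .reg export (the export text, the CLSIDs and the file paths are constructed for illustration), collects the InprocServer32 default value for each CLSID in both hives, and flags HKCU entries that either shadow an HKLM registration with a different server path or point into a user-writable directory.

```python
"""Hunt for COM hijacks in a .reg export of HKCU/HKLM CLSID keys (added example)."""
import re

# Constructed export: one CLSID registered in HKLM and shadowed from HKCU by a
# DLL under AppData, and one benign per-user registration. GUIDs are placeholders.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\legit.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\a\\AppData\\Roaming\\update\\hook.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"
"""

# Matches the InprocServer32 key of a CLSID in either hive; HKCU exports spell
# the path 'Software\Classes' while HKLM uses 'SOFTWARE\Classes', hence IGNORECASE.
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Classes\\CLSID\\"
    r"(\{[0-9A-F-]{36}\})\\InprocServer32\]$",
    re.IGNORECASE,
)

# Directory fragments a standard user can write to; a COM server living here
# is suspicious regardless of whether it shadows an HKLM entry.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")


def parse_inproc(export):
    """Map (hive, CLSID) -> InprocServer32 default value for every matching key."""
    entries = {}
    current = None
    for raw in export.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1).upper(), m.group(2).upper())
            continue
        if line.startswith("["):
            current = None  # some other key; ignore its values
            continue
        # Only REG_SZ defaults (@="...") are handled; .reg files double
        # backslashes and escape quotes, so undo both. hex(2) expandable
        # strings are skipped here.
        if current and line.startswith('@="') and line.endswith('"'):
            value = line[3:-1].replace('\\"', '"').replace("\\\\", "\\")
            entries[current] = value
    return entries


def hunt(export):
    """Return (clsid, path, reasons) for each HKCU InprocServer32 that looks hijacked."""
    entries = parse_inproc(export)
    findings = []
    for (hive, clsid), path in entries.items():
        if hive != "HKEY_CURRENT_USER":
            continue
        reasons = []
        machine = entries.get(("HKEY_LOCAL_MACHINE", clsid))
        if machine and machine.lower() != path.lower():
            reasons.append(f"shadows HKLM entry {machine}")
        if any(frag in path.lower() for frag in USER_WRITABLE):
            reasons.append("server in user-writable path")
        if reasons:
            findings.append((clsid, path, reasons))
    return findings


if __name__ == "__main__":
    for clsid, path, reasons in hunt(REG_EXPORT):
        print(clsid, path, "; ".join(reasons))
```

A per-user registration on its own is not evidence of compromise: per-user installers legitimately register COM servers under HKCU, which is why the benign Program Files entry above produces no finding. Triage the two signals together, and corroborate a hit by checking which process loaded the DLL (the page's Loads dropped DLL signature is the dynamic counterpart of this static check).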

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Event Triggered Execution (T1546): 1
  • Component Object Model Hijacking (T1546.015): 1

Privilege Escalation

  • Event Triggered Execution (T1546): 1
  • Component Object Model Hijacking (T1546.015): 1

Credential Access

  • Unsecured Credentials (T1552): 1
  • Credentials In Files (T1552.001): 1

Collection

  • Data from Local System (T1005): 1

Tasks