Analysis
- max time kernel: 123s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-07-2024 02:06
Static task
- static1
Behavioral task
- behavioral1: Sample "Fortnite Cheat.exe", Resource win7-20240221-en
Behavioral task
- behavioral2: Sample "Fortnite Cheat.exe", Resource win10v2004-20240704-en
General
- Target: Fortnite Cheat.exe
- Size: 50.6MB
- MD5: 1ef6777b30bf94b13789fd4366421c62
- SHA1: 59a335c36a77cc8be226073cc75d78bd95409d2e
- SHA256: e6fba68c13f806f95d4482c74428a3289a04c0d77662adb96d15bde315f57d15
- SHA512: b006f3cf53c7789f12bfb9afdb528f845b8e1eb1319727adf930652bc6ed89ca289d4bb00057be945d3495ac5c3979f580fe929dda4dda05a00415b7ad486a57
- SSDEEP: 12288:NNv86NgnNyjZONdGjD2NkdO6zr+8ooqtzqLoaa97DB+QYC1DWc6gSM3S+9GaKLWI:NZIO
Malware Config
- Extracted (redline): 77.91.77.6:24186
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral2/memory/3848-9-0x0000000000420000-0x0000000000470000-memory.dmp
  yara_rule: family_redline
- Loads dropped DLL (1 IoC)
  pid 2864, Process: Fortnite Cheat.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2864 set thread context of 3848; pid 2864, Process: Fortnite Cheat.exe, procid_target 86
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 3848, Process: MSBuild.exe (5 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid 3848, Process: MSBuild.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 2864 wrote to memory of 3848; pid 2864, Process: Fortnite Cheat.exe, procid_target 86 (8 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Fortnite Cheat.exe (PID 2864)
  command line: "C:\Users\Admin\AppData\Local\Temp\Fortnite Cheat.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 3848, child of 2864)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe (PID 3548)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 434KB
- MD5: e70a4cefbe4bbb61b231a6da9c9d249a
- SHA1: 310e4c01db4989ab719c1c13ad9641899c823a71
- SHA256: 4506abd94f90753f44820ee3aa8ec2178f112f7e4871e0e4b21f57ec842588d8
- SHA512: 01956544a9ee45f51c919aa8ce9e8460243c8517021d9ded04c785dcea6079f55ae3062dabda54f042bc364651687183e16b7dff245b1c5aaa5c439773ce1563