redline | 119b5e6609d9e4b0d67eaec8c670c4ab3ba957f45fc19918f4e72095cc747dc3

General

Target

Fortnite Hack v3.0.exe
Size

1.5MB
MD5

fcfde04d923f7cf7ab3fd2386dc86664
SHA1

c38f90e846815800ef9a4a70eeed5ad40b1406d4
SHA256

1c37bb084606972c2b52abd675e81a7ce129fad41d5f684ee459012de7bb2875
SHA512

a45e689eef3b279558204ef9de9c8a68e279155eb62e220279f3f49ced69e3ac136cd6f9717fda1868353c374df04eb0800b3eee19ca3f6997d25e6f2d63af79
SSDEEP

12288:Akvni7EZYZWTehf95eA1Gon0C3RX7aBfn4IfVLbO/2FKG6o:Lizl133

Score

10^/10

redline sectoprat @hensssy discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@hensssy

C2

uspeelayla.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2420-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2420-16-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2420-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2420-8-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2420-7-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2420-11-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2420-16-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2420-13-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2420-8-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2420-7-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3052 set thread context of 2420	3052	Fortnite Hack v3.0.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fortnite Hack v3.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fortnite Hack v3.0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	Fortnite Hack v3.0.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2420	3052	Fortnite Hack v3.0.exe	31
PID 3052 wrote to memory of 2420	3052	Fortnite Hack v3.0.exe	31
PID 3052 wrote to memory of 2420	3052	Fortnite Hack v3.0.exe	31
PID 3052 wrote to memory of 2420	3052	Fortnite Hack v3.0.exe	31
PID 3052 wrote to memory of 2420	3052	Fortnite Hack v3.0.exe	31
PID 3052 wrote to memory of 2420	3052	Fortnite Hack v3.0.exe	31
PID 3052 wrote to memory of 2420	3052	Fortnite Hack v3.0.exe	31
PID 3052 wrote to memory of 2420	3052	Fortnite Hack v3.0.exe	31
PID 3052 wrote to memory of 2420	3052	Fortnite Hack v3.0.exe	31

C:\Users\Admin\AppData\Local\Temp\Fortnite Hack v3.0.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite Hack v3.0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\Fortnite Hack v3.0.exe
  "C:\Users\Admin\AppData\Local\Temp\Fortnite Hack v3.0.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2420-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2420-8-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2420-21-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2420-3-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2420-20-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2420-19-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2420-5-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2420-17-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2420-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2420-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2420-16-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2420-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3052-1-0x0000000000D90000-0x0000000000E2A000-memory.dmp

Filesize
616KB

Download
memory/3052-18-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/3052-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/3052-2-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing