redline | 5ca193b352da1a6f1cbabd4ae82e97c93adae48ba20f108b7012e0840b288cee

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer_Fortnite_Hack_v2.0.1.rar
Size

75.5MB
MD5

698dd9643ed99e5321ff2b8db5b4dd2d
SHA1

04ff05755a41ed420d4f68fef180a2aad2760921
SHA256

5ca193b352da1a6f1cbabd4ae82e97c93adae48ba20f108b7012e0840b288cee
SHA512

0f67019105697a76e32f22736d61839766056c492ccbab5a1e5ae6449240a2df41db4583b1ffbf50255a83fc575eb42d977e6eea88a127334f10828610c71d87
SSDEEP

1572864:pC9wlubstiS0XbBGNAz7SWEX7k5H2NC5lv1wTd7mlMdRPEXZo:PlubU6bBRXErk5W851smSB

Score

10^/10

redline @massaruboss discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

@massaruboss

185.215.113.22:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2852-24-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2852-25-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2852-23-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2852-20-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2852-18-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
2784	Loader_Hack_v2.0.1.exe
236	Loader_Hack_v2.0.1.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2784 set thread context of 2852	2784	Loader_Hack_v2.0.1.exe	34
PID 236 set thread context of 2148	236	Loader_Hack_v2.0.1.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader_Hack_v2.0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader_Hack_v2.0.1.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\class_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.class\ = "class_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\class_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\class_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.class	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\class_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\class_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2544	7zFM.exe
2544	7zFM.exe
2544	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2544	7zFM.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	2544	7zFM.exe
Token: 35	2544	7zFM.exe
Token: SeSecurityPrivilege	2544	7zFM.exe
Token: SeSecurityPrivilege	2544	7zFM.exe
Token: SeSecurityPrivilege	2544	7zFM.exe
Token: SeSecurityPrivilege	2544	7zFM.exe
Token: SeSecurityPrivilege	2544	7zFM.exe
Token: SeSecurityPrivilege	2544	7zFM.exe
Token: SeSecurityPrivilege	2544	7zFM.exe
Token: SeSecurityPrivilege	2544	7zFM.exe
Token: SeSecurityPrivilege	2544	7zFM.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
2544	7zFM.exe
2544	7zFM.exe
2544	7zFM.exe
2544	7zFM.exe
2544	7zFM.exe
2544	7zFM.exe
2544	7zFM.exe
2544	7zFM.exe
2544	7zFM.exe
2544	7zFM.exe
2544	7zFM.exe
2544	7zFM.exe
2544	7zFM.exe
2544	7zFM.exe
2544	7zFM.exe
2544	7zFM.exe
2544	7zFM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
836	AcroRd32.exe
836	AcroRd32.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2784	2544	7zFM.exe	31
PID 2544 wrote to memory of 2784	2544	7zFM.exe	31
PID 2544 wrote to memory of 2784	2544	7zFM.exe	31
PID 2544 wrote to memory of 2784	2544	7zFM.exe	31
PID 2784 wrote to memory of 2512	2784	Loader_Hack_v2.0.1.exe	33
PID 2784 wrote to memory of 2512	2784	Loader_Hack_v2.0.1.exe	33
PID 2784 wrote to memory of 2512	2784	Loader_Hack_v2.0.1.exe	33
PID 2784 wrote to memory of 2512	2784	Loader_Hack_v2.0.1.exe	33
PID 2784 wrote to memory of 2512	2784	Loader_Hack_v2.0.1.exe	33
PID 2784 wrote to memory of 2512	2784	Loader_Hack_v2.0.1.exe	33
PID 2784 wrote to memory of 2512	2784	Loader_Hack_v2.0.1.exe	33
PID 2784 wrote to memory of 2852	2784	Loader_Hack_v2.0.1.exe	34
PID 2784 wrote to memory of 2852	2784	Loader_Hack_v2.0.1.exe	34
PID 2784 wrote to memory of 2852	2784	Loader_Hack_v2.0.1.exe	34
PID 2784 wrote to memory of 2852	2784	Loader_Hack_v2.0.1.exe	34
PID 2784 wrote to memory of 2852	2784	Loader_Hack_v2.0.1.exe	34
PID 2784 wrote to memory of 2852	2784	Loader_Hack_v2.0.1.exe	34
PID 2784 wrote to memory of 2852	2784	Loader_Hack_v2.0.1.exe	34
PID 2784 wrote to memory of 2852	2784	Loader_Hack_v2.0.1.exe	34
PID 2784 wrote to memory of 2852	2784	Loader_Hack_v2.0.1.exe	34
PID 2784 wrote to memory of 2852	2784	Loader_Hack_v2.0.1.exe	34
PID 2784 wrote to memory of 2852	2784	Loader_Hack_v2.0.1.exe	34
PID 2784 wrote to memory of 2852	2784	Loader_Hack_v2.0.1.exe	34
PID 2544 wrote to memory of 236	2544	7zFM.exe	36
PID 2544 wrote to memory of 236	2544	7zFM.exe	36
PID 2544 wrote to memory of 236	2544	7zFM.exe	36
PID 2544 wrote to memory of 236	2544	7zFM.exe	36
PID 236 wrote to memory of 2148	236	Loader_Hack_v2.0.1.exe	38
PID 236 wrote to memory of 2148	236	Loader_Hack_v2.0.1.exe	38
PID 236 wrote to memory of 2148	236	Loader_Hack_v2.0.1.exe	38
PID 236 wrote to memory of 2148	236	Loader_Hack_v2.0.1.exe	38
PID 236 wrote to memory of 2148	236	Loader_Hack_v2.0.1.exe	38
PID 236 wrote to memory of 2148	236	Loader_Hack_v2.0.1.exe	38
PID 236 wrote to memory of 2148	236	Loader_Hack_v2.0.1.exe	38
PID 236 wrote to memory of 2148	236	Loader_Hack_v2.0.1.exe	38
PID 236 wrote to memory of 2148	236	Loader_Hack_v2.0.1.exe	38
PID 236 wrote to memory of 2148	236	Loader_Hack_v2.0.1.exe	38
PID 236 wrote to memory of 2148	236	Loader_Hack_v2.0.1.exe	38
PID 236 wrote to memory of 2148	236	Loader_Hack_v2.0.1.exe	38
PID 2544 wrote to memory of 1900	2544	7zFM.exe	40
PID 2544 wrote to memory of 1900	2544	7zFM.exe	40
PID 2544 wrote to memory of 1900	2544	7zFM.exe	40
PID 2544 wrote to memory of 2456	2544	7zFM.exe	41
PID 2544 wrote to memory of 2456	2544	7zFM.exe	41
PID 2544 wrote to memory of 2456	2544	7zFM.exe	41
PID 2456 wrote to memory of 836	2456	rundll32.exe	42
PID 2456 wrote to memory of 836	2456	rundll32.exe	42
PID 2456 wrote to memory of 836	2456	rundll32.exe	42
PID 2456 wrote to memory of 836	2456	rundll32.exe	42

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Installer_Fortnite_Hack_v2.0.1.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\7zO0F989327\Loader_Hack_v2.0.1.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0F989327\Loader_Hack_v2.0.1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2512
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:2852
- C:\Users\Admin\AppData\Local\Temp\7zO0F9F4948\Loader_Hack_v2.0.1.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0F9F4948\Loader_Hack_v2.0.1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2148
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zO0F973EC8\Provider.class
  2⤵
  - Modifies registry class
  PID:1900
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zO0F9261C8\X509ExtendedTrustManager.class
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zO0F9261C8\X509ExtendedTrustManager.class"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO0F9261C8\X509ExtendedTrustManager.class

Filesize
439B

MD5
6c3247d6ff72589f546b57ff2f9a9f29

SHA1
07c36c61e9492ca6a953081defd643a7336d638b

SHA256
a4579dfdf03c2715ed8e1c264f448e5c2677460bbe5c63c92694977aa23589cb

SHA512
7daf6d197ba1cf7fbd46bfdea92b6ed8d51aee1ca70324009392e03e14f0bd204d12b2043e6bdc0c226eaa1fb339c0339caa1d24a5182bc31e0db6e9c28fb067

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp1804.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
4d87e6873ec4e789bbfc157b7e80360e

SHA1
77d9449a31a625308eb7347caa07f629e382e11d

SHA256
bf6ad01ab7090e307dbb9a3cd2f71611117541c41a3bb1f75d99805cf8cf353c

SHA512
4f4a59afed224a39bf1d458cf3d6b85a9e95d841a3b399a42e5fa2936c92dfeee9c57468a9ab299baf3df1dac17ad80f3be054648c843d3e767774d9e7974153

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\76b53b3ec448f7ccdda2063b15d2bfc3_1defa0c0-fc04-4155-83bc-b490dbaa3679

Filesize
2KB

MD5
44b3f8dc6103c0f4be2646e47e98b855

SHA1
d981d22a1357edd343e8aaca8cfe7829f135bd7c

SHA256
5e604d64a9af7141538bbaaca5b7d7e52f4a8eb0e1ebcfce592a527e210a679f

SHA512
2036dd53e20bb9028f3ddb0c91cf12f7d4ce42c1cd7d0d4c9d45c86af9cce71ca00f49380df1aa0a6e628f95ac3a12fd47f85fda5dc66d20a02dc0dd675215e6

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
54de4d7ec60ede898ea6a3ad2611f4c7

SHA1
e73c8cacf2a48de986a3332ed66922b78b502a1f

SHA256
0a44d810a18c00ab6b688c11874b00b861ac8c22e5f1b5ac62ee2747a51b4f60

SHA512
6b020ef703d89ee7eef97d6f38ed328423649136e135ea2b600e48d97632bc8f5f3c75a14ba942e14e1d3fa87f808dda9f945fc5b719e028e637f9e9ae14e056

Download Submit
memory/236-52-0x00000000003E0000-0x0000000000434000-memory.dmp

Filesize
336KB

Download
memory/2148-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-12-0x0000000001300000-0x0000000001354000-memory.dmp

Filesize
336KB

Download
memory/2852-25-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2852-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2852-18-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2852-20-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2852-23-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2852-24-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2852-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2852-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download