MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57f8f1739037c713eac962b1a690490e645f402a3f0dd3309d65bf5292f7c6c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57f8f1739037c713eac962b1a690490e645f402a3f0dd3309d65bf5292f7c6c1
SHA3-384 hash: 52088740057e80df6a3669c854e771f937a3bf7fa40ec896f9575d9346e1bd26e7b88f0e75d010b3d8efd88e21b8fbe7
SHA1 hash: 87056638a08660cee518023c2854a30f1225f40d
MD5 hash: 7d6775e24b910e93c3846efeaf91263f
humanhash: hot-maine-magnesium-lemon
File name:Fortnite hack.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'393'226 bytes
First seen:2021-09-11 20:09:13 UTC
Last seen:2021-09-11 21:12:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 47 x PureHVNC, 28 x RedLineStealer)
ssdeep 98304:AwCNchJA3DsUYk9EAl/OU3x2N43ASjWpnC9RmIg4qL9VMQ0YjFzAj:vdhmTzX04B9R9G9VtZG
Threatray 2 similar samples on MalwareBazaar
TLSH T1534633747D42B6EFD01B433C963E6F12AB2037456EEA4B45EED82363C2DA4B4AE51434
Reporter Anonymous
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Fortnite hack.exe
Verdict:
No threats detected
Analysis date:
2021-09-11 20:11:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e3d26659-ce74-4180-a050-4fb6f8558461

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187099/
Detection(s):
SecuriteInfo.com.Variant.Razy.919820.8441.31352.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a window
Launching a process
Creating a process with a hidden window
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
DNS request
Deleting a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a807674-a1ab-44b5-a0db-5196d09b6e6d
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849266
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture screen (.Net source)
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses powershell Test-Connection to delay payload execution;
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 481697 Sample: Fortnite hack.exe Startdate: 11/09/2021 Architecture: WINDOWS Score: 100 78 65.21.218.128, 42806, 49809 CP-ASDE United States 2->78 80 5.188.119.156, 49808, 52352 SELECTELRU Russian Federation 2->80 82 16 other IPs or domains 2->82 110 Antivirus / Scanner detection for submitted sample 2->110 112 Multi AV Scanner detection for submitted file 2->112 114 Detected unpacking (changes PE section rights) 2->114 116 16 other signatures 2->116 9 Fortnite hack.exe 8 2->9         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        18 9 other processes 2->18 signatures3 process4 dnsIp5 70 C:\Users\user\AppData\Local\...\ohykdelP.exe, PE32 9->70 dropped 72 C:\Users\user\AppData\Local\...\nokito1.exe, PE32 9->72 dropped 74 C:\Users\user\AppData\Local\...\@nokito12.exe, PE32 9->74 dropped 76 2 other malicious files 9->76 dropped 132 Query firmware table information (likely to detect VMs) 9->132 134 Hides threads from debuggers 9->134 136 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->136 138 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->138 20 ohykdelP.exe 15 35 9->20         started        25 nokito1.exe 4 9->25         started        27 @nokito12.exe 4 9->27         started        29 @nokito1.exe 2 9->29         started        140 Changes security center settings (notifications, updates, antivirus, firewall) 13->140 90 127.0.0.1 unknown unknown 15->90 file6 signatures7 process8 dnsIp9 84 f0579030.xsph.ru 141.8.192.151, 49746, 80 SPRINTHOSTRU Russian Federation 20->84 86 45.137.190.170, 19896, 49739 BITWEB-ASRU Russian Federation 20->86 88 api.ip.sb 20->88 68 C:\Users\user\AppData\Local\Temp\fl.exe, PE32+ 20->68 dropped 118 Antivirus detection for dropped file 20->118 120 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->120 122 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->122 130 2 other signatures 20->130 124 Machine Learning detection for dropped file 25->124 126 Uses powershell Test-Connection to delay payload execution; 25->126 128 Injects a PE file into a foreign processes 25->128 31 powershell.exe 25->31         started        34 powershell.exe 25->34         started        36 powershell.exe 25->36         started        44 2 other processes 25->44 38 powershell.exe 27->38         started        40 powershell.exe 27->40         started        42 powershell.exe 27->42         started        46 2 other processes 27->46 48 2 other processes 29->48 file10 signatures11 process12 dnsIp13 102 2 other IPs or domains 31->102 50 conhost.exe 31->50         started        92 google.com 34->92 52 conhost.exe 34->52         started        94 google.com 36->94 54 conhost.exe 36->54         started        104 2 other IPs or domains 38->104 56 conhost.exe 38->56         started        96 google.com 40->96 58 conhost.exe 40->58         started        98 google.com 42->98 60 conhost.exe 42->60         started        106 2 other IPs or domains 44->106 62 conhost.exe 44->62         started        64 conhost.exe 44->64         started        108 2 other IPs or domains 46->108 66 conhost.exe 46->66         started        100 95.213.216.158, 49740, 49741, 49745 SELECTELRU Russian Federation 48->100 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57f8f1739037c713eac962b1a690490e645f402a3f0dd3309d65bf5292f7c6c1/
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-09-11 20:10:01 UTC
AV detection:
11 of 45 (24.44%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3a78a3a475ff61cc48c9cf5b07b67cd05d0cb7c0fc719b2f7e7a579648caeda2
RedLineStealer
9debd5d7a5f7cf87a37d1f1432878baa0ac7cf6ecca5b4bfdcfa1163f07a6953
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@nokito1 discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210911-yxpv9abfh6/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.137.190.170:19896
95.213.216.158:80
65.21.218.128:42806
5.188.119.156:52352
Unpacked files
SH256 hash:
57f8f1739037c713eac962b1a690490e645f402a3f0dd3309d65bf5292f7c6c1
MD5 hash:
7d6775e24b910e93c3846efeaf91263f
SHA1 hash:
87056638a08660cee518023c2854a30f1225f40d
Link:
https://www.unpac.me/results/7dc7083a-8c9c-4d64-b5db-67b8205b94b0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/57f8f1739037/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/57f8f1739037c713eac962b1a690490e645f402a3f0dd3309d65bf5292f7c6c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187099/

Comments