Static task
static1
Behavioral task
behavioral1
Sample
delete fortnie cheat + spoofer/deletefortnitecheat.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
delete fortnie cheat + spoofer/deletefortnitecheat.exe
Resource
win10v2004-en-20220112
Behavioral task
behavioral3
Sample
delete fortnie cheat + spoofer/deletespoofer.exe
Resource
win7-en-20211208
Behavioral task
behavioral4
Sample
delete fortnie cheat + spoofer/deletespoofer.exe
Resource
win10v2004-en-20220113
General
-
Target
delete_fortnie_cheat__spoofer_1.rar
-
Size
156KB
-
MD5
102bd07e7adcf58e2298d103062e1092
-
SHA1
1d69e070f3fc4e6971642840f67dd6c575ef858f
-
SHA256
20afc142a26c094db25ede02fc13e99acc4a4431db32ecd2d3be05b9e3f852bc
-
SHA512
95d12cb0523aa466a268762f7787dfd4c13474b7d27d51a1f511add3be9b2823ca2476a75c5e95aff3719d4f88111286d18b18fc6168b575d69f32bbf669f769
-
SSDEEP
3072:8EayPypUU/iydmEKpSygLR4ptup+7AfMksNCjb0xuMlu:ZaFpUaiyxb+7A0kfb0xNlu
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/937359785945366559/J6k4-uE14Tm7_e8Kdub2q5IcQ50XeCeCv3DsHpMWPXIXgj1gX1vrX4wXRd1eyEkT6348
Signatures
-
Mercurialgrabber family
Files
-
delete_fortnie_cheat__spoofer_1.rar.rar
-
delete fortnie cheat + spoofer/deletefortnitecheat.exe.exe windows x64
17f03d29d77e9cc9ea8d9554d7e61c10
Code Sign
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
dwmapi
DwmExtendFrameIntoClientArea
kernel32
Process32First
SetConsoleTextAttribute
SetConsoleTitleA
GetStdHandle
DeviceIoControl
CreateToolhelp32Snapshot
Sleep
Process32Next
CloseHandle
CreateThread
GetProcAddress
CreateProcessA
GetCurrentProcess
CreateFileA
QueryPerformanceCounter
QueryPerformanceFrequency
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
GetModuleHandleW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
GlobalUnlock
GlobalLock
GlobalFree
GlobalAlloc
EnterCriticalSection
LeaveCriticalSection
user32
GetWindowThreadProcessId
GetWindow
DispatchMessageA
GetWindowRect
GetClientRect
DestroyWindow
SetWindowPos
ShowWindow
GetAsyncKeyState
SetWindowLongA
GetWindowLongA
MessageBoxA
GetForegroundWindow
MoveWindow
DefWindowProcA
CreateWindowExA
TranslateMessage
mouse_event
PeekMessageA
ReleaseCapture
SetCursor
SetCapture
SetClipboardData
GetClipboardData
ClientToScreen
GetCapture
SetCursorPos
GetActiveWindow
ScreenToClient
LoadCursorA
GetKeyState
UpdateWindow
RegisterClassExA
EmptyClipboard
FindWindowA
PostQuitMessage
GetCursorPos
OpenClipboard
CloseClipboard
advapi32
GetTokenInformation
OpenProcessToken
GetUserNameA
imm32
ImmReleaseContext
ImmGetContext
ImmSetCompositionWindow
msvcp140
_Query_perf_frequency
_Thrd_sleep
_Query_perf_counter
_Xtime_get_ticks
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Random_device@std@@YAIXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
d3d9
Direct3DCreate9Ex
vcruntime140_1
__CxxFrameHandler4
vcruntime140
__std_exception_copy
__std_terminate
strstr
memmove
memcpy
memchr
_CxxThrowException
__C_specific_handler
__current_exception_context
__std_exception_destroy
__current_exception
_purecall
memset
api-ms-win-crt-stdio-l1-1-0
__acrt_iob_func
ftell
__p__commode
fflush
_set_fmode
__stdio_common_vsprintf_s
fclose
fseek
__stdio_common_vsscanf
fread
__stdio_common_vsprintf
_wfopen
fwrite
__stdio_common_vfprintf
api-ms-win-crt-string-l1-1-0
isprint
strcmp
strncpy
api-ms-win-crt-utility-l1-1-0
qsort
api-ms-win-crt-heap-l1-1-0
_set_new_mode
_callnewh
free
malloc
api-ms-win-crt-convert-l1-1-0
atof
api-ms-win-crt-runtime-l1-1-0
_seh_filter_exe
_set_app_type
_get_initial_narrow_environment
_initterm
_initterm_e
_exit
system
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
_crt_atexit
_invalid_parameter_noinfo_noreturn
terminate
_cexit
_register_onexit_function
_initialize_onexit_table
_configure_narrow_argv
_initialize_narrow_environment
exit
api-ms-win-crt-locale-l1-1-0
_configthreadlocale
api-ms-win-crt-math-l1-1-0
pow
powf
cosf
sinf
fmodf
floorf
sqrt
asinf
tanf
sqrtf
__setusermatherr
ceilf
Sections
.text Size: 212KB - Virtual size: 212KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 44KB - Virtual size: 44KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 3KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 9KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 512B - Virtual size: 488B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 436B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
delete fortnie cheat + spoofer/deletespoofer.exe.exe windows x86
f34d5f2d4577ed6d9ceec516c1f5a744
Code Sign
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 39KB - Virtual size: 39KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
delete fortnie cheat + spoofer/key.txt
-
delete fortnie cheat + spoofer/read me (instructions).txt