General
Target: inject_fortniteV3.0.exe
Size: 3.1MB
Sample: 230125-t9jgsaae8t
MD5: 20442abc1fd9cf9d34a54aed6ec06a1f
SHA1: b623b106f07257bc7187428b48769b5df89ffccb
SHA256: 5f44a568a45580bb598b8a5a81ca26e74e3cea5b78689ed715ab0c8848673541
SHA512: a63349720b7c98ca5a1e9f4138ded365fd971210608ab5666a3870107509d5b68cf90e945996d0a346352c7204b8cdf872d4c3ec283368a8ae96425eb995254e
SSDEEP: 49152:AbA3i4CGZQFM1jq6t6aHad355B8MzzgGa0RBAreWjDu/dHnZGxIGcAXI21I9S:AbCZQFMRq6pM3bcjCBibDqHIxIGWXU
Behavioral task: behavioral1
Sample: inject_fortniteV3.0.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: inject_fortniteV3.0.exe
Resource: win10v2004-20220812-en
Malware Config
Targets
Target: inject_fortniteV3.0.exe
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Disables Task Manager via registry modification
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-