General
-
Target
Fortnite.exe
-
Size
1MB
-
Sample
230604-2gzmasea29
-
MD5
f795b0bb519a53aa55f3a1f8b421708d
-
SHA1
18b0c53280f120d18e224ef389e21a09902da4f4
-
SHA256
0102ee1516fd47fc9cb7ffb31c922e747cc5ce638e2fb0d5e133275e271cd492
-
SHA512
d3a1908461508c6bf322e1aa809b6b04ed27e0722957fcdf5d4f828060f4d4ba76d415ba56b8dad1d9d07129603590fc75699d98014fd79f3bfb8ea051e70180
-
SSDEEP
24576:U2G/nvxW3Ww0tEiau4VjR/qCUzDG6bNUa1BMJWl:UbA30klYS6b26
Behavioral task
behavioral1
Sample
Fortnite.exe
Resource
win10-20230220-en
Behavioral task
behavioral2
Sample
Fortnite.exe
Resource
win10v2004-20230220-en
Malware Config
Targets
-
-
Target
Fortnite.exe
-
Score
10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-