General
-
Target
FortniteClient-Win64-Shipping_BE.exe
-
Size
223KB
-
Sample
230718-by8nesgd9t
-
MD5
138b9702b1163a9ea21688640955479c
-
SHA1
245083872ab5fc45961c6d2f5772172b61db008d
-
SHA256
6c26664ce65b4a3602fdc8fd21fb53b82498712bb602773e6747bc68d5b980ed
-
SHA512
46230a4bddb6d34767c0cae223cf28f5d0eac1cd16ae1aea734ae99761df4474e340bc257b7519dfabe6594e2674c18779000c5a09211289ecbd83781b639d5f
-
SSDEEP
1536:ijnFF/DXXXnHJXXXnHmH3pH3MoM0NxHKb0gR:iDFFIH3pH3M4HKb0g
Static task
static1
Behavioral task
behavioral1
Sample
FortniteClient-Win64-Shipping_BE.exe
Resource
win10-20230703-en
Behavioral task
behavioral2
Sample
FortniteClient-Win64-Shipping_BE.exe
Resource
win10v2004-20230703-en
Malware Config
Extracted
vidar
4.8
https://t.me/sundayevent
https://t.me/sundayevent
https://steamcommunity.com/profiles/76561198982268531
-
profile_id_v2
https://t.me/sundayevent
-
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9
Extracted
laplas
http://185.209.161.89
-
api_key
6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0
Targets
-
-
Target
FortniteClient-Win64-Shipping_BE.exe
-
Size
223KB
-
MD5
138b9702b1163a9ea21688640955479c
-
SHA1
245083872ab5fc45961c6d2f5772172b61db008d
-
SHA256
6c26664ce65b4a3602fdc8fd21fb53b82498712bb602773e6747bc68d5b980ed
-
SHA512
46230a4bddb6d34767c0cae223cf28f5d0eac1cd16ae1aea734ae99761df4474e340bc257b7519dfabe6594e2674c18779000c5a09211289ecbd83781b639d5f
-
SSDEEP
1536:ijnFF/DXXXnHJXXXnHmH3pH3MoM0NxHKb0gR:iDFFIH3pH3M4HKb0g
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Contacts a large (517) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Installed Components in the registry
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-