General

  • Target

    Fortnite‮nls.SCr

  • Size

    149KB

  • Sample

    230718-wk6bcsdg6w

  • MD5

    141bf998683fbd8da1dd106562844695

  • SHA1

    37e11fe2d414045d3c315029eaa26da4793530e2

  • SHA256

    ca488f8b7b1918330e11260aff4fc2b353413f10b7390bb6f8d5437f4d5bf2d2

  • SHA512

    66269b42a3b1eae9c963a0d97df1759fa29576ac3be8cb4b82c78b5e1eb255cfa69070afd58aeb72f07c80a62acf83fd85b94f1fd9fa5f3e6b76d8e03fd9f110

  • SSDEEP

    768:sQ51nPEgDGJ61ktbP13fGrfX+9wqmE/q5/Vj/iF//hKGk4HU3rgJNIIaKTvqXF0x:bDnV261C6X4NmoFEgJycuoGs

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1130093797292900402/tYB3leEFtzF4RkxtyISBBD8JoyElTZ84y-J-gnLkl0c03Bo__qhxshnX3-NkcqxMwsJv

Extracted

Family

njrat

Version

0.7d

Botnet

ffg

C2

runtimebroker.ddns.net:8080

Mutex

9cd48799f48622358d39e92cf2b76213

Attributes

  • reg_key

    9cd48799f48622358d39e92cf2b76213

  • splitter

    Y262SUCZ4UJJ

Targets

    • Target

      Fortnite‮nls.SCr

    • Size

      149KB

    • MD5

      141bf998683fbd8da1dd106562844695

    • SHA1

      37e11fe2d414045d3c315029eaa26da4793530e2

    • SHA256

      ca488f8b7b1918330e11260aff4fc2b353413f10b7390bb6f8d5437f4d5bf2d2

    • SHA512

      66269b42a3b1eae9c963a0d97df1759fa29576ac3be8cb4b82c78b5e1eb255cfa69070afd58aeb72f07c80a62acf83fd85b94f1fd9fa5f3e6b76d8e03fd9f110

    • SSDEEP

      768:sQ51nPEgDGJ61ktbP13fGrfX+9wqmE/q5/Vj/iF//hKGk4HU3rgJNIIaKTvqXF0x:bDnV261C6X4NmoFEgJycuoGs

    • Stealerium

      An open-source info stealer written in C#, first seen in May 2022.

    • njRAT/Bladabindi

      A widely used RAT written in .NET.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks