Malware Analysis Report

2025-01-03 06:41

Sample ID 230828-t8596ada35
Target Fortnite Checker V4.1 by ODAKU.zip
SHA256 031befba18fa50131197835fee61080852bfd9bb9818606ad786681e49bce7fa
Tags
rat default asyncrat stormkitty spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

031befba18fa50131197835fee61080852bfd9bb9818606ad786681e49bce7fa

Threat Level: Known bad

The archive Fortnite Checker V4.1 by ODAKU.zip was found to be: Known bad. Note the lure name mismatch: the archive is named as a Fortnite account checker, while the executable detonated from it in behavioral1 is Valorant Checker V1.3 by COPRO.exe (see the Command Line section). Both names are typical of the "game account checker" lures used to distribute stealers.

Malicious Activity Summary

Tags: rat default asyncrat stormkitty spyware stealer

Family detections (static1 and behavioral1 combined):

AsyncRat / Asyncrat family / Async RAT payload

StormKitty / Stormkitty family / StormKitty payload

Behavioral signatures:

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Looks up geolocation information via web service

Looks up external IP address via web service

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

No technique mappings are included in this export of the report.

Analysis: static1

Detonation Overview

Reported

2023-08-28 16:44

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-28 16:44

Reported

2023-08-28 16:46

Platform

win10-20230703-en

Max time kernel

59s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe N/A
File created C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe N/A
File created C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe N/A
File created C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe N/A
File created C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe N/A
File created C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe N/A
File created C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe N/A
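The desktop.ini events above are a side effect of the stealer's file grabber copying the user's Desktop, Documents, Downloads and Pictures folders into a staging tree under %LOCALAPPDATA%\<32 hex chars>\<user>@<host>_<locale>\Grabber\DRIVE-<letter>\... (the System\Process.txt entry in the Files section uses the same tree). The following parser is an added example, not part of the report or of any vendor tooling: it recovers the victim identity and the original path of each staged file from such paths during triage. The directory layout it assumes is inferred only from the paths on this page, and the sample paths are the report's own file events plus the msgid.dat path, which lives in a differently structured directory and must not be mis-parsed.

```python
"""Parse StormKitty-style staging paths from file events (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Layout inferred from the report's file events:
#   <drive>:\Users\<u>\AppData\Local\<32 hex>\<user>@<host>_<locale>\<module>\<rest>
STAGING_RE = re.compile(
    r"^(?P<base>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local)\\"
    r"(?P<id>[0-9a-f]{32})\\"
    r"(?P<user>[^@\\]+)@(?P<host>[^\\]+?)_(?P<locale>[a-z]{2}-[A-Z]{2})\\"
    r"(?P<module>[^\\]+)\\(?P<rest>.+)$"
)
# Inside the Grabber module the original drive letter is encoded as DRIVE-<letter>\
DRIVE_RE = re.compile(r"^DRIVE-(?P<letter>[A-Za-z])\\(?P<path>.+)$")

# Paths taken from this report's file events (plus msgid.dat as a negative case)
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini",
    r"C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini",
    r"C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini",
    r"C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini",
    r"C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\System\Process.txt",
    r"C:\Users\Admin\AppData\Local\da939ef69dfa1bd35e86ca8786e767bb\msgid.dat",
]


@dataclass(frozen=True)
class StagedFile:
    staging_id: str
    user: str
    host: str
    locale: str
    module: str
    staged_path: str
    original_path: Optional[str]  # reconstructed for Grabber entries, else None


def parse_staged_path(path: str) -> Optional[StagedFile]:
    """Return a StagedFile for a path in the staging layout, else None."""
    m = STAGING_RE.match(path)
    if not m:
        return None
    original = None
    if m["module"].lower() == "grabber":
        d = DRIVE_RE.match(m["rest"])
        if d:
            original = f"{d['letter'].upper()}:\\{d['path']}"
    return StagedFile(m["id"], m["user"], m["host"], m["locale"],
                      m["module"], path, original)


def staged_originals(paths):
    """Map victim (user@host) -> sorted list of original files that were staged."""
    out = {}
    for p in paths:
        sf = parse_staged_path(p)
        if sf and sf.original_path:
            out.setdefault(f"{sf.user}@{sf.host}", set()).add(sf.original_path)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for victim, files in staged_originals(SAMPLE_PATHS).items():
        print(victim)
        for f in files:
            print("  ", f)
```

On a real host, feed it the paths from a file-system timeline or the sandbox's file events; an entry that parses but has no original path (the System module, for example) is the stealer's own collected data rather than a copied user file.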

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

No indicator row is present in this export for this signature. The Network section below shows the request going to api.mylnikov.org over TCP 443, and the Processes section shows the preceding netsh wlan show networks mode=bssid scan, which collects the nearby access-point BSSIDs that a Wi-Fi geolocation lookup is based on.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2136 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2136 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2136 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2136 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2136 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2136 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2136 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2136 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2084 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5020 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5020 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5020 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5020 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5020 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe

"C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 97.114.18.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
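The outbound traffic is a small, ordered fingerprint: resolve the public IP (icanhazip.com), call a geolocation API (api.mylnikov.org), then post to the Telegram Bot API (api.telegram.org), the channel this family uses to deliver the collected data. None of those hostnames is malicious on its own, so the useful detection is the sequence from one host within a short window. The matcher below is an added example, not part of the report; its flow records are constructed (the timestamps and internal source addresses are mine, the hostnames are the ones the sandbox recorded) and the five-minute window is an assumption. It generalizes beyond this sample in that each stage accepts a set of hostnames, so other public-IP or geolocation services can be added without changing the logic.

```python
"""Detect the external-IP -> geolocation -> Telegram check-in sequence (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (timestamp, source host, destination hostname)
SAMPLE_FLOWS = [
    ("2023-08-28T16:44:10", "10.0.0.5", "icanhazip.com"),
    ("2023-08-28T16:44:12", "10.0.0.5", "api.mylnikov.org"),
    ("2023-08-28T16:44:15", "10.0.0.5", "api.telegram.org"),
    ("2023-08-28T16:44:16", "10.0.0.5", "api.telegram.org"),
    # Control: a host that only checks its public IP (common and benign)
    ("2023-08-28T16:50:00", "10.0.0.9", "icanhazip.com"),
    # Control: all three services, but hours apart, so not one check-in
    ("2023-08-28T09:00:00", "10.0.0.7", "icanhazip.com"),
    ("2023-08-28T12:00:00", "10.0.0.7", "api.mylnikov.org"),
    ("2023-08-28T15:00:00", "10.0.0.7", "api.telegram.org"),
]

# Ordered stages; a stage is satisfied by any hostname in its set.
STAGES = (
    ("external_ip", {"icanhazip.com"}),
    ("geolocation", {"api.mylnikov.org"}),
    ("telegram_api", {"api.telegram.org"}),
)


def _match_in_order(events, window):
    """events: sorted [(datetime, hostname)].  Return [(stage, ts)] for the
    first window in which every stage occurs in order, else None."""
    first_name, first_hosts = STAGES[0]
    for i, (ts0, host0) in enumerate(events):
        if host0 not in first_hosts:
            continue
        matched, nxt = [(first_name, ts0)], 1
        for ts, host in events[i + 1:]:
            if ts - ts0 > window:
                break  # window anchored at this first-stage event has expired
            if host in STAGES[nxt][1]:
                matched.append((STAGES[nxt][0], ts))
                nxt += 1
                if nxt == len(STAGES):
                    return matched
    return None


def detect_checkin_sequence(flows, window=timedelta(minutes=5)):
    """Return {source_host: [(stage, timestamp), ...]} for every source that
    completes the whole sequence within `window` of its external-IP lookup."""
    by_src = defaultdict(list)
    for ts, src, host in flows:
        by_src[src].append((datetime.fromisoformat(ts), host.lower()))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        hit = _match_in_order(events, window)
        if hit:
            findings[src] = hit
    return findings


if __name__ == "__main__":
    for src, stages in detect_checkin_sequence(SAMPLE_FLOWS).items():
        print(src, " -> ".join(f"{name}@{ts.time()}" for name, ts in stages))
```

Run it over DNS or proxy logs keyed by client address. The two loopback connections in the table (127.0.0.1:8808 and 127.0.0.1:7707) are not visible to a network sensor at all and have to be hunted on the host, for example by looking for the sample's process with sockets on those ports.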

Files

memory/2084-0-0x0000000000760000-0x0000000000790000-memory.dmp

memory/2084-1-0x0000000073E70000-0x000000007455E000-memory.dmp

memory/2084-2-0x0000000005090000-0x00000000050A0000-memory.dmp

memory/2084-3-0x00000000052A0000-0x0000000005306000-memory.dmp

memory/2084-54-0x0000000073E70000-0x000000007455E000-memory.dmp

memory/2084-69-0x0000000005090000-0x00000000050A0000-memory.dmp

C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\System\Process.txt

MD5 5bff95ca279f06951bf457025deb163c
SHA1 9c656931e684f27104747e8f83a02e776c91bc66
SHA256 08830c580333b854baaafe2b120e4e3866beb7c6cb4cd5fa409ef3ebd121563c
SHA512 7986a04694fbc644c20d2ad65f46dd6694852f003d1b162b2aa001b5018e80d064c6b3d6a6781ac961b9bddff75230f50094100404bc31bfc60d652e23e264e2

memory/2084-118-0x0000000005090000-0x00000000050A0000-memory.dmp

memory/2084-119-0x0000000005EB0000-0x0000000005F42000-memory.dmp

memory/2084-120-0x0000000006450000-0x000000000694E000-memory.dmp

memory/2084-124-0x0000000005FB0000-0x0000000005FBA000-memory.dmp

C:\Users\Admin\AppData\Local\da939ef69dfa1bd35e86ca8786e767bb\msgid.dat

MD5 d38901788c533e8286cb6400b40b386d
SHA1 b5507c7ca8cfa4c51b7c97843e5e4525ed1ad06d
SHA256 8de143c7e8ffc2a50d4910226e43210686863274cb0435990149fdecb0163dd8
SHA512 f13fb6c29f508a2feb4be586fcb6e60d10fa78d2bc821db7877bf581afeee59205598e8ca80fc8c5a49b21f258ad58431b70d0cad7bb1c7b121f0feefd1ff82c

memory/2084-130-0x0000000005FC0000-0x0000000005FD2000-memory.dmp

memory/2084-154-0x0000000005090000-0x00000000050A0000-memory.dmp