Analysis Overview
SHA256
031befba18fa50131197835fee61080852bfd9bb9818606ad786681e49bce7fa
Threat Level: Known bad
The file Fortnite Checker V4.1 by ODAKU.zip was found to be: Known bad.
Malicious Activity Summary
Stormkitty family
AsyncRat
Asyncrat family
Async RAT payload
StormKitty payload
StormKitty
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Looks up geolocation information via web service
Looks up external IP address via web service
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-28 16:44
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-28 16:44
Reported
2023-08-28 16:46
Platform
win10-20230703-en
Max time kernel
59s
Max time network
33s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe
"C:\Users\Admin\AppData\Local\Temp\Valorant Checker V1.3 by COPRO.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 97.114.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
Files
memory/2084-0-0x0000000000760000-0x0000000000790000-memory.dmp
memory/2084-1-0x0000000073E70000-0x000000007455E000-memory.dmp
memory/2084-2-0x0000000005090000-0x00000000050A0000-memory.dmp
memory/2084-3-0x00000000052A0000-0x0000000005306000-memory.dmp
memory/2084-54-0x0000000073E70000-0x000000007455E000-memory.dmp
memory/2084-69-0x0000000005090000-0x00000000050A0000-memory.dmp
C:\Users\Admin\AppData\Local\58c333bedcaa0acd798c524e736a7369\Admin@ABECIELQ_en-US\System\Process.txt
| MD5 | 5bff95ca279f06951bf457025deb163c |
| SHA1 | 9c656931e684f27104747e8f83a02e776c91bc66 |
| SHA256 | 08830c580333b854baaafe2b120e4e3866beb7c6cb4cd5fa409ef3ebd121563c |
| SHA512 | 7986a04694fbc644c20d2ad65f46dd6694852f003d1b162b2aa001b5018e80d064c6b3d6a6781ac961b9bddff75230f50094100404bc31bfc60d652e23e264e2 |
memory/2084-118-0x0000000005090000-0x00000000050A0000-memory.dmp
memory/2084-119-0x0000000005EB0000-0x0000000005F42000-memory.dmp
memory/2084-120-0x0000000006450000-0x000000000694E000-memory.dmp
memory/2084-124-0x0000000005FB0000-0x0000000005FBA000-memory.dmp
C:\Users\Admin\AppData\Local\da939ef69dfa1bd35e86ca8786e767bb\msgid.dat
| MD5 | d38901788c533e8286cb6400b40b386d |
| SHA1 | b5507c7ca8cfa4c51b7c97843e5e4525ed1ad06d |
| SHA256 | 8de143c7e8ffc2a50d4910226e43210686863274cb0435990149fdecb0163dd8 |
| SHA512 | f13fb6c29f508a2feb4be586fcb6e60d10fa78d2bc821db7877bf581afeee59205598e8ca80fc8c5a49b21f258ad58431b70d0cad7bb1c7b121f0feefd1ff82c |
memory/2084-130-0x0000000005FC0000-0x0000000005FD2000-memory.dmp
memory/2084-154-0x0000000005090000-0x00000000050A0000-memory.dmp