General

  • Target

    fortnite.exe

  • Size

    1.1MB

  • Sample

    231205-pr1wwsba2s

  • MD5

    aa3751f140fc329f8392080511978b7f

  • SHA1

    086f32d869ae62d4b38d513ef166b3b64d52d451

  • SHA256

    f08f8588f39f06b56e5ba34374d4467b53d8fb12f1c748774cf551f00f556964

  • SHA512

    c2f840ac553ace50be09ab4c05d53f9aa73015df0fd664808c1e6d5a17b05b00629524916c567f250cb05e4acbbdd9f1aa17420bcb3cbe8bfaa14fb94608c32c

  • SSDEEP

    24576:U2G/nvxW3Ww0twLIMZrCKGhf1Pfg5f0LOwSvxd5Qq:UbA30pMxC1RSF1

Targets

    • Target

      fortnite.exe

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL
