Overview

overview

10

Static

static

3

Fortnite Checker.exe

windows7-x64

10

Fortnite Checker.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    27-04-2024 19:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fortnite Checker.exe

  • Size

    883KB

  • MD5

    5ff30ec323f9e6ec632ea3b2180a1cbc

  • SHA1

    aba95d8f4f7f634170cbad0461a3e6e0a4574059

  • SHA256

    d548ea85db4681de9393a4bd8369283db49f9f0525356d15f8ca06259e4fa930

  • SHA512

    e990b1de0d4f6c2f830bca0ddea747ab733289f8fc45f2da1b9e20128b9eabb51c8f2ed62ca0346bdbb20ca73b4ab871e2a0298e1f4df9d559d4bbee41cce66c

  • SSDEEP

    12288:GToPWBv/cpGrU3ywFm/byWr+5q+LViWdEVr9WoMwtubIwyqd7zw:GTbBv5rU4/b9SDmVr98w009qdHw

Score
10/10
vanillaratpersistencerat

Malware Config

Signatures

  • VanillaRat

    VanillaRat is an advanced remote administration tool coded in C#.

    ratvanillarat
  • Vanilla Rat payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe
    "C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Roaming\Fortnite.exe
      "C:\Users\Admin\AppData\Roaming\Fortnite.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2292
    • C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
      "C:\Users\Admin\AppData\Roaming\FortniteChecker.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=FortniteChecker.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Fortnite.exe
    Filesize

    114KB

    MD5

    4bd20275a3148a44bf040367a43f6fe2

    SHA1

    4faa5b6fca5f3b31b00995b4372f635b1ed3a019

    SHA256

    98efc33ad38ab3a913716402cb445a25e5e578bdd379494c0188b30028430336

    SHA512

    ba5477c92038704feea1988228b25c82107f1803a3a331ba4337ae48dcdd019b6fc9f3e7fc14ace08b6637ce85ae4ad029a6d1d60ee4daac6a82c0cc1466bc66

    Download Submit
  • C:\Users\Admin\AppData\Roaming\FortniteChecker.exe.config
    Filesize

    184B

    MD5

    13ff21470b63470978e08e4933eb8e56

    SHA1

    3fa7077272c55e85141236d90d302975e3d14b2e

    SHA256

    16286566d54d81c3721f7ecf7f426d965de364e9be2f9e628d7363b684b6fe6a

    SHA512

    56d0e52874744df091ba8421eeda9c37854ece32a826bd251f74b88b6334df69736b8cd97104e6e7b2279ef01d2144fee100392744cc1afb7025ebbad5c307a8

    Download Submit
  • \Users\Admin\AppData\Roaming\FortniteChecker.exe
    Filesize

    83KB

    MD5

    f5d8bedb9dcc17a0a356f2f3f621971e

    SHA1

    76ed7763602cc198be87b3eb51949f54ae9c0f9b

    SHA256

    355ae598c711cf98fb78b485fe2bf351233e81d5b98ffd3c81b20470182e6ebe

    SHA512

    ee5c55a562259481199def67fba592bfa1b524fc4eaa5c9b558f6fbb9609542b0f1a915768f79662a6b7fd2f8127c013aa2fb08a249f5bba89aafad03c9e99eb

    Download Submit
  • memory/2292-46-0x0000000000C70000-0x0000000000C92000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2292-47-0x0000000073D60000-0x000000007444E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2292-48-0x0000000073D60000-0x000000007444E000-memory.dmp
    Filesize

    6.9MB

    Download