Overview

overview

10

Static

static

3

Fortnite Checker.exe

windows7-x64

10

Fortnite Checker.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-04-2024 19:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fortnite Checker.exe

  • Size

    883KB

  • MD5

    5ff30ec323f9e6ec632ea3b2180a1cbc

  • SHA1

    aba95d8f4f7f634170cbad0461a3e6e0a4574059

  • SHA256

    d548ea85db4681de9393a4bd8369283db49f9f0525356d15f8ca06259e4fa930

  • SHA512

    e990b1de0d4f6c2f830bca0ddea747ab733289f8fc45f2da1b9e20128b9eabb51c8f2ed62ca0346bdbb20ca73b4ab871e2a0298e1f4df9d559d4bbee41cce66c

  • SSDEEP

    12288:GToPWBv/cpGrU3ywFm/byWr+5q+LViWdEVr9WoMwtubIwyqd7zw:GTbBv5rU4/b9SDmVr98w009qdHw

Score
10/10
vanillaratpersistencerat

Malware Config

Signatures

  • VanillaRat

    VanillaRat is an advanced remote administration tool coded in C#.

    ratvanillarat
  • Vanilla Rat payload 3 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe
    "C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Users\Admin\AppData\Roaming\Fortnite.exe
      "C:\Users\Admin\AppData\Roaming\Fortnite.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:3416
    • C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
      "C:\Users\Admin\AppData\Roaming\FortniteChecker.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      PID:2308
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1036
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1164

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\CsvHelper.dll
      Filesize

      133KB

      MD5

      c0b9e366d95e367ea4330187439b711b

      SHA1

      4674c657037b891f2f0cd3977976ef71b578b1b3

      SHA256

      dffad53f0349e00a1444f71465d7c66aa8758644879d9f628677d5ba8307322a

      SHA512

      dbd75f3f700f316eabf237235bb148e6098e9ccc313e215922f4b2f6adceea4f4dfb22f933bae6bf6c8693e9387f4dd94aedc8a650e4d8379f70038a7da2afc5

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Fortnite.exe
      Filesize

      114KB

      MD5

      4bd20275a3148a44bf040367a43f6fe2

      SHA1

      4faa5b6fca5f3b31b00995b4372f635b1ed3a019

      SHA256

      98efc33ad38ab3a913716402cb445a25e5e578bdd379494c0188b30028430336

      SHA512

      ba5477c92038704feea1988228b25c82107f1803a3a331ba4337ae48dcdd019b6fc9f3e7fc14ace08b6637ce85ae4ad029a6d1d60ee4daac6a82c0cc1466bc66

      Download Submit
    • C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
      Filesize

      83KB

      MD5

      f5d8bedb9dcc17a0a356f2f3f621971e

      SHA1

      76ed7763602cc198be87b3eb51949f54ae9c0f9b

      SHA256

      355ae598c711cf98fb78b485fe2bf351233e81d5b98ffd3c81b20470182e6ebe

      SHA512

      ee5c55a562259481199def67fba592bfa1b524fc4eaa5c9b558f6fbb9609542b0f1a915768f79662a6b7fd2f8127c013aa2fb08a249f5bba89aafad03c9e99eb

      Download Submit
    • C:\Users\Admin\AppData\Roaming\FortniteChecker.exe.config
      Filesize

      184B

      MD5

      13ff21470b63470978e08e4933eb8e56

      SHA1

      3fa7077272c55e85141236d90d302975e3d14b2e

      SHA256

      16286566d54d81c3721f7ecf7f426d965de364e9be2f9e628d7363b684b6fe6a

      SHA512

      56d0e52874744df091ba8421eeda9c37854ece32a826bd251f74b88b6334df69736b8cd97104e6e7b2279ef01d2144fee100392744cc1afb7025ebbad5c307a8

      Download Submit
    • memory/1036-60-0x00000282B2A90000-0x00000282B2A91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1036-61-0x00000282B2A90000-0x00000282B2A91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1036-58-0x00000282B2A90000-0x00000282B2A91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1036-59-0x00000282B2A90000-0x00000282B2A91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1036-62-0x00000282B2A90000-0x00000282B2A91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1036-63-0x00000282B2A90000-0x00000282B2A91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1036-64-0x00000282B2A90000-0x00000282B2A91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1036-53-0x00000282B2A90000-0x00000282B2A91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1036-54-0x00000282B2A90000-0x00000282B2A91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1036-52-0x00000282B2A90000-0x00000282B2A91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2308-41-0x00000000004B0000-0x00000000004CC000-memory.dmp
      Filesize

      112KB

      Download
    • memory/2308-51-0x00000000061C0000-0x00000000061E8000-memory.dmp
      Filesize

      160KB

      Download
    • memory/2308-67-0x0000000005070000-0x0000000005080000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2308-46-0x0000000005070000-0x0000000005080000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2308-45-0x0000000002830000-0x000000000283A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2308-66-0x00000000732C0000-0x0000000073A70000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2308-42-0x00000000732C0000-0x0000000073A70000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3416-39-0x0000000000910000-0x0000000000932000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3416-65-0x00000000732C0000-0x0000000073A70000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3416-40-0x00000000732C0000-0x0000000073A70000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3416-43-0x0000000005890000-0x0000000005E34000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3416-44-0x00000000051E0000-0x0000000005272000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3416-47-0x0000000005190000-0x00000000051A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3416-68-0x0000000005190000-0x00000000051A0000-memory.dmp
      Filesize

      64KB

      Download