General

  • Target

    fortnite-external.exe

  • Size

    392KB

  • Sample

    240921-btxelayekf

  • MD5

    450270d6a68cf6364e98f16b917a84e6

  • SHA1

    3e89467c9cbc12a76ab77c50913ee45420e16ccc

  • SHA256

    30a300329684903e2ca4a937aacbfb337ab30474aadd40e473ca544e8069c52d

  • SHA512

    27c7b9c03a026ba578d6c71f6805d07a702740ce21f2e738cadb7fd2d455d6b1abf620c5b147ee018494a33376ff4e907bdf8ce0fa76f7970abe6cd03da6b4b6

  • SSDEEP

    6144:whcdTWDsDiY4ElESAtEnESbkaXOahqJiSxRODbGWrZjkmn35GYrZ8RA:fdxE7xr4kmnJ

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
