Overview

overview

10

Static

static

3

Fortnite Checker.exe

windows7-x64

10

Fortnite Checker.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-10-2024 20:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fortnite Checker.exe

  • Size

    883KB

  • MD5

    5ff30ec323f9e6ec632ea3b2180a1cbc

  • SHA1

    aba95d8f4f7f634170cbad0461a3e6e0a4574059

  • SHA256

    d548ea85db4681de9393a4bd8369283db49f9f0525356d15f8ca06259e4fa930

  • SHA512

    e990b1de0d4f6c2f830bca0ddea747ab733289f8fc45f2da1b9e20128b9eabb51c8f2ed62ca0346bdbb20ca73b4ab871e2a0298e1f4df9d559d4bbee41cce66c

  • SSDEEP

    12288:GToPWBv/cpGrU3ywFm/byWr+5q+LViWdEVr9WoMwtubIwyqd7zw:GTbBv5rU4/b9SDmVr98w009qdHw

Score
10/10
vanillaratdiscoverypersistencerat

Malware Config

Signatures

  • VanillaRat

    VanillaRat is an advanced remote administration tool coded in C#.

    ratvanillarat
  • Vanilla Rat payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe
    "C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Users\Admin\AppData\Roaming\Fortnite.exe
      "C:\Users\Admin\AppData\Roaming\Fortnite.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:4456
    • C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
      "C:\Users\Admin\AppData\Roaming\FortniteChecker.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:768

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\CsvHelper.dll
    Filesize

    133KB

    MD5

    c0b9e366d95e367ea4330187439b711b

    SHA1

    4674c657037b891f2f0cd3977976ef71b578b1b3

    SHA256

    dffad53f0349e00a1444f71465d7c66aa8758644879d9f628677d5ba8307322a

    SHA512

    dbd75f3f700f316eabf237235bb148e6098e9ccc313e215922f4b2f6adceea4f4dfb22f933bae6bf6c8693e9387f4dd94aedc8a650e4d8379f70038a7da2afc5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Fortnite.exe
    Filesize

    114KB

    MD5

    4bd20275a3148a44bf040367a43f6fe2

    SHA1

    4faa5b6fca5f3b31b00995b4372f635b1ed3a019

    SHA256

    98efc33ad38ab3a913716402cb445a25e5e578bdd379494c0188b30028430336

    SHA512

    ba5477c92038704feea1988228b25c82107f1803a3a331ba4337ae48dcdd019b6fc9f3e7fc14ace08b6637ce85ae4ad029a6d1d60ee4daac6a82c0cc1466bc66

    Download Submit

  • C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
    Filesize

    83KB

    MD5

    f5d8bedb9dcc17a0a356f2f3f621971e

    SHA1

    76ed7763602cc198be87b3eb51949f54ae9c0f9b

    SHA256

    355ae598c711cf98fb78b485fe2bf351233e81d5b98ffd3c81b20470182e6ebe

    SHA512

    ee5c55a562259481199def67fba592bfa1b524fc4eaa5c9b558f6fbb9609542b0f1a915768f79662a6b7fd2f8127c013aa2fb08a249f5bba89aafad03c9e99eb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\FortniteChecker.exe.config
    Filesize

    184B

    MD5

    13ff21470b63470978e08e4933eb8e56

    SHA1

    3fa7077272c55e85141236d90d302975e3d14b2e

    SHA256

    16286566d54d81c3721f7ecf7f426d965de364e9be2f9e628d7363b684b6fe6a

    SHA512

    56d0e52874744df091ba8421eeda9c37854ece32a826bd251f74b88b6334df69736b8cd97104e6e7b2279ef01d2144fee100392744cc1afb7025ebbad5c307a8

    Download Submit

  • memory/768-41-0x0000000000330000-0x000000000034C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/768-42-0x0000000072AC0000-0x0000000073270000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/768-43-0x0000000005310000-0x00000000058B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/768-47-0x0000000072AC0000-0x0000000073270000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/768-51-0x00000000060A0000-0x00000000060C8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/768-53-0x0000000072AC0000-0x0000000073270000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4456-40-0x0000000000330000-0x0000000000352000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4456-44-0x0000000004D80000-0x0000000004E12000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4456-45-0x0000000072AC0000-0x0000000073270000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4456-46-0x0000000004E20000-0x0000000004E2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4456-39-0x0000000072ACE000-0x0000000072ACF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4456-52-0x0000000072ACE000-0x0000000072ACF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4456-54-0x0000000072AC0000-0x0000000073270000-memory.dmp

    Filesize

    7.7MB

    Download