Malware Analysis Report

2024-10-23 20:57

Sample ID 241015-y44b8ayhnr
Target Fortnite Checker.exe
SHA256 d548ea85db4681de9393a4bd8369283db49f9f0525356d15f8ca06259e4fa930
Tags
vanillarat discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d548ea85db4681de9393a4bd8369283db49f9f0525356d15f8ca06259e4fa930

Threat Level: Known bad

The file Fortnite Checker.exe was found to be: Known bad.

Malicious Activity Summary

vanillarat discovery persistence rat

VanillaRat

Vanilla Rat payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 20:21

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 20:21

Reported

2024-10-15 20:23

Platform

win7-20240729-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Fortnite.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fortnite = "C:\\Users\\Admin\\AppData\\Roaming\\Fortnite.exe" | C:\Users\Admin\AppData\Roaming\Fortnite.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Fortnite.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 001f36e23f1fdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not captured in this report] | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435185562" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1333E601-8B33-11EF-A5E9-FE7389BE724D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000479e488cf5b56fd307f70e7d1b38c3a34ba1a12e9e8abf817581d533fcaa1896000000000e800000000200002000000076e5267229f1339ff2c052f71cd40117bf54edc199bd3edc7f2654444732ae0e200000001efae71e928ee376bc08aca10efda4671bb7264cfffa33d9cd01e993ba78170a4000000068f48d22de8d8f0ac9af7ab81046b11d94abfbd150c33a80ac0c118711a077d68980961e55a20aa81b715c9704ff66c3abc9e58a65325c5fed06607121c4d2f5 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2296 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe | C:\Users\Admin\AppData\Roaming\Fortnite.exe
PID 2296 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe | C:\Users\Admin\AppData\Roaming\Fortnite.exe
PID 2296 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe | C:\Users\Admin\AppData\Roaming\Fortnite.exe
PID 2296 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe | C:\Users\Admin\AppData\Roaming\Fortnite.exe
PID 2296 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
PID 2296 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
PID 2296 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
PID 2296 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
PID 2824 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2824 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2824 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2824 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2720 wrote to memory of 2740 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 2740 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 2740 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 2740 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe

"C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe"

C:\Users\Admin\AppData\Roaming\Fortnite.exe

"C:\Users\Admin\AppData\Roaming\Fortnite.exe"

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe

"C:\Users\Admin\AppData\Roaming\FortniteChecker.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=FortniteChecker.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
DE | 138.68.84.55:3086 |  | tcp
DE | 138.68.84.55:3086 |  | tcp
US | 8.8.8.8:53 | dotnet.microsoft.com | udp
US | 13.107.246.64:443 | dotnet.microsoft.com | tcp
US | 13.107.246.64:443 | dotnet.microsoft.com | tcp
US | 13.107.246.64:443 | dotnet.microsoft.com | tcp
US | 13.107.246.64:443 | dotnet.microsoft.com | tcp
US | 13.107.246.64:443 | dotnet.microsoft.com | tcp
US | 13.107.246.64:443 | dotnet.microsoft.com | tcp
US | 13.107.246.64:443 | dotnet.microsoft.com | tcp
DE | 138.68.84.55:3086 |  | tcp
DE | 138.68.84.55:3086 |  | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
DE | 138.68.84.55:3086 |  | tcp
DE | 138.68.84.55:3086 |  | tcp
DE | 138.68.84.55:3086 |  | tcp
DE | 138.68.84.55:3086 |  | tcp

Files

\Users\Admin\AppData\Roaming\Fortnite.exe

MD5 4bd20275a3148a44bf040367a43f6fe2
SHA1 4faa5b6fca5f3b31b00995b4372f635b1ed3a019
SHA256 98efc33ad38ab3a913716402cb445a25e5e578bdd379494c0188b30028430336
SHA512 ba5477c92038704feea1988228b25c82107f1803a3a331ba4337ae48dcdd019b6fc9f3e7fc14ace08b6637ce85ae4ad029a6d1d60ee4daac6a82c0cc1466bc66

\Users\Admin\AppData\Roaming\FortniteChecker.exe

MD5 f5d8bedb9dcc17a0a356f2f3f621971e
SHA1 76ed7763602cc198be87b3eb51949f54ae9c0f9b
SHA256 355ae598c711cf98fb78b485fe2bf351233e81d5b98ffd3c81b20470182e6ebe
SHA512 ee5c55a562259481199def67fba592bfa1b524fc4eaa5c9b558f6fbb9609542b0f1a915768f79662a6b7fd2f8127c013aa2fb08a249f5bba89aafad03c9e99eb

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe.config

MD5 13ff21470b63470978e08e4933eb8e56
SHA1 3fa7077272c55e85141236d90d302975e3d14b2e
SHA256 16286566d54d81c3721f7ecf7f426d965de364e9be2f9e628d7363b684b6fe6a
SHA512 56d0e52874744df091ba8421eeda9c37854ece32a826bd251f74b88b6334df69736b8cd97104e6e7b2279ef01d2144fee100392744cc1afb7025ebbad5c307a8

memory/2876-46-0x000000007428E000-0x000000007428F000-memory.dmp

memory/2876-47-0x0000000000EA0000-0x0000000000EC2000-memory.dmp

memory/2876-55-0x000000007428E000-0x000000007428F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabDBFF.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarDC21.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 20:21

Reported

2024-10-15 20:23

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Fortnite.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fortnite = "C:\\Users\\Admin\\AppData\\Roaming\\Fortnite.exe" | C:\Users\Admin\AppData\Roaming\Fortnite.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Fortnite.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe

"C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe"

C:\Users\Admin\AppData\Roaming\Fortnite.exe

"C:\Users\Admin\AppData\Roaming\Fortnite.exe"

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe

"C:\Users\Admin\AppData\Roaming\FortniteChecker.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
DE | 138.68.84.55:3086 |  | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
DE | 138.68.84.55:3086 |  | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp
DE | 138.68.84.55:3086 |  | tcp
US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
DE | 138.68.84.55:3086 |  | tcp
DE | 138.68.84.55:3086 |  | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
DE | 138.68.84.55:3086 |  | tcp
DE | 138.68.84.55:3086 |  | tcp
US | 8.8.8.8:53 |  | udp

Files

C:\Users\Admin\AppData\Roaming\Fortnite.exe

MD5 4bd20275a3148a44bf040367a43f6fe2
SHA1 4faa5b6fca5f3b31b00995b4372f635b1ed3a019
SHA256 98efc33ad38ab3a913716402cb445a25e5e578bdd379494c0188b30028430336
SHA512 ba5477c92038704feea1988228b25c82107f1803a3a331ba4337ae48dcdd019b6fc9f3e7fc14ace08b6637ce85ae4ad029a6d1d60ee4daac6a82c0cc1466bc66

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe

MD5 f5d8bedb9dcc17a0a356f2f3f621971e
SHA1 76ed7763602cc198be87b3eb51949f54ae9c0f9b
SHA256 355ae598c711cf98fb78b485fe2bf351233e81d5b98ffd3c81b20470182e6ebe
SHA512 ee5c55a562259481199def67fba592bfa1b524fc4eaa5c9b558f6fbb9609542b0f1a915768f79662a6b7fd2f8127c013aa2fb08a249f5bba89aafad03c9e99eb

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe.config

MD5 13ff21470b63470978e08e4933eb8e56
SHA1 3fa7077272c55e85141236d90d302975e3d14b2e
SHA256 16286566d54d81c3721f7ecf7f426d965de364e9be2f9e628d7363b684b6fe6a
SHA512 56d0e52874744df091ba8421eeda9c37854ece32a826bd251f74b88b6334df69736b8cd97104e6e7b2279ef01d2144fee100392744cc1afb7025ebbad5c307a8

memory/4456-39-0x0000000072ACE000-0x0000000072ACF000-memory.dmp

memory/768-41-0x0000000000330000-0x000000000034C000-memory.dmp

memory/4456-40-0x0000000000330000-0x0000000000352000-memory.dmp

memory/768-42-0x0000000072AC0000-0x0000000073270000-memory.dmp

memory/768-43-0x0000000005310000-0x00000000058B4000-memory.dmp

memory/4456-44-0x0000000004D80000-0x0000000004E12000-memory.dmp

memory/4456-45-0x0000000072AC0000-0x0000000073270000-memory.dmp

memory/4456-46-0x0000000004E20000-0x0000000004E2A000-memory.dmp

memory/768-47-0x0000000072AC0000-0x0000000073270000-memory.dmp

C:\Users\Admin\AppData\Roaming\CsvHelper.dll

MD5 c0b9e366d95e367ea4330187439b711b
SHA1 4674c657037b891f2f0cd3977976ef71b578b1b3
SHA256 dffad53f0349e00a1444f71465d7c66aa8758644879d9f628677d5ba8307322a
SHA512 dbd75f3f700f316eabf237235bb148e6098e9ccc313e215922f4b2f6adceea4f4dfb22f933bae6bf6c8693e9387f4dd94aedc8a650e4d8379f70038a7da2afc5

memory/768-51-0x00000000060A0000-0x00000000060C8000-memory.dmp

memory/4456-52-0x0000000072ACE000-0x0000000072ACF000-memory.dmp

memory/768-53-0x0000000072AC0000-0x0000000073270000-memory.dmp

memory/4456-54-0x0000000072AC0000-0x0000000073270000-memory.dmp