General
-
Target
fortnite.exe
-
Size
1.2MB
-
Sample
241117-xlp67svrew
-
MD5
4ce2034a29fa1119013b35414ac146c8
-
SHA1
1bc3b7ff47f254f3058f8030e7081d48e762b1fc
-
SHA256
01d4438ab4eb34157102cef468aeafe178500b30a557efb0a14bcf117e7eeb8f
-
SHA512
9ff48316eff7b1cf2317ce9c363b596a42100c0f2ff3c17f06c3efe8f3f4b8de93072f594c4dfc7f7cdbf9b4c768643448141ca78bab4db28122f88d3ad64e27
-
SSDEEP
24576:zMbpm9Z/zQfnkuGKF7rlpC+bKlAtc06Du:PrQnIGz
Static task
static1
Malware Config
Targets
-
-
Target
fortnite.exe
-
Size
1.2MB
-
MD5
4ce2034a29fa1119013b35414ac146c8
-
SHA1
1bc3b7ff47f254f3058f8030e7081d48e762b1fc
-
SHA256
01d4438ab4eb34157102cef468aeafe178500b30a557efb0a14bcf117e7eeb8f
-
SHA512
9ff48316eff7b1cf2317ce9c363b596a42100c0f2ff3c17f06c3efe8f3f4b8de93072f594c4dfc7f7cdbf9b4c768643448141ca78bab4db28122f88d3ad64e27
-
SSDEEP
24576:zMbpm9Z/zQfnkuGKF7rlpC+bKlAtc06Du:PrQnIGz
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1