Resubmissions

17-11-2024 21:13

241117-z2qh1sxqhv 10

17-11-2024 21:12

241117-z2agssxqgw 8

General

  • Target

    fortnite.exe

  • Size

    1.2MB

  • Sample

    241117-z2qh1sxqhv

  • MD5

    36f5b50cb7cf5c1eb050ce5bb6357519

  • SHA1

    ffc7f0f226809fc0a8e14f40dff4f39de8eea0bf

  • SHA256

    ec3e0efe8027c3aabae9ccd394fc40c87c8a6a0ff563730c8796abc31202c26b

  • SHA512

    64291ce8e927281d205706ccfe8fa22580c82ff060e479c2206158e14ab0a2f40d9498cb063038505ab32135513893406922ef488dfa1bb3998cc49fe8a4550e

  • SSDEEP

    24576:5xbn0OetgzfnkuGKFI+lpC+bKlAtc064:0p2n2Gz

Targets

    • Target

      fortnite.exe

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Drops file in System32 directory
