Analysis Overview
SHA256
3bf9012b5ddf0f59083f046cc19fd42c899f71070e1d90c35820dfc23359bce9
Threat Level: Known bad
The file FortniteBurger_v2.zip was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V2
ZGRat
Zgrat family
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-18 17:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-18 17:02
Reported
2025-05-18 17:03
Platform
win10v2004-20250502-en
Max time kernel
46s
Max time network
69s
Command Line
Signatures
Detect ZGRat V2
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Zgrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\FortniteBurger_v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FortniteBurger_v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FortniteBurger_v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\FortniteBurger_v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\FortniteBurger_v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C1D39B518B07FA46034EF27E20249D54D3E5E73F | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C1D39B518B07FA46034EF27E20249D54D3E5E73F\Blob | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4072 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\FortniteBurger_v2.exe | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\FortniteBurger_v2.exe |
| PID 4072 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\FortniteBurger_v2.exe | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\FortniteBurger_v2.exe |
| PID 2044 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\FortniteBurger_v2.exe | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe |
| PID 2044 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\FortniteBurger_v2.exe | C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\FortniteBurger_v2.exe
"C:\Users\Admin\AppData\Local\Temp\FortniteBurger_v2.exe"
C:\Users\Admin\AppData\Local\FortniteBurger2\Run\FortniteBurger_v2.exe
"C:\Users\Admin\AppData\Local\FortniteBurger2\Run\FortniteBurger_v2.exe" --continue
C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe
"C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe" --continue
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | sisolutions.vip | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| DK | 93.191.156.20:443 | sisolutions.vip | tcp |
| DK | 93.191.156.20:443 | sisolutions.vip | tcp |
| DK | 93.191.156.20:443 | sisolutions.vip | tcp |
| SE | 184.31.15.193:443 | N/A | tcp |
| SE | 184.31.15.193:443 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | ssl.google-analytics.com | udp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| N/A | 127.0.0.1:8096 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| N/A | 127.0.0.1:8096 | N/A | tcp |
| N/A | 127.0.0.1:8096 | N/A | tcp |
| N/A | 127.0.0.1:8096 | N/A | tcp |
| N/A | 127.0.0.1:8096 | N/A | tcp |
| N/A | 127.0.0.1:8096 | N/A | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
memory/4072-57-0x00007FFF6CB0B000-0x00007FFF6CB0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.net\FortniteBurger_v2\jG4I8EjH2Uht_bQwKhDNlmHg04VYWFo=\svchost.dll
| MD5 | d34da837298440c94597fc11e35d8eac |
| SHA1 | 074c8a4eebaff81019bce8eb5f25efdc54d7400c |
| SHA256 | e0b0c4da536b40be97aa04da748bc64b28c19ef7898f053c8e9f07db9fd7559a |
| SHA512 | bdf5ce3e07118773aaa7d6ff75ac3c5e71263e612da3c691d25d225f66a16fd8f8089d41a466e04e5677b1288ee4b1719eb200f5ed5c5c1dc05c49a59561b501 |
C:\Users\Admin\AppData\Local\FortniteBurger2\Run\FortniteBurger_v2.exe
| MD5 | e1727f481fd66463ed281daaeeaf675b |
| SHA1 | 641e44acf38b4272f2d37a824c9764fe1310b3fc |
| SHA256 | 7ab735a88ae95c23810f69d18ee078a19de1894d3beb1e2a512e0688d21c43bc |
| SHA512 | 23504a336dff888eeb9fd84d85dcf7ee434c41db8eec701473f06df06a62683a947d836b81f7a8de923b682cac769a2566870392ae5b834b9a48cb20e35e95e8 |
memory/2044-69-0x00007FFF6C9B0000-0x00007FFF6CEAE000-memory.dmp
C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe
| MD5 | 17811026ab6ada96515b958286d69eaf |
| SHA1 | c133865230d9d670edeee90688c49d577a38c6a5 |
| SHA256 | a1e6277d87881c2109438af85fa21ff12c399c0b8b3c54b06f742ae3c51db938 |
| SHA512 | cbbb56e1bc29fc7b6d59d10aedbcda5697c408f39166ef874d991f1b8edbd8ad2efcc1bed147656589edec6abb6deb4b606c1b7fa45355b26425c565ba141a46 |
memory/2044-132-0x00007FFF6C9B0000-0x00007FFF6CEAE000-memory.dmp
C:\Users\Admin\AppData\Local\FortniteBurger2\Profiles\MarketWithPerks.json
| MD5 | 84e6bd98e70d333ea1186bf123930781 |
| SHA1 | a4eb740e713cfe5650ce2b86c1b4b219822d19df |
| SHA256 | 5cf88cff4dfcce99457e26bb87d4e1e885747d7e54ee24df2e731b79893be388 |
| SHA512 | 54aa8a7bf4be7cad3e5e1c67ed9f6403592382b45ebe75b7898687b2818921d7fc0e97de69041265c864172590f3175ac9e1ced81c0ab9fbd7abef601b7bc0f6 |
memory/4420-171-0x00007FFF6C47B000-0x00007FFF6C47C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp1558.tmp
| MD5 | 3cd6a58a453dce2cf18c22e58e16ab57 |
| SHA1 | 99f5a00d4b9add52100602e1bad473c5c81bde1f |
| SHA256 | 92bfcd9bcdd45a4ea4e0e9f58e83503854c5e681ccd19d1c0e4529f33091bf6e |
| SHA512 | 661b009954226062e0079dacddc3132ab6f13ed91a00f9d1482930e78a24feb0c51add77c71749b765612fe2735ed5b5c41d004c8cc397a4cec0eefb5a8ce5cd |
C:\Users\Admin\AppData\Local\Temp\Tmp2595.tmp
| MD5 | 2cb51f0857e95ad6fe402ae7cb23b6d7 |
| SHA1 | 9d2eedc7403c9c13c2ceb40bc821d83265219d81 |
| SHA256 | fe39523c06c8e5a6d0a8a489f2b3f051f4e665200b264168c28339f6938820d5 |
| SHA512 | ee893dd1d3e576be0b1a76ad7ccc2ab10ad2e3cab8c82ac8248d855cac062864a0dc1dd7940f9bb50250d995e103ea6daf5050a484f6967cd184117a6eaf20cc |