Malware Analysis Report

2025-05-28 17:20

Sample ID 250518-vkblbahp9w
Target FortniteBurger_v2.zip
SHA256 3bf9012b5ddf0f59083f046cc19fd42c899f71070e1d90c35820dfc23359bce9
Tags
zgrat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3bf9012b5ddf0f59083f046cc19fd42c899f71070e1d90c35820dfc23359bce9

Threat Level: Known bad

The file FortniteBurger_v2.zip was found to be: Known bad.

Malicious Activity Summary

zgrat rat

Detect ZGRat V2

ZGRat

Zgrat family

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-18 17:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 17:02

Reported

2025-05-18 17:03

Platform

win10v2004-20250502-en

Max time kernel

46s

Max time network

69s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FortniteBurger_v2.exe"

Signatures

Detect ZGRat V2

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Zgrat family

zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C1D39B518B07FA46034EF27E20249D54D3E5E73F C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C1D39B518B07FA46034EF27E20249D54D3E5E73F\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FortniteBurger_v2.exe

"C:\Users\Admin\AppData\Local\Temp\FortniteBurger_v2.exe"

C:\Users\Admin\AppData\Local\FortniteBurger2\Run\FortniteBurger_v2.exe

"C:\Users\Admin\AppData\Local\FortniteBurger2\Run\FortniteBurger_v2.exe" --continue

C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe

"C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe" --continue

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 sisolutions.vip udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
DK 93.191.156.20:443 sisolutions.vip tcp
DK 93.191.156.20:443 sisolutions.vip tcp
DK 93.191.156.20:443 sisolutions.vip tcp
SE 184.31.15.193:443 tcp
SE 184.31.15.193:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
N/A 127.0.0.1:8096 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:8096 tcp
N/A 127.0.0.1:8096 tcp
N/A 127.0.0.1:8096 tcp
N/A 127.0.0.1:8096 tcp
N/A 127.0.0.1:8096 tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

memory/4072-57-0x00007FFF6CB0B000-0x00007FFF6CB0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.net\FortniteBurger_v2\jG4I8EjH2Uht_bQwKhDNlmHg04VYWFo=\svchost.dll

MD5 d34da837298440c94597fc11e35d8eac
SHA1 074c8a4eebaff81019bce8eb5f25efdc54d7400c
SHA256 e0b0c4da536b40be97aa04da748bc64b28c19ef7898f053c8e9f07db9fd7559a
SHA512 bdf5ce3e07118773aaa7d6ff75ac3c5e71263e612da3c691d25d225f66a16fd8f8089d41a466e04e5677b1288ee4b1719eb200f5ed5c5c1dc05c49a59561b501

C:\Users\Admin\AppData\Local\FortniteBurger2\Run\FortniteBurger_v2.exe

MD5 e1727f481fd66463ed281daaeeaf675b
SHA1 641e44acf38b4272f2d37a824c9764fe1310b3fc
SHA256 7ab735a88ae95c23810f69d18ee078a19de1894d3beb1e2a512e0688d21c43bc
SHA512 23504a336dff888eeb9fd84d85dcf7ee434c41db8eec701473f06df06a62683a947d836b81f7a8de923b682cac769a2566870392ae5b834b9a48cb20e35e95e8

memory/2044-69-0x00007FFF6C9B0000-0x00007FFF6CEAE000-memory.dmp

C:\Users\Admin\AppData\Local\FortniteBurger2\Run\bcc73083789d4ef3911062cf77f0f0f6.exe

MD5 17811026ab6ada96515b958286d69eaf
SHA1 c133865230d9d670edeee90688c49d577a38c6a5
SHA256 a1e6277d87881c2109438af85fa21ff12c399c0b8b3c54b06f742ae3c51db938
SHA512 cbbb56e1bc29fc7b6d59d10aedbcda5697c408f39166ef874d991f1b8edbd8ad2efcc1bed147656589edec6abb6deb4b606c1b7fa45355b26425c565ba141a46

memory/2044-132-0x00007FFF6C9B0000-0x00007FFF6CEAE000-memory.dmp

C:\Users\Admin\AppData\Local\FortniteBurger2\Profiles\MarketWithPerks.json

MD5 84e6bd98e70d333ea1186bf123930781
SHA1 a4eb740e713cfe5650ce2b86c1b4b219822d19df
SHA256 5cf88cff4dfcce99457e26bb87d4e1e885747d7e54ee24df2e731b79893be388
SHA512 54aa8a7bf4be7cad3e5e1c67ed9f6403592382b45ebe75b7898687b2818921d7fc0e97de69041265c864172590f3175ac9e1ced81c0ab9fbd7abef601b7bc0f6

memory/4420-171-0x00007FFF6C47B000-0x00007FFF6C47C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp1558.tmp

MD5 3cd6a58a453dce2cf18c22e58e16ab57
SHA1 99f5a00d4b9add52100602e1bad473c5c81bde1f
SHA256 92bfcd9bcdd45a4ea4e0e9f58e83503854c5e681ccd19d1c0e4529f33091bf6e
SHA512 661b009954226062e0079dacddc3132ab6f13ed91a00f9d1482930e78a24feb0c51add77c71749b765612fe2735ed5b5c41d004c8cc397a4cec0eefb5a8ce5cd

C:\Users\Admin\AppData\Local\Temp\Tmp2595.tmp

MD5 2cb51f0857e95ad6fe402ae7cb23b6d7
SHA1 9d2eedc7403c9c13c2ceb40bc821d83265219d81
SHA256 fe39523c06c8e5a6d0a8a489f2b3f051f4e665200b264168c28339f6938820d5
SHA512 ee893dd1d3e576be0b1a76ad7ccc2ab10ad2e3cab8c82ac8248d855cac062864a0dc1dd7940f9bb50250d995e103ea6daf5050a484f6967cd184117a6eaf20cc