Analysis
-
max time kernel
61s -
max time network
101s -
platform
windows11-21h2_x64 -
resource
win11-20250502-en -
resource tags
arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted
18/05/2025, 17:04
Static task
static1
Behavioral task
behavioral1
Sample
FortniteBurger_v2.exe
Resource
win10v2004-20250502-en
General
-
Target
FortniteBurger_v2.exe
-
Size
12.1MB
-
MD5
e1727f481fd66463ed281daaeeaf675b
-
SHA1
641e44acf38b4272f2d37a824c9764fe1310b3fc
-
SHA256
7ab735a88ae95c23810f69d18ee078a19de1894d3beb1e2a512e0688d21c43bc
-
SHA512
23504a336dff888eeb9fd84d85dcf7ee434c41db8eec701473f06df06a62683a947d836b81f7a8de923b682cac769a2566870392ae5b834b9a48cb20e35e95e8
-
SSDEEP
98304:6ls29qm/Y3mDDDy/WTAjM7iHbaldePP84H+4jcFYT1iJFz8tgPv:6lZA3mDDDy/WTALOg8o+9qpiJFz8tgv
Malware Config
Signatures
-
Detect ZGRat V2 1 IoCs
resource                                      yara_rule
behavioral2/files/0x001900000002b0f0-58.dat   family_zgrat_v2
Zgrat family
-
Executes dropped EXE 2 IoCs
pid   Process
6036  FortniteBurger_v2.exe
3972  2403bb5a8f8f4d16bd8051d7d0404996.exe
Loads dropped DLL 6 IoCs
pid   Process                               count
2692  FortniteBurger_v2.exe                 2
6036  FortniteBurger_v2.exe                 2
3972  2403bb5a8f8f4d16bd8051d7d0404996.exe  2
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow  ioc
1     raw.githubusercontent.com
2     raw.githubusercontent.com
3     raw.githubusercontent.com
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid   Process                               count
3972  2403bb5a8f8f4d16bd8051d7d0404996.exe  7
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process                               count
3972  2403bb5a8f8f4d16bd8051d7d0404996.exe  2
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  3972  2403bb5a8f8f4d16bd8051d7d0404996.exe
Suspicious use of FindShellTrayWindow 4 IoCs
pid   Process                               count
3972  2403bb5a8f8f4d16bd8051d7d0404996.exe  4
Suspicious use of SendNotifyMessage 4 IoCs
pid   Process                               count
3972  2403bb5a8f8f4d16bd8051d7d0404996.exe  4
Suspicious use of WriteProcessMemory 4 IoCs
description                       pid   Process                procid_target  count
PID 2692 wrote to memory of 6036  2692  FortniteBurger_v2.exe  78             2
PID 6036 wrote to memory of 3972  6036  FortniteBurger_v2.exe  79             2
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\FortniteBurger_v2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\FortniteBurger_v2.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
Depth 2: C:\Users\Admin\AppData\Local\FortniteBurger2\Run\FortniteBurger_v2.exe
Command line: "C:\Users\Admin\AppData\Local\FortniteBurger2\Run\FortniteBurger_v2.exe" --continue
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:6036 -
Depth 3: C:\Users\Admin\AppData\Local\FortniteBurger2\Run\2403bb5a8f8f4d16bd8051d7d0404996.exe
Command line: "C:\Users\Admin\AppData\Local\FortniteBurger2\Run\2403bb5a8f8f4d16bd8051d7d0404996.exe" --continue
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3972
-
-
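The process tree and the WriteProcessMemory events above describe a three-stage chain: the submitted file in Temp starts a copy of itself from a folder under %LOCALAPPDATA% with --continue, and that copy starts a hex-named executable from the same folder. The Python below is an added example, not part of the sandbox report: it rebuilds the chain from the report's own event lines (transcribed verbatim, including the duplicated rows) and applies three heuristics to each stage. The heuristics (hex-digit image name, execution from a non-Temp %LOCALAPPDATA% folder, a process re-launching its parent's image from a different directory, plus the --continue flag) are this example's assumptions for hunting, not signatures the sandbox applied.

```python
"""Rebuild the process chain from the report's WriteProcessMemory rows.

Added example, not part of the sandbox report. EVENTS and PROCESSES are
transcribed from the report; the rules in suspicious_reasons() are this
example's own hunting assumptions, not sandbox signatures.
"""
import re

# Verbatim rows from "Suspicious use of WriteProcessMemory" (duplicates kept).
EVENTS = """\
PID 2692 wrote to memory of 6036 2692 FortniteBurger_v2.exe 78
PID 2692 wrote to memory of 6036 2692 FortniteBurger_v2.exe 78
PID 6036 wrote to memory of 3972 6036 FortniteBurger_v2.exe 79
PID 6036 wrote to memory of 3972 6036 FortniteBurger_v2.exe 79
"""

# Command lines from the report's process tree, keyed by PID.
PROCESSES = {
    2692: r'"C:\Users\Admin\AppData\Local\Temp\FortniteBurger_v2.exe"',
    6036: r'"C:\Users\Admin\AppData\Local\FortniteBurger2\Run\FortniteBurger_v2.exe" --continue',
    3972: r'"C:\Users\Admin\AppData\Local\FortniteBurger2\Run\2403bb5a8f8f4d16bd8051d7d0404996.exe" --continue',
}

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")
CMD_RE = re.compile(r'^"([^"]+)"\s*(.*)$')
HEX_NAME_RE = re.compile(r"^[0-9a-f]{32}\.exe$", re.I)
LOCALAPPDATA_NOT_TEMP_RE = re.compile(r"\\AppData\\Local\\(?!Temp\\)", re.I)


def parse_write_events(text):
    """Return de-duplicated (parent_pid, child_pid, parent_image) edges in order seen."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a WriteProcessMemory row
        edge = (int(m.group(1)), int(m.group(2)), m.group(3))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def lineage_paths(edges, root):
    """All root-to-leaf PID paths; works for branching trees, not only chains."""
    children = {}
    for parent, child, _ in edges:
        children.setdefault(parent, []).append(child)
    paths = []

    def walk(pid, path):
        if pid not in children:
            paths.append(path)
            return
        for child in children[pid]:
            walk(child, path + [child])

    walk(root, [root])
    return paths


def split_cmdline(cmdline):
    """Split a Windows command line of the form "<image>" <args> into (image, args)."""
    m = CMD_RE.match(cmdline)
    return (m.group(1), m.group(2).strip()) if m else (cmdline, "")


def suspicious_reasons(cmdline, parent_cmdline=None):
    """Heuristic flags for one stage (assumptions of this example, see lead-in)."""
    image, args = split_cmdline(cmdline)
    name = image.rsplit("\\", 1)[-1]
    reasons = []
    if HEX_NAME_RE.match(name):
        reasons.append("image name is a 32-hex-digit string")
    if LOCALAPPDATA_NOT_TEMP_RE.search(image):
        reasons.append("executes from a non-Temp folder under %LOCALAPPDATA%")
    if parent_cmdline:
        parent_image, _ = split_cmdline(parent_cmdline)
        parent_name = parent_image.rsplit("\\", 1)[-1]
        if parent_name.lower() == name.lower() and parent_image.lower() != image.lower():
            reasons.append("re-launches its parent's image from a different directory")
    if "--continue" in args.split():
        reasons.append("passes --continue (hand-off flag seen in the report)")
    return reasons


def analyse(events_text, processes, root):
    """One record per stage on each lineage path: depth, pid, command line, reasons."""
    report = []
    for path in lineage_paths(parse_write_events(events_text), root):
        for depth, pid in enumerate(path):
            parent = processes.get(path[depth - 1]) if depth else None
            report.append({"depth": depth + 1, "pid": pid, "cmdline": processes[pid],
                           "reasons": suspicious_reasons(processes[pid], parent)})
    return report


if __name__ == "__main__":
    for stage in analyse(EVENTS, PROCESSES, 2692):
        print(f"[{stage['depth']}] PID {stage['pid']}: {stage['cmdline']}")
        for reason in stage["reasons"]:
            print("     -", reason)
```

On the report's data the Temp-stage process gets no flags while both %LOCALAPPDATA% stages get three each, which is the pattern worth converting into a process-creation rule (image under AppData\Local outside Temp, parent image with the same file name from Temp, or a 32-hex-digit image name) rather than alerting on the file name FortniteBurger_v2.exe, which the operator can change at will.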
Downloads
-
Filesize
926KB
MD5
a8a705381e73bc7beba7532818e2767b
SHA1
386b8e6b4dae114414ba91e44c346275864ae6b6
SHA256
796242d7cddd0c96e1c05f93406ec5c84d80033b97b4e02da5526a98fb9c0808
SHA512
7645e7e642c48c19e73c84f2bcdd5b1ad6f29f280369baa26363a217a0dd9bd6db890e73a166fc1a66983b210a32b94971c22301605ce04e7e52f476b80d793c
-
Filesize
12.1MB
MD5
5a16b8338fe420c587114c6f877d80cf
SHA1
e7e8506e12b50fdc80831fbca2d0e47262a3c058
SHA256
ad9a50e9f323843ffed7af90be9f7398b785325d39e1fcf6a2d2f7eadc62b44d
SHA512
f2daefdb9b8fc61098bdf500cf986a88d96894a2c0e98af1a3b15989baeed49beff46b9867c49aa2b3b4ea0204080d907986822b79810487c4867bef52fe3137
-
Filesize
12.1MB (same hashes as the submitted sample in the General section)
MD5
e1727f481fd66463ed281daaeeaf675b
SHA1
641e44acf38b4272f2d37a824c9764fe1310b3fc
SHA256
7ab735a88ae95c23810f69d18ee078a19de1894d3beb1e2a512e0688d21c43bc
SHA512
23504a336dff888eeb9fd84d85dcf7ee434c41db8eec701473f06df06a62683a947d836b81f7a8de923b682cac769a2566870392ae5b834b9a48cb20e35e95e8
-
C:\Users\Admin\AppData\Local\Temp\.net\FortniteBurger_v2\jG4I8EjH2Uht_bQwKhDNlmHg04VYWFo=\svchost.dll
Filesize
522KB
MD5
d34da837298440c94597fc11e35d8eac
SHA1
074c8a4eebaff81019bce8eb5f25efdc54d7400c
SHA256
e0b0c4da536b40be97aa04da748bc64b28c19ef7898f053c8e9f07db9fd7559a
SHA512
bdf5ce3e07118773aaa7d6ff75ac3c5e71263e612da3c691d25d225f66a16fd8f8089d41a466e04e5677b1288ee4b1719eb200f5ed5c5c1dc05c49a59561b501
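The hashes in the General section and the Downloads list are only useful if they can be matched without transcription mistakes. The Python below is an added example, not part of the sandbox report: it carries the report's MD5/SHA1/SHA256/SHA512 values verbatim, checks that each one is well-formed for its algorithm, and matches a file or byte string against the list on all four algorithms at once, reporting a partial match separately so a single mistyped digest does not silently hide a hit. The two Downloads entries without a filename on the page are labelled by size only; the third Downloads entry repeats the submitted sample's hashes and is listed once. The self-test input is constructed bytes, not a real artifact.

```python
"""Match files against the hashes listed in this report.

Added example (not part of the sandbox report). REPORT_IOCS is transcribed
verbatim from the report's General section and Downloads list; the page gives
no filename for two Downloads entries, so they are labelled by size only.
"""
import hashlib
import re

HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

REPORT_IOCS = [
    {"label": "FortniteBurger_v2.exe (submitted sample, 12.1MB; also Downloads entry 3)",
     "md5": "e1727f481fd66463ed281daaeeaf675b",
     "sha1": "641e44acf38b4272f2d37a824c9764fe1310b3fc",
     "sha256": "7ab735a88ae95c23810f69d18ee078a19de1894d3beb1e2a512e0688d21c43bc",
     "sha512": "23504a336dff888eeb9fd84d85dcf7ee434c41db8eec701473f06df06a62683a"
               "947d836b81f7a8de923b682cac769a2566870392ae5b834b9a48cb20e35e95e8"},
    {"label": "Downloads entry 1 (926KB, no filename on the page)",
     "md5": "a8a705381e73bc7beba7532818e2767b",
     "sha1": "386b8e6b4dae114414ba91e44c346275864ae6b6",
     "sha256": "796242d7cddd0c96e1c05f93406ec5c84d80033b97b4e02da5526a98fb9c0808",
     "sha512": "7645e7e642c48c19e73c84f2bcdd5b1ad6f29f280369baa26363a217a0dd9bd6"
               "db890e73a166fc1a66983b210a32b94971c22301605ce04e7e52f476b80d793c"},
    {"label": "Downloads entry 2 (12.1MB, no filename on the page)",
     "md5": "5a16b8338fe420c587114c6f877d80cf",
     "sha1": "e7e8506e12b50fdc80831fbca2d0e47262a3c058",
     "sha256": "ad9a50e9f323843ffed7af90be9f7398b785325d39e1fcf6a2d2f7eadc62b44d",
     "sha512": "f2daefdb9b8fc61098bdf500cf986a88d96894a2c0e98af1a3b15989baeed49b"
               "eff46b9867c49aa2b3b4ea0204080d907986822b79810487c4867bef52fe3137"},
    {"label": r"Temp\.net\FortniteBurger_v2\...\svchost.dll (522KB)",
     "md5": "d34da837298440c94597fc11e35d8eac",
     "sha1": "074c8a4eebaff81019bce8eb5f25efdc54d7400c",
     "sha256": "e0b0c4da536b40be97aa04da748bc64b28c19ef7898f053c8e9f07db9fd7559a",
     "sha512": "bdf5ce3e07118773aaa7d6ff75ac3c5e71263e612da3c691d25d225f66a16fd8"
               "f8089d41a466e04e5677b1288ee4b1719eb200f5ed5c5c1dc05c49a59561b501"},
]


def validate_entry(entry):
    """Return the problems with a transcribed entry (empty list means well-formed)."""
    problems = []
    for algo, length in HEX_LENGTHS.items():
        value = entry.get(algo)
        if value is None:
            problems.append(f"{algo}: missing")
        elif not re.fullmatch(r"[0-9a-f]{%d}" % length, value):
            problems.append(f"{algo}: expected {length} lowercase hex digits, got {value!r}")
    return problems


def hash_bytes(data):
    """All four digests of an in-memory blob, keyed by algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HEX_LENGTHS}


def hash_file(path, chunk_size=1 << 20):
    """All four digests of a file, read in chunks so 12MB samples do not sit in RAM."""
    hashers = {algo: hashlib.new(algo) for algo in HEX_LENGTHS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_iocs(digests, iocs=REPORT_IOCS):
    """Return (full_matches, partial_matches).

    full_matches: labels whose four digests all equal the input's digests.
    partial_matches: (label, [algorithms that matched]) where only some did,
    which almost always means a transcription error in one of the hashes.
    """
    full, partial = [], []
    for entry in iocs:
        hits = [algo for algo in HEX_LENGTHS if entry[algo] == digests[algo]]
        if len(hits) == len(HEX_LENGTHS):
            full.append(entry["label"])
        elif hits:
            partial.append((entry["label"], hits))
    return full, partial


if __name__ == "__main__":
    import sys
    for entry in REPORT_IOCS:
        for problem in validate_entry(entry):
            print(f"bad IOC {entry['label']}: {problem}")
    for path in sys.argv[1:]:
        full, partial = match_iocs(hash_file(path))
        print(path, "FULL MATCH:", full, "PARTIAL:", partial)
```

Run it with one or more file paths; a partial match is worth a look before dismissing the file, since a single wrong digit in an IOC feed otherwise turns a true hit into a miss.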