fatalrat | 86a1d63a26d15531238d62e231261dc73d3a1a1342bd037630890332d0bcdab5

Resubmissions

03-07-2021 10:50

210703-jh2cb389k6 10

01-07-2021 14:19

210701-xnbfc8bzks 10

Analysis

max time kernel
330s
max time network
1790s
platform
windows10_x64
resource
win10v20210410
submitted
03-07-2021 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe
Size

622KB
MD5

d96987f5e2f64b880cfb3a7de05ff0ef
SHA1

edd15437be63392c7cd332919c332029a2240dd0
SHA256

2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4
SHA512

226329ad4d9684a0ef0cfdb80450f9006a9d0f88007b3f31d4bfa6f258c94fdc06262f560327511acb49847729875ee9e80f327f32f9b23a75ec0eb1ffa6090b

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat Payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/3948-114-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat
behavioral2/memory/1220-119-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

pid	Process
1220	Vwxyab.exe
1780	Vwxyab.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Vwxyab.exe	2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe
File opened for modification	C:\Windows\Vwxyab.exe	2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe
File opened for modification	C:\Windows\Vwxyab.exe	Vwxyab.exe
File created	C:\Windows\Vwxyab.exe	Vwxyab.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Vwxyab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Vwxyab.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	Vwxyab.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services	Vwxyab.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Vwxyab Defghijk\InstallTime = "2021-07-03 10:53"	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Vwxyab.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Vwxyab Defghijk	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Vwxyab Defghijk	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	Vwxyab.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Vwxyab Defghijk\Group = "Fatal"	Vwxyab.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Vwxyab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe
1780	Vwxyab.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3948	2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe
Token: SeDebugPrivilege	1220	Vwxyab.exe
Token: SeDebugPrivilege	1780	Vwxyab.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1780	1220	Vwxyab.exe	75
PID 1220 wrote to memory of 1780	1220	Vwxyab.exe	75
PID 1220 wrote to memory of 1780	1220	Vwxyab.exe	75

C:\Users\Admin\AppData\Local\Temp\2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe
"C:\Users\Admin\AppData\Local\Temp\2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\Vwxyab.exe
C:\Windows\Vwxyab.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\Vwxyab.exe
  C:\Windows\Vwxyab.exe Win7
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-119-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/3948-114-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download