fatalrat | 0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b | Triage

Submit
Reports

Overview

overview

Static

static

0eb4d9c7cd...7b.exe

windows7-x64

1

0eb4d9c7cd...7b.exe

windows10-2004-x64

Sharing

General

Target

0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b
Size

796KB
Sample

221126-mh78hach2z
MD5

33d718ac5be926a35cb3e071714f6ae5
SHA1

8c1f0ef438faadf7ae18bd5f3687bfd82373a37a
SHA256

0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b
SHA512

8da87b4652bf6bcff41da4080f9b1dd0df23830a3b278257a870ecfde2915b5e384a7e07da3de323cfae490b92fcc3633c26cdd34dff6d022b8cfcf6a1183415
SSDEEP

12288:8iCpVtxXhYqyZeM3y5x1Y92J1LhlHXRaml7luo+UdBP+z07hRLhWRQgYBY+c8iga:lCVxQt3sx2AJZhTamvdmz6cagYB9xix

Score

10^/10

fatalrat infostealer persistence rat vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe

Resource

win7-20221111-en

windows7-x64

1 signatures

150 seconds

Behavioral task

behavioral2

Sample

0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe

Resource

win10v2004-20220812-en

fatalrat infostealer persistence rat vmprotect

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b
- Size
  
  796KB
- MD5
  
  33d718ac5be926a35cb3e071714f6ae5
- SHA1
  
  8c1f0ef438faadf7ae18bd5f3687bfd82373a37a
- SHA256
  
  0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b
- SHA512
  
  8da87b4652bf6bcff41da4080f9b1dd0df23830a3b278257a870ecfde2915b5e384a7e07da3de323cfae490b92fcc3633c26cdd34dff6d022b8cfcf6a1183415
- SSDEEP
  
  12288:8iCpVtxXhYqyZeM3y5x1Y92J1LhlHXRaml7luo+UdBP+z07hRLhWRQgYBY+c8iga:lCVxQt3sx2AJZhTamvdmz6cagYB9xix
Score

10^/10

fatalrat infostealer persistence rat vmprotect
- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
  infostealer rat fatalrat
- Fatal Rat payload
  rat infostealer
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

fatalratinfostealerpersistenceratvmprotect

© 2018-2024

Terms | Privacy