fatalrat | 0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b

General

Target

0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe
Size

796KB
MD5

33d718ac5be926a35cb3e071714f6ae5
SHA1

8c1f0ef438faadf7ae18bd5f3687bfd82373a37a
SHA256

0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b
SHA512

8da87b4652bf6bcff41da4080f9b1dd0df23830a3b278257a870ecfde2915b5e384a7e07da3de323cfae490b92fcc3633c26cdd34dff6d022b8cfcf6a1183415
SSDEEP

12288:8iCpVtxXhYqyZeM3y5x1Y92J1LhlHXRaml7luo+UdBP+z07hRLhWRQgYBY+c8iga:lCVxQt3sx2AJZhTamvdmz6cagYB9xix

Score

10^/10

fatalrat infostealer persistence rat vmprotect

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral2/memory/5024-151-0x0000000010000000-0x000000001001C000-memory.dmp	fatalrat

Executes dropped EXE 3 IoCs

Processes:

Aggregatorhost.exeAggregatorhost.exeAggregatorhost.exe

pid process

4424 Aggregatorhost.exe
5024 Aggregatorhost.exe
2232 Aggregatorhost.exe

pid	process
4424	Aggregatorhost.exe
5024	Aggregatorhost.exe
2232	Aggregatorhost.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Public\Downloads\Tencente\lmfzxn\libcef.dll	vmprotect
C:\Users\Public\Downloads\Tencente\lmfzxn\libcef.dll	vmprotect
behavioral2/memory/4424-138-0x0000000010000000-0x0000000010076000-memory.dmp	vmprotect
behavioral2/memory/4424-157-0x0000000010000000-0x0000000010076000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe

Loads dropped DLL 1 IoCs

Processes:

Aggregatorhost.exe

pid process

4424 Aggregatorhost.exe

pid	process
4424	Aggregatorhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Aggregatorhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Aggregatorhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aggregatorhost.exe = "C:\\Users\\Public\\Downloads\\Tencente\\lmfzxn\\Aggregatorhost.exe"	Aggregatorhost.exe

Drops file in System32 directory 3 IoCs

Processes:

0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Aggregatorhost.exe	0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe
File created	C:\Windows\SysWOW64\libcef.dll	0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe
File created	C:\Windows\SysWOW64\Enpud.png	0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Aggregatorhost.exe

description	pid	process	target process
PID 4424 set thread context of 5024	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4424 set thread context of 2232	4424	Aggregatorhost.exe	Aggregatorhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Aggregatorhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Aggregatorhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Aggregatorhost.exe

Modifies registry class 1 IoCs

Processes:

0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Aggregatorhost.exe

pid	process
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe
5024	Aggregatorhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Aggregatorhost.exeAggregatorhost.exe

description pid process

Token: SeDebugPrivilege 5024 Aggregatorhost.exe
Token: SeDebugPrivilege 2232 Aggregatorhost.exe

description	pid	process
Token: SeDebugPrivilege	5024	Aggregatorhost.exe
Token: SeDebugPrivilege	2232	Aggregatorhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe

pid	process
4808	0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe
4808	0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Aggregatorhost.exe0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe

description	pid	process	target process
PID 4424 wrote to memory of 5024	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4424 wrote to memory of 5024	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4424 wrote to memory of 5024	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4424 wrote to memory of 5024	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4424 wrote to memory of 5024	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4424 wrote to memory of 5024	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4424 wrote to memory of 5024	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4424 wrote to memory of 5024	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4424 wrote to memory of 2232	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4424 wrote to memory of 2232	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4424 wrote to memory of 2232	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4424 wrote to memory of 2232	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4424 wrote to memory of 2232	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4424 wrote to memory of 2232	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4424 wrote to memory of 2232	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4424 wrote to memory of 2232	4424	Aggregatorhost.exe	Aggregatorhost.exe
PID 4808 wrote to memory of 3208	4808	0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe	WScript.exe
PID 4808 wrote to memory of 3208	4808	0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe	WScript.exe
PID 4808 wrote to memory of 3208	4808	0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe
"C:\Users\Admin\AppData\Local\Temp\0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
2⤵
PID:3208

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2408

C:\Users\Public\Downloads\Tencente\lmfzxn\Aggregatorhost.exe
"C:\Users\Public\Downloads\Tencente\lmfzxn\Aggregatorhost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Public\Downloads\Tencente\lmfzxn\Aggregatorhost.exe
C:\Users\Public\Downloads\Tencente\lmfzxn\Aggregatorhost.exe
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Users\Public\Downloads\Tencente\lmfzxn\Aggregatorhost.exe
C:\Users\Public\Downloads\Tencente\lmfzxn\Aggregatorhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs
Filesize
275B

MD5
0e80256756b38f7b554ff8a605abab5c

SHA1
f86509dfe6751d47d1f623c7b7884372d297b963

SHA256
2326bffaf843da489b514d2cfa13b3efd815353e45b9eb3ac84ac32281010247

SHA512
39dacd85532603b01854632f4e32c8c8614fa17812d7148f71ed18f4488f0c734e9a682c8332f47bdda112bacfa34981e394912aa554adfbec30074282769c93

Download Submit
C:\Users\Public\Downloads\Tencente\lmfzxn\Aggregatorhost.exe
Filesize
439KB

MD5
dd9bbcda5dc4ac0be23e57b36bc3840e

SHA1
fcd4ae6f7d8660cd1a7d4da18c3ec6bbe7a5cfd6

SHA256
e9be44b199d99d7175280ec398cd59b636584226469cb9b87e2507cdddaf0ce2

SHA512
a517fde70fe501829b9d7b7a3cc61cb396c5a7d111bea2c14f9d92a9186804f4fac9a5396c57934f132d42de1b1e24186a348f6b5c868332393161474af7573f

Download Submit
C:\Users\Public\Downloads\Tencente\lmfzxn\Aggregatorhost.exe
Filesize
439KB

MD5
dd9bbcda5dc4ac0be23e57b36bc3840e

SHA1
fcd4ae6f7d8660cd1a7d4da18c3ec6bbe7a5cfd6

SHA256
e9be44b199d99d7175280ec398cd59b636584226469cb9b87e2507cdddaf0ce2

SHA512
a517fde70fe501829b9d7b7a3cc61cb396c5a7d111bea2c14f9d92a9186804f4fac9a5396c57934f132d42de1b1e24186a348f6b5c868332393161474af7573f

Download Submit
C:\Users\Public\Downloads\Tencente\lmfzxn\Aggregatorhost.exe
Filesize
439KB

MD5
dd9bbcda5dc4ac0be23e57b36bc3840e

SHA1
fcd4ae6f7d8660cd1a7d4da18c3ec6bbe7a5cfd6

SHA256
e9be44b199d99d7175280ec398cd59b636584226469cb9b87e2507cdddaf0ce2

SHA512
a517fde70fe501829b9d7b7a3cc61cb396c5a7d111bea2c14f9d92a9186804f4fac9a5396c57934f132d42de1b1e24186a348f6b5c868332393161474af7573f

Download Submit
C:\Users\Public\Downloads\Tencente\lmfzxn\Aggregatorhost.exe
Filesize
439KB

MD5
dd9bbcda5dc4ac0be23e57b36bc3840e

SHA1
fcd4ae6f7d8660cd1a7d4da18c3ec6bbe7a5cfd6

SHA256
e9be44b199d99d7175280ec398cd59b636584226469cb9b87e2507cdddaf0ce2

SHA512
a517fde70fe501829b9d7b7a3cc61cb396c5a7d111bea2c14f9d92a9186804f4fac9a5396c57934f132d42de1b1e24186a348f6b5c868332393161474af7573f

Download Submit
C:\Users\Public\Downloads\Tencente\lmfzxn\Enpud.png
Filesize
114KB

MD5
e6f7f2ca163859afca5b3468b099d152

SHA1
a15cfdf0361c36e7a58c2ee7eb722e56d75719c4

SHA256
9384ee2860d6967d153aa3f88b4e77e76c1397f908b9327ded268e0b87a5ab6d

SHA512
5c99c0e2781f8f2eeb5ad2c0e6ddd19e8fa7d8b4e0aa2bc2e3ce9c7efecd2aa1ffc93711f2323992d72ea8d84a41fcc7ae5715d44c5de47fddc630812bfb1084

Download Submit
C:\Users\Public\Downloads\Tencente\lmfzxn\libcef.dll
Filesize
196KB

MD5
7e2bce3a9a392104cd673ac7d1049fe0

SHA1
bad43a694da265194ad0b35cdf92407a3a5732bb

SHA256
6fed3b7a74baa7c34e5112b897de63289b3bdb284986ee59d35eba197b16bcbb

SHA512
4c95e193fd3d1f66008d0f1cb1d719a4ff910982dde24ccabb27dc785ebcf1193fda7afa4ed352c0dbaaaa52859b1e86df26dc592b64da5c2d3161c9d393b0f3

Download Submit
C:\Users\Public\Downloads\Tencente\lmfzxn\libcef.dll
Filesize
196KB

MD5
7e2bce3a9a392104cd673ac7d1049fe0

SHA1
bad43a694da265194ad0b35cdf92407a3a5732bb

SHA256
6fed3b7a74baa7c34e5112b897de63289b3bdb284986ee59d35eba197b16bcbb

SHA512
4c95e193fd3d1f66008d0f1cb1d719a4ff910982dde24ccabb27dc785ebcf1193fda7afa4ed352c0dbaaaa52859b1e86df26dc592b64da5c2d3161c9d393b0f3

Download Submit
memory/2232-146-0x0000000000000000-mapping.dmp

Download
memory/3208-158-0x0000000000000000-mapping.dmp

Download
memory/4424-138-0x0000000010000000-0x0000000010076000-memory.dmp

Filesize
472KB

Download
memory/4424-157-0x0000000010000000-0x0000000010076000-memory.dmp

Filesize
472KB

Download
memory/4808-132-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/4808-159-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/4808-133-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/5024-142-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5024-141-0x0000000000000000-mapping.dmp

Download
memory/5024-145-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5024-151-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads