Analysis
-
max time kernel
148s -
max time network
204s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
26-11-2022 10:29
General
-
Target
0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe
-
Size
796KB
-
MD5
33d718ac5be926a35cb3e071714f6ae5
-
SHA1
8c1f0ef438faadf7ae18bd5f3687bfd82373a37a
-
SHA256
0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b
-
SHA512
8da87b4652bf6bcff41da4080f9b1dd0df23830a3b278257a870ecfde2915b5e384a7e07da3de323cfae490b92fcc3633c26cdd34dff6d022b8cfcf6a1183415
-
SSDEEP
12288:8iCpVtxXhYqyZeM3y5x1Y92J1LhlHXRaml7luo+UdBP+z07hRLhWRQgYBY+c8iga:lCVxQt3sx2AJZhTamvdmz6cagYB9xix
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload 1 IoCs
-
Executes dropped EXE 3 IoCs
-
VMProtect packed file 4 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe"C:\Users\Admin\AppData\Local\Temp\0eb4d9c7cd03194dbf3a720ff95f5ca37701ea0e5b883eaf1c1aa4a4b5ccd57b.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"2⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Public\Downloads\Tencente\lmfzxn\Aggregatorhost.exe"C:\Users\Public\Downloads\Tencente\lmfzxn\Aggregatorhost.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Downloads\Tencente\lmfzxn\Aggregatorhost.exeC:\Users\Public\Downloads\Tencente\lmfzxn\Aggregatorhost.exe2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\Downloads\Tencente\lmfzxn\Aggregatorhost.exeC:\Users\Public\Downloads\Tencente\lmfzxn\Aggregatorhost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
275B
MD50e80256756b38f7b554ff8a605abab5c
SHA1f86509dfe6751d47d1f623c7b7884372d297b963
SHA2562326bffaf843da489b514d2cfa13b3efd815353e45b9eb3ac84ac32281010247
SHA51239dacd85532603b01854632f4e32c8c8614fa17812d7148f71ed18f4488f0c734e9a682c8332f47bdda112bacfa34981e394912aa554adfbec30074282769c93
-
Filesize
439KB
MD5dd9bbcda5dc4ac0be23e57b36bc3840e
SHA1fcd4ae6f7d8660cd1a7d4da18c3ec6bbe7a5cfd6
SHA256e9be44b199d99d7175280ec398cd59b636584226469cb9b87e2507cdddaf0ce2
SHA512a517fde70fe501829b9d7b7a3cc61cb396c5a7d111bea2c14f9d92a9186804f4fac9a5396c57934f132d42de1b1e24186a348f6b5c868332393161474af7573f
-
Filesize
439KB
MD5dd9bbcda5dc4ac0be23e57b36bc3840e
SHA1fcd4ae6f7d8660cd1a7d4da18c3ec6bbe7a5cfd6
SHA256e9be44b199d99d7175280ec398cd59b636584226469cb9b87e2507cdddaf0ce2
SHA512a517fde70fe501829b9d7b7a3cc61cb396c5a7d111bea2c14f9d92a9186804f4fac9a5396c57934f132d42de1b1e24186a348f6b5c868332393161474af7573f
-
Filesize
439KB
MD5dd9bbcda5dc4ac0be23e57b36bc3840e
SHA1fcd4ae6f7d8660cd1a7d4da18c3ec6bbe7a5cfd6
SHA256e9be44b199d99d7175280ec398cd59b636584226469cb9b87e2507cdddaf0ce2
SHA512a517fde70fe501829b9d7b7a3cc61cb396c5a7d111bea2c14f9d92a9186804f4fac9a5396c57934f132d42de1b1e24186a348f6b5c868332393161474af7573f
-
Filesize
439KB
MD5dd9bbcda5dc4ac0be23e57b36bc3840e
SHA1fcd4ae6f7d8660cd1a7d4da18c3ec6bbe7a5cfd6
SHA256e9be44b199d99d7175280ec398cd59b636584226469cb9b87e2507cdddaf0ce2
SHA512a517fde70fe501829b9d7b7a3cc61cb396c5a7d111bea2c14f9d92a9186804f4fac9a5396c57934f132d42de1b1e24186a348f6b5c868332393161474af7573f
-
Filesize
114KB
MD5e6f7f2ca163859afca5b3468b099d152
SHA1a15cfdf0361c36e7a58c2ee7eb722e56d75719c4
SHA2569384ee2860d6967d153aa3f88b4e77e76c1397f908b9327ded268e0b87a5ab6d
SHA5125c99c0e2781f8f2eeb5ad2c0e6ddd19e8fa7d8b4e0aa2bc2e3ce9c7efecd2aa1ffc93711f2323992d72ea8d84a41fcc7ae5715d44c5de47fddc630812bfb1084
-
Filesize
196KB
MD57e2bce3a9a392104cd673ac7d1049fe0
SHA1bad43a694da265194ad0b35cdf92407a3a5732bb
SHA2566fed3b7a74baa7c34e5112b897de63289b3bdb284986ee59d35eba197b16bcbb
SHA5124c95e193fd3d1f66008d0f1cb1d719a4ff910982dde24ccabb27dc785ebcf1193fda7afa4ed352c0dbaaaa52859b1e86df26dc592b64da5c2d3161c9d393b0f3
-
Filesize
196KB
MD57e2bce3a9a392104cd673ac7d1049fe0
SHA1bad43a694da265194ad0b35cdf92407a3a5732bb
SHA2566fed3b7a74baa7c34e5112b897de63289b3bdb284986ee59d35eba197b16bcbb
SHA5124c95e193fd3d1f66008d0f1cb1d719a4ff910982dde24ccabb27dc785ebcf1193fda7afa4ed352c0dbaaaa52859b1e86df26dc592b64da5c2d3161c9d393b0f3
-
-
-
Filesize
472KB
-
Filesize
472KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
144KB
-
-
Filesize
144KB
-
Filesize
112KB
