fatalrat | b836e32aa5e2dbb9b4e0eddceb16368d49141f0b6121155dcc9a265cae190b61

Analysis

max time kernel
31s
max time network
148s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
16-12-2022 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b836e32aa5e2dbb9b4e0eddceb16368d49141f0b6121155dcc9a265cae190b61.exe
Size

14KB
MD5

21d7012f9c6415a9bc619e8109eb6ed0
SHA1

d0d3005f658cf68f6c31193afc40efed39575687
SHA256

b836e32aa5e2dbb9b4e0eddceb16368d49141f0b6121155dcc9a265cae190b61
SHA512

e585f31fb29e799f4e1b77eb2b539f424e0ff17d4c1bade99be926a45d2ee300df086271d8391e9cb5b6e8b8ba34ca6e0752997d049d178cc3f5429f449bc92b
SSDEEP

384:zpHp2Eu6+DOUW7GaAxLr6+Y9PffPzoWWX8:zpHpe6NUW7GdxybProo

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/1956-68-0x0000000010000000-0x0000000010028000-memory.dmp	fatalrat
behavioral1/memory/1956-71-0x0000000001F20000-0x000000000207C000-memory.dmp	fatalrat

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1956	11-22-19-03.exe
1668	JIkhh.exe

Loads dropped DLL 3 IoCs

pid	Process
1856	cmd.exe
1856	cmd.exe
240	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	11-22-19-03.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	11-22-19-03.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1668	JIkhh.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe
1956	11-22-19-03.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	JIkhh.exe
Token: SeDebugPrivilege	1668	JIkhh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1956	11-22-19-03.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1856	624	b836e32aa5e2dbb9b4e0eddceb16368d49141f0b6121155dcc9a265cae190b61.exe	30
PID 624 wrote to memory of 1856	624	b836e32aa5e2dbb9b4e0eddceb16368d49141f0b6121155dcc9a265cae190b61.exe	30
PID 624 wrote to memory of 1856	624	b836e32aa5e2dbb9b4e0eddceb16368d49141f0b6121155dcc9a265cae190b61.exe	30
PID 624 wrote to memory of 1856	624	b836e32aa5e2dbb9b4e0eddceb16368d49141f0b6121155dcc9a265cae190b61.exe	30
PID 1856 wrote to memory of 1956	1856	cmd.exe	32
PID 1856 wrote to memory of 1956	1856	cmd.exe	32
PID 1856 wrote to memory of 1956	1856	cmd.exe	32
PID 1856 wrote to memory of 1956	1856	cmd.exe	32
PID 624 wrote to memory of 240	624	b836e32aa5e2dbb9b4e0eddceb16368d49141f0b6121155dcc9a265cae190b61.exe	33
PID 624 wrote to memory of 240	624	b836e32aa5e2dbb9b4e0eddceb16368d49141f0b6121155dcc9a265cae190b61.exe	33
PID 624 wrote to memory of 240	624	b836e32aa5e2dbb9b4e0eddceb16368d49141f0b6121155dcc9a265cae190b61.exe	33
PID 624 wrote to memory of 240	624	b836e32aa5e2dbb9b4e0eddceb16368d49141f0b6121155dcc9a265cae190b61.exe	33
PID 240 wrote to memory of 1668	240	cmd.exe	35
PID 240 wrote to memory of 1668	240	cmd.exe	35
PID 240 wrote to memory of 1668	240	cmd.exe	35
PID 240 wrote to memory of 1668	240	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\b836e32aa5e2dbb9b4e0eddceb16368d49141f0b6121155dcc9a265cae190b61.exe
"C:\Users\Admin\AppData\Local\Temp\b836e32aa5e2dbb9b4e0eddceb16368d49141f0b6121155dcc9a265cae190b61.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Public\QQ\11-22-19-03.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Users\Public\QQ\11-22-19-03.exe
    C:\Users\Public\QQ\11-22-19-03.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Public\QQ\JIkhh.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Users\Public\QQ\JIkhh.exe
    C:\Users\Public\QQ\JIkhh.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\QQ\11-22-19-03.exe

Filesize
60KB

MD5
8e946f74815696883edc7ce2011bf251

SHA1
8b3edd2008ce20c3a625223e6df981537580c6ba

SHA256
a6845c976c3fdeb0750f291d9f6da7aeb2261d25a3e1839af4c5b16944cbeba7

SHA512
4dc55e5a9e79b26ee21fa2d456942e93a1c4b9b0d0239b3610710f2171d850b0c1ddfff077cb8c75f49193c758b10880cdc638a8c6726dda441c18c6d1b51b7c

Download Submit
C:\Users\Public\QQ\11-22-19-03.exe

Filesize
60KB

MD5
8e946f74815696883edc7ce2011bf251

SHA1
8b3edd2008ce20c3a625223e6df981537580c6ba

SHA256
a6845c976c3fdeb0750f291d9f6da7aeb2261d25a3e1839af4c5b16944cbeba7

SHA512
4dc55e5a9e79b26ee21fa2d456942e93a1c4b9b0d0239b3610710f2171d850b0c1ddfff077cb8c75f49193c758b10880cdc638a8c6726dda441c18c6d1b51b7c

Download Submit
C:\Users\Public\QQ\JIkhh.exe

Filesize
18KB

MD5
8abe970e0508e068d9da7c0ab91e4ead

SHA1
7a22be3320a4238eee2882976cb5a704c97313f2

SHA256
5319bde2c5bfdbac46d1c3f212a312ea94c200c83e8a929f86196fd17caac376

SHA512
86f238ac19465c20b9a0141a5f6b1ea631e879f9bddd68ca4289b9806e80c5fe9b89feb009976457cb8b3559f1b4f9ac76a89f0aec0e62783012d426e2783597

Download Submit
C:\Users\Public\QQ\JIkhh.exe

Filesize
18KB

MD5
8abe970e0508e068d9da7c0ab91e4ead

SHA1
7a22be3320a4238eee2882976cb5a704c97313f2

SHA256
5319bde2c5bfdbac46d1c3f212a312ea94c200c83e8a929f86196fd17caac376

SHA512
86f238ac19465c20b9a0141a5f6b1ea631e879f9bddd68ca4289b9806e80c5fe9b89feb009976457cb8b3559f1b4f9ac76a89f0aec0e62783012d426e2783597

Download Submit
\Users\Public\QQ\11-22-19-03.exe

Filesize
60KB

MD5
8e946f74815696883edc7ce2011bf251

SHA1
8b3edd2008ce20c3a625223e6df981537580c6ba

SHA256
a6845c976c3fdeb0750f291d9f6da7aeb2261d25a3e1839af4c5b16944cbeba7

SHA512
4dc55e5a9e79b26ee21fa2d456942e93a1c4b9b0d0239b3610710f2171d850b0c1ddfff077cb8c75f49193c758b10880cdc638a8c6726dda441c18c6d1b51b7c

Download Submit
\Users\Public\QQ\11-22-19-03.exe

Filesize
60KB

MD5
8e946f74815696883edc7ce2011bf251

SHA1
8b3edd2008ce20c3a625223e6df981537580c6ba

SHA256
a6845c976c3fdeb0750f291d9f6da7aeb2261d25a3e1839af4c5b16944cbeba7

SHA512
4dc55e5a9e79b26ee21fa2d456942e93a1c4b9b0d0239b3610710f2171d850b0c1ddfff077cb8c75f49193c758b10880cdc638a8c6726dda441c18c6d1b51b7c

Download Submit
\Users\Public\QQ\JIkhh.exe

Filesize
18KB

MD5
8abe970e0508e068d9da7c0ab91e4ead

SHA1
7a22be3320a4238eee2882976cb5a704c97313f2

SHA256
5319bde2c5bfdbac46d1c3f212a312ea94c200c83e8a929f86196fd17caac376

SHA512
86f238ac19465c20b9a0141a5f6b1ea631e879f9bddd68ca4289b9806e80c5fe9b89feb009976457cb8b3559f1b4f9ac76a89f0aec0e62783012d426e2783597

Download Submit
memory/624-54-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/624-55-0x0000000000AA0000-0x0000000000AA9000-memory.dmp

Filesize
36KB

Download
memory/1956-68-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/1956-71-0x0000000001F20000-0x000000000207C000-memory.dmp

Filesize
1.4MB

Download