fatalrat | 34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289

General

Target

34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exe
Size

176KB
MD5

b51790ddbba1775b3d4a2c2d21f8b138
SHA1

b118e50acb76fc7078a28d68260972d594e75bb3
SHA256

34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289
SHA512

3981108313ac2f5fdebe062f11c6e6297de589de4adf1e4307a300e4bb4fb1d1d8b994acf0ee4f11c6a0a0351f600f17afa2107a47bec58d8caa6510fc36750e
SSDEEP

3072:ZU+rdTSw8IPpU+FsXdmH64W/qNEwwCioeFNdRFjHUGkKsWJcdKi7IW8:ZjrdWmPCBA6YHHcF6WGdKCP

Score

10^/10

fatalrat aspackv2 infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 3 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/1324-72-0x0000000010000000-0x0000000010028000-memory.dmp	fatalrat
behavioral1/memory/1324-75-0x0000000002AF0000-0x0000000002C4C000-memory.dmp	fatalrat
behavioral1/memory/1324-76-0x0000000002AF0000-0x0000000002C4C000-memory.dmp	fatalrat

Downloads MZ/PE file

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Public\QQ\Application.exe	aspack_v212_v242
C:\Users\Public\QQ\Application.exe	aspack_v212_v242
C:\Users\Public\QQ\Application.exe	aspack_v212_v242

Executes dropped EXE 2 IoCs

Processes:

Updaater.exeApplication.exe

pid process

1324 Updaater.exe
696 Application.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.execmd.exe

pid process

980 cmd.exe
980 cmd.exe
1352 cmd.exe

pid	process
1324	Updaater.exe
696	Application.exe

pid	process
980	cmd.exe
980	cmd.exe
1352	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Updaater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Updaater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Updaater.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exeApplication.exeUpdaater.exe

pid	process
1468	34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exe
1468	34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exe
696	Application.exe
696	Application.exe
696	Application.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe
1324	Updaater.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Application.exe

description pid process

Token: SeDebugPrivilege 696 Application.exe
Token: SeDebugPrivilege 696 Application.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Updaater.exe

pid process

1324 Updaater.exe

description	pid	process
Token: SeDebugPrivilege	696	Application.exe
Token: SeDebugPrivilege	696	Application.exe

pid	process
1324	Updaater.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.execmd.execmd.exe

description	pid	process	target process
PID 1468 wrote to memory of 980	1468	34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exe	cmd.exe
PID 1468 wrote to memory of 980	1468	34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exe	cmd.exe
PID 1468 wrote to memory of 980	1468	34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exe	cmd.exe
PID 1468 wrote to memory of 980	1468	34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exe	cmd.exe
PID 980 wrote to memory of 1324	980	cmd.exe	Updaater.exe
PID 980 wrote to memory of 1324	980	cmd.exe	Updaater.exe
PID 980 wrote to memory of 1324	980	cmd.exe	Updaater.exe
PID 980 wrote to memory of 1324	980	cmd.exe	Updaater.exe
PID 1468 wrote to memory of 1352	1468	34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exe	cmd.exe
PID 1468 wrote to memory of 1352	1468	34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exe	cmd.exe
PID 1468 wrote to memory of 1352	1468	34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exe	cmd.exe
PID 1468 wrote to memory of 1352	1468	34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exe	cmd.exe
PID 1352 wrote to memory of 696	1352	cmd.exe	Application.exe
PID 1352 wrote to memory of 696	1352	cmd.exe	Application.exe
PID 1352 wrote to memory of 696	1352	cmd.exe	Application.exe
PID 1352 wrote to memory of 696	1352	cmd.exe	Application.exe

C:\Users\Admin\AppData\Local\Temp\34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exe
"C:\Users\Admin\AppData\Local\Temp\34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Public\QQ\Updaater.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Public\QQ\Updaater.exe
C:\Users\Public\QQ\Updaater.exe
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Public\QQ\Application.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Public\QQ\Application.exe
C:\Users\Public\QQ\Application.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\QQ\Application.exe
Filesize
87KB

MD5
940ab9fc18380a00dd82e1c6328fa92f

SHA1
dfe975d50d5c190c0666332740b3ed2747e9eaf6

SHA256
8367c91c8ad10fe8de7b166c9644fab7c577ba68f79c6ebfde9e6d8f3f917d6b

SHA512
bf3db349476bcafada7e9f7fd0a7bee19b6e3e089e90c87beedabc65e7c96006f2091625d87ec5d5337a4475d05f046ef24b4397911f71110921d04df962a433

Download Submit
C:\Users\Public\QQ\Application.exe
Filesize
87KB

MD5
940ab9fc18380a00dd82e1c6328fa92f

SHA1
dfe975d50d5c190c0666332740b3ed2747e9eaf6

SHA256
8367c91c8ad10fe8de7b166c9644fab7c577ba68f79c6ebfde9e6d8f3f917d6b

SHA512
bf3db349476bcafada7e9f7fd0a7bee19b6e3e089e90c87beedabc65e7c96006f2091625d87ec5d5337a4475d05f046ef24b4397911f71110921d04df962a433

Download Submit
C:\Users\Public\QQ\Updaater.exe
Filesize
176KB

MD5
9ca0b6d4b98cd17fd73617442d4fdbd3

SHA1
0e19d4b8d05b9b4517121157cdca8f31ececc9c3

SHA256
84397eb06ac563cfc61c29ca0545e93a03335a289976faa254d63cebb8779687

SHA512
8550cf667efa26a74c42ab1e8e8cb646c997a3918246b45720c1bec917c902382856cd952d3adbc6939f8d1d2ada21241e1752f4840bd8331345d4bc99370201

Download Submit
C:\Users\Public\QQ\Updaater.exe
Filesize
176KB

MD5
9ca0b6d4b98cd17fd73617442d4fdbd3

SHA1
0e19d4b8d05b9b4517121157cdca8f31ececc9c3

SHA256
84397eb06ac563cfc61c29ca0545e93a03335a289976faa254d63cebb8779687

SHA512
8550cf667efa26a74c42ab1e8e8cb646c997a3918246b45720c1bec917c902382856cd952d3adbc6939f8d1d2ada21241e1752f4840bd8331345d4bc99370201

Download Submit
\Users\Public\QQ\Application.exe
Filesize
87KB

MD5
940ab9fc18380a00dd82e1c6328fa92f

SHA1
dfe975d50d5c190c0666332740b3ed2747e9eaf6

SHA256
8367c91c8ad10fe8de7b166c9644fab7c577ba68f79c6ebfde9e6d8f3f917d6b

SHA512
bf3db349476bcafada7e9f7fd0a7bee19b6e3e089e90c87beedabc65e7c96006f2091625d87ec5d5337a4475d05f046ef24b4397911f71110921d04df962a433

Download Submit
\Users\Public\QQ\Updaater.exe
Filesize
176KB

MD5
9ca0b6d4b98cd17fd73617442d4fdbd3

SHA1
0e19d4b8d05b9b4517121157cdca8f31ececc9c3

SHA256
84397eb06ac563cfc61c29ca0545e93a03335a289976faa254d63cebb8779687

SHA512
8550cf667efa26a74c42ab1e8e8cb646c997a3918246b45720c1bec917c902382856cd952d3adbc6939f8d1d2ada21241e1752f4840bd8331345d4bc99370201

Download Submit
\Users\Public\QQ\Updaater.exe
Filesize
176KB

MD5
9ca0b6d4b98cd17fd73617442d4fdbd3

SHA1
0e19d4b8d05b9b4517121157cdca8f31ececc9c3

SHA256
84397eb06ac563cfc61c29ca0545e93a03335a289976faa254d63cebb8779687

SHA512
8550cf667efa26a74c42ab1e8e8cb646c997a3918246b45720c1bec917c902382856cd952d3adbc6939f8d1d2ada21241e1752f4840bd8331345d4bc99370201

Download Submit
memory/696-71-0x00000000002D0000-0x00000000002FE000-memory.dmp

Filesize
184KB

Download
memory/696-68-0x0000000000000000-mapping.dmp

Download
memory/980-58-0x0000000000000000-mapping.dmp

Download
memory/1324-62-0x0000000000000000-mapping.dmp

Download
memory/1324-72-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/1324-75-0x0000000002AF0000-0x0000000002C4C000-memory.dmp

Filesize
1.4MB

Download
memory/1324-76-0x0000000002AF0000-0x0000000002C4C000-memory.dmp

Filesize
1.4MB

Download
memory/1352-64-0x0000000000000000-mapping.dmp

Download
memory/1468-70-0x0000000000030000-0x00000000000AE000-memory.dmp

Filesize
504KB

Download
memory/1468-55-0x0000000000030000-0x00000000000AE000-memory.dmp

Filesize
504KB

Download
memory/1468-57-0x0000000000030000-0x00000000000AE000-memory.dmp

Filesize
504KB

Download
memory/1468-56-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1468-54-0x0000000000030000-0x00000000000AE000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads