Overview

overview

10

Static

static

7

34c70475f6...89.exe

windows7-x64

10

34c70475f6...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-02-2023 20:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exe

  • Size

    176KB

  • MD5

    b51790ddbba1775b3d4a2c2d21f8b138

  • SHA1

    b118e50acb76fc7078a28d68260972d594e75bb3

  • SHA256

    34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289

  • SHA512

    3981108313ac2f5fdebe062f11c6e6297de589de4adf1e4307a300e4bb4fb1d1d8b994acf0ee4f11c6a0a0351f600f17afa2107a47bec58d8caa6510fc36750e

  • SSDEEP

    3072:ZU+rdTSw8IPpU+FsXdmH64W/qNEwwCioeFNdRFjHUGkKsWJcdKi7IW8:ZjrdWmPCBA6YHHcF6WGdKCP

Score
10/10
fatalrataspackv2infostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 2 IoCs
    ratinfostealer
  • Downloads MZ/PE file
  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exe
    "C:\Users\Admin\AppData\Local\Temp\34c70475f657861d20276abb440d9c8d02ad393e7f0769ad3a74c1cdc8f2b289.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Public\QQ\Updaater.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Users\Public\QQ\Updaater.exe
        C:\Users\Public\QQ\Updaater.exe
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4388
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Public\QQ\Application.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3216
      • C:\Users\Public\QQ\Application.exe
        C:\Users\Public\QQ\Application.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\QQ\Application.exe
    Filesize

    87KB

    MD5

    940ab9fc18380a00dd82e1c6328fa92f

    SHA1

    dfe975d50d5c190c0666332740b3ed2747e9eaf6

    SHA256

    8367c91c8ad10fe8de7b166c9644fab7c577ba68f79c6ebfde9e6d8f3f917d6b

    SHA512

    bf3db349476bcafada7e9f7fd0a7bee19b6e3e089e90c87beedabc65e7c96006f2091625d87ec5d5337a4475d05f046ef24b4397911f71110921d04df962a433

    Download Submit
  • C:\Users\Public\QQ\Application.exe
    Filesize

    87KB

    MD5

    940ab9fc18380a00dd82e1c6328fa92f

    SHA1

    dfe975d50d5c190c0666332740b3ed2747e9eaf6

    SHA256

    8367c91c8ad10fe8de7b166c9644fab7c577ba68f79c6ebfde9e6d8f3f917d6b

    SHA512

    bf3db349476bcafada7e9f7fd0a7bee19b6e3e089e90c87beedabc65e7c96006f2091625d87ec5d5337a4475d05f046ef24b4397911f71110921d04df962a433

    Download Submit
  • C:\Users\Public\QQ\Updaater.exe
    Filesize

    176KB

    MD5

    9ca0b6d4b98cd17fd73617442d4fdbd3

    SHA1

    0e19d4b8d05b9b4517121157cdca8f31ececc9c3

    SHA256

    84397eb06ac563cfc61c29ca0545e93a03335a289976faa254d63cebb8779687

    SHA512

    8550cf667efa26a74c42ab1e8e8cb646c997a3918246b45720c1bec917c902382856cd952d3adbc6939f8d1d2ada21241e1752f4840bd8331345d4bc99370201

    Download Submit
  • C:\Users\Public\QQ\Updaater.exe
    Filesize

    176KB

    MD5

    9ca0b6d4b98cd17fd73617442d4fdbd3

    SHA1

    0e19d4b8d05b9b4517121157cdca8f31ececc9c3

    SHA256

    84397eb06ac563cfc61c29ca0545e93a03335a289976faa254d63cebb8779687

    SHA512

    8550cf667efa26a74c42ab1e8e8cb646c997a3918246b45720c1bec917c902382856cd952d3adbc6939f8d1d2ada21241e1752f4840bd8331345d4bc99370201

    Download Submit
  • memory/2932-135-0x0000000000000000-mapping.dmp
    Download
  • memory/3216-139-0x0000000000000000-mapping.dmp
    Download
  • memory/4388-149-0x00000000050F0000-0x000000000513E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/4388-146-0x0000000004EB0000-0x0000000004ED8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4388-136-0x0000000000000000-mapping.dmp
    Download
  • memory/4588-140-0x0000000000000000-mapping.dmp
    Download
  • memory/4588-144-0x0000000000820000-0x000000000084E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/4588-145-0x0000000000820000-0x000000000084E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/4876-132-0x00000000003C0000-0x000000000043E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/4876-143-0x00000000003C0000-0x000000000043E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/4876-134-0x00000000003C0000-0x000000000043E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/4876-133-0x00000000003C0000-0x000000000043E000-memory.dmp
    Filesize

    504KB

    Download