fatalrat | 84397eb06ac563cfc61c29ca0545e93a03335a289976faa254d63cebb8779687

Analysis

max time kernel
31s
max time network
151s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
18-02-2023 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ca0b6d4b98cd17fd73617442d4fdbd3.exe
Size

176KB
MD5

9ca0b6d4b98cd17fd73617442d4fdbd3
SHA1

0e19d4b8d05b9b4517121157cdca8f31ececc9c3
SHA256

84397eb06ac563cfc61c29ca0545e93a03335a289976faa254d63cebb8779687
SHA512

8550cf667efa26a74c42ab1e8e8cb646c997a3918246b45720c1bec917c902382856cd952d3adbc6939f8d1d2ada21241e1752f4840bd8331345d4bc99370201
SSDEEP

3072:1Qv5Ko2zTp5j7Uj48xtVxePiaI3A6+GP8vzndiRF/rp/6pHtg+fJj38InpPS:1Qv5KLpR8489EPtU7ezdsr2VS

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/1540-55-0x0000000010000000-0x0000000010028000-memory.dmp	fatalrat
behavioral1/memory/1540-58-0x0000000002190000-0x00000000021DE000-memory.dmp	fatalrat

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	9ca0b6d4b98cd17fd73617442d4fdbd3.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1540	9ca0b6d4b98cd17fd73617442d4fdbd3.exe

C:\Users\Admin\AppData\Local\Temp\9ca0b6d4b98cd17fd73617442d4fdbd3.exe
"C:\Users\Admin\AppData\Local\Temp\9ca0b6d4b98cd17fd73617442d4fdbd3.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1540-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1540-55-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/1540-58-0x0000000002190000-0x00000000021DE000-memory.dmp

Filesize
312KB

Download