Analysis
max time kernel: 30s
max time network: 151s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 26-02-2023 15:30
Static task: static1
Behavioral task: behavioral1 (sample: qbcore.dll; resource: win7-20230220-en)
Behavioral task: behavioral2 (sample: qbcore.dll; resource: win10v2004-20230220-en)
General
Target: qbcore.dll
Size: 108KB
MD5: fc6ebebbe50f6d2736a5ed2d76509728
SHA1: af263396b3b3f18a84a2c2e3460952c38f7ceff5
SHA256: 6987c59c2bc68484b63dc68b6b05b823458cc91dc44c50579b464d1d777bf1b1
SHA512: d91488763f082cfc4d49b00f2cce54c35dc7e824f4c18f23f48ceea88037aba6d7a8f025e695957dc2c70bb5b5b995b1108ab640527481e0726f2e3692e525fb
SSDEEP: 1536:Oh3MU/5bLDCMtm/ejs5x2WcHG82RqNoRKV2KoyqkvITnzZh/Qz6r:mt5bLDtm/ejs5xqHG82RWqWITzZRQO
Malware Config
Signatures
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

Fatal Rat payload (2 IoCs)
resource: behavioral1/memory/376-54-0x00000000002A0000-0x00000000002EE000-memory.dmp, yara_rule: fatalrat
resource: behavioral1/memory/376-55-0x0000000000210000-0x0000000000238000-memory.dmp, yara_rule: fatalrat
Blocklisted process makes network request (2 IoCs)
flow 1, pid 376, process rundll32.exe
flow 2, pid 376, process rundll32.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: rundll32.exe)
Suspicious behavior: EnumeratesProcesses (51 IoCs)
pid 376, process rundll32.exe (51 identical entries)
Suspicious use of WriteProcessMemory (7 IoCs)
PID 1624 (rundll32.exe) wrote to memory of PID 376, procid_target 26 (7 identical entries)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\qbcore.dll,#1
   PID: 1624
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\qbcore.dll,#1
      PID: 376
      - Blocklisted process makes network request
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses