Analysis
- max time kernel: 90s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-02-2023 15:30

Static task
- static1

Behavioral task
- behavioral1
  Sample: qbcore.dll
  Resource: win7-20230220-en

Behavioral task
- behavioral2
  Sample: qbcore.dll
  Resource: win10v2004-20230220-en
General
- Target: qbcore.dll
- Size: 108KB
- MD5: fc6ebebbe50f6d2736a5ed2d76509728
- SHA1: af263396b3b3f18a84a2c2e3460952c38f7ceff5
- SHA256: 6987c59c2bc68484b63dc68b6b05b823458cc91dc44c50579b464d1d777bf1b1
- SHA512: d91488763f082cfc4d49b00f2cce54c35dc7e824f4c18f23f48ceea88037aba6d7a8f025e695957dc2c70bb5b5b995b1108ab640527481e0726f2e3692e525fb
- SSDEEP: 1536:Oh3MU/5bLDCMtm/ejs5x2WcHG82RqNoRKV2KoyqkvITnzZh/Qz6r:mt5bLDtm/ejs5xqHG82RWqWITzZRQO
Malware Config

Signatures
- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

- Fatal Rat payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1940-133-0x0000000002640000-0x000000000268E000-memory.dmp | fatalrat
  behavioral2/memory/1940-134-0x0000000002490000-0x00000000024B8000-memory.dmp | fatalrat

- Blocklisted process makes network request (2 IoCs)
  flow | pid | Process
  3 | 1940 | rundll32.exe
  11 | 1940 | rundll32.exe

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1940 | rundll32.exe (64 identical entries)

- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3176 wrote to memory of 1940 | 3176 | rundll32.exe | 80 (3 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\qbcore.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3176
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\qbcore.dll,#1
    - Blocklisted process makes network request
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID: 1940