fatalrat | 1df47bf09157103d5d08b33bd2b6dbb189d1d478752f7470e4783d96439bd0e9

Analysis

max time kernel
93s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2023 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

252KB
MD5

b5904d25e781dd428edce60ec8e8c672
SHA1

d23af1e2e20de9c422cbd8e261b9ad09627a162b
SHA256

1df47bf09157103d5d08b33bd2b6dbb189d1d478752f7470e4783d96439bd0e9
SHA512

c4814cd8ef8c337264c1c7b4798f53f460ecfea44ca0753aaab6d012ca7861d011f144b9e5789416e11848d920149ff77fe9f7b37527c9f838440cc0599be081
SSDEEP

6144:LQ/clEFFaRoA/qhpTKSdzCUeUtoETto08KtXscI:LQHFTA/gdFeUtoERr8KtXsc

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/3712-133-0x0000000002330000-0x000000000237E000-memory.dmp	fatalrat
behavioral2/memory/3712-134-0x0000000010000000-0x0000000010028000-memory.dmp	fatalrat

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	tmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe
3712	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3712	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3712-133-0x0000000002330000-0x000000000237E000-memory.dmp

Filesize
312KB

Download
memory/3712-134-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download