Analysis
max time kernel: 30s
max time network: 152s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 11-04-2023 08:34
Static task: static1
Behavioral task: behavioral1
  Sample: aba0ee9b59c0f8114abdd258a9e3a01d9928816b6b3ffd25bd2b9ac62d75f88a.dll
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: aba0ee9b59c0f8114abdd258a9e3a01d9928816b6b3ffd25bd2b9ac62d75f88a.dll
  Resource: win10v2004-20230220-en
General
Target: aba0ee9b59c0f8114abdd258a9e3a01d9928816b6b3ffd25bd2b9ac62d75f88a.dll
Size: 201KB
MD5: 438fe1a43c316223c5310a2e71132b1c
SHA1: 3ca90032a60c62f8ebf13bf1a6fc15ee5978cbf4
SHA256: aba0ee9b59c0f8114abdd258a9e3a01d9928816b6b3ffd25bd2b9ac62d75f88a
SHA512: d2c88681020f9bfd0fd56b03f66987ffd7c9f05b14b5e41bde055b3e7c1fb03502ada7f525bd706511d9fa638e097f7e85482c64bc5d31d7def92cfe736f6ad5
SSDEEP: 6144:MwYEf/HqSnofL4YGwmNx8SoQYNIcGoPsLeVMorTv:BJnoNhD1PhrTv
Malware Config
Extracted: fatalrat
156.236.64.28
Signatures

- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

- Fatal Rat payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/1404-54-0x0000000000630000-0x000000000067E000-memory.dmp | fatalrat
  behavioral1/memory/1404-55-0x0000000000280000-0x00000000002A8000-memory.dmp | fatalrat

- Blocklisted process makes network request (2 IoCs)
  flow | pid | Process
  2 | 1404 | rundll32.exe
  3 | 1404 | rundll32.exe

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe

- Suspicious behavior: EnumeratesProcesses (51 IoCs)
  pid | Process
  1404 | rundll32.exe (all 51 events are from this same process)

- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1984 wrote to memory of 1404 | 1984 | rundll32.exe | 27 (this same event is recorded 7 times)
Processes

1. C:\Windows\system32\rundll32.exe (PID 1984)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aba0ee9b59c0f8114abdd258a9e3a01d9928816b6b3ffd25bd2b9ac62d75f88a.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 1404), child of PID 1984
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aba0ee9b59c0f8114abdd258a9e3a01d9928816b6b3ffd25bd2b9ac62d75f88a.dll,#1
      - Blocklisted process makes network request
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses