Analysis

max time kernel: 27s
max time network: 162s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 26-04-2023 03:54
Static task: static1

Behavioral task: behavioral1
  Sample: aba0ee9b59c0f8114abdd258a9e3a01d9928816b6b3ffd25bd2b9ac62d75f88a.dll
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: aba0ee9b59c0f8114abdd258a9e3a01d9928816b6b3ffd25bd2b9ac62d75f88a.dll
  Resource: win10v2004-20230220-en
General

Target: aba0ee9b59c0f8114abdd258a9e3a01d9928816b6b3ffd25bd2b9ac62d75f88a.dll
Size: 201KB
MD5: 438fe1a43c316223c5310a2e71132b1c
SHA1: 3ca90032a60c62f8ebf13bf1a6fc15ee5978cbf4
SHA256: aba0ee9b59c0f8114abdd258a9e3a01d9928816b6b3ffd25bd2b9ac62d75f88a
SHA512: d2c88681020f9bfd0fd56b03f66987ffd7c9f05b14b5e41bde055b3e7c1fb03502ada7f525bd706511d9fa638e097f7e85482c64bc5d31d7def92cfe736f6ad5
SSDEEP: 6144:MwYEf/HqSnofL4YGwmNx8SoQYNIcGoPsLeVMorTv:BJnoNhD1PhrTv
Malware Config

Extracted: fatalrat
  156.236.64.28
Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

Fatal Rat payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1112-54-0x0000000000C80000-0x0000000000CCE000-memory.dmp  fatalrat
  behavioral1/memory/1112-55-0x00000000001E0000-0x0000000000208000-memory.dmp  fatalrat
Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  1     1112  rundll32.exe
  2     1112  rundll32.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                   Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  rundll32.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       rundll32.exe
Suspicious behavior: EnumeratesProcesses (51 IoCs)
  pid   Process
  1112  rundll32.exe   (this row is repeated 51 times in the report)
Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   Process       procid_target
  PID 1276 wrote to memory of 1112  1276  rundll32.exe  28   (this row is repeated 7 times in the report)
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aba0ee9b59c0f8114abdd258a9e3a01d9928816b6b3ffd25bd2b9ac62d75f88a.dll,#1
   PID: 1276
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 1276)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aba0ee9b59c0f8114abdd258a9e3a01d9928816b6b3ffd25bd2b9ac62d75f88a.dll,#1
      PID: 1112
      - Blocklisted process makes network request
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses