fatalrat | 542574d5a06f3e3c362ddf812638bed924558f26579789de432f174792398231

Analysis

max time kernel
149s
max time network
130s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-04-2023 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

导出流水状况.exe
Size

6.7MB
MD5

9de58a47dc0ddc03b7ac693d99687531
SHA1

324b0906be1b53a439c1c1ee322acdff1d8459d8
SHA256

542574d5a06f3e3c362ddf812638bed924558f26579789de432f174792398231
SHA512

bb2135f5c9df6677be900eb4af495bf8adcb6fd9ba95fa07de75ff816e8e7b5b1a6b403b233bfe8a4108a58c9a972f985e801979bf33e6d21f7430d42bfa9d85
SSDEEP

98304:lOEYwyhvXeHcwsAIGeJ1M9wwaf1nW1iu8vl8HTeYJkmBBO/hRVcbgrJ2GBqmylXz:shvXetIbeww21nhjNMnmAkXV7Lqt

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/1376-56-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
1376	导出流水状况.exe
1376	导出流水状况.exe
1376	导出流水状况.exe
1376	导出流水状况.exe
1376	导出流水状况.exe
1376	导出流水状况.exe
1376	导出流水状况.exe
1376	导出流水状况.exe
1376	导出流水状况.exe
1376	导出流水状况.exe
1376	导出流水状况.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1376	导出流水状况.exe
1376	导出流水状况.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	导出流水状况.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1376	导出流水状况.exe
1376	导出流水状况.exe

C:\Users\Admin\AppData\Local\Temp\导出流水状况.exe
"C:\Users\Admin\AppData\Local\Temp\导出流水状况.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-54-0x0000000000930000-0x00000000022F8000-memory.dmp

Filesize
25.8MB

Download
memory/1376-55-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1376-56-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1376-61-0x0000000000930000-0x00000000022F8000-memory.dmp

Filesize
25.8MB

Download
memory/1376-62-0x0000000000930000-0x00000000022F8000-memory.dmp

Filesize
25.8MB

Download
memory/1376-63-0x0000000000930000-0x00000000022F8000-memory.dmp

Filesize
25.8MB

Download
memory/1376-64-0x0000000000930000-0x00000000022F8000-memory.dmp

Filesize
25.8MB

Download
memory/1376-65-0x0000000000930000-0x00000000022F8000-memory.dmp

Filesize
25.8MB

Download
memory/1376-66-0x0000000000930000-0x00000000022F8000-memory.dmp

Filesize
25.8MB

Download
memory/1376-67-0x0000000000930000-0x00000000022F8000-memory.dmp

Filesize
25.8MB

Download
memory/1376-68-0x0000000000930000-0x00000000022F8000-memory.dmp

Filesize
25.8MB

Download
memory/1376-69-0x0000000000930000-0x00000000022F8000-memory.dmp

Filesize
25.8MB

Download
memory/1376-70-0x0000000000930000-0x00000000022F8000-memory.dmp

Filesize
25.8MB

Download
memory/1376-71-0x0000000000930000-0x00000000022F8000-memory.dmp

Filesize
25.8MB

Download
memory/1376-72-0x0000000000930000-0x00000000022F8000-memory.dmp

Filesize
25.8MB

Download
memory/1376-73-0x0000000000930000-0x00000000022F8000-memory.dmp

Filesize
25.8MB

Download
memory/1376-74-0x0000000000930000-0x00000000022F8000-memory.dmp

Filesize
25.8MB

Download
memory/1376-75-0x0000000000930000-0x00000000022F8000-memory.dmp

Filesize
25.8MB

Download