fatalrat | 5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42

Analysis

max time kernel
143s
max time network
144s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08/05/2023, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42.exe
Size

1.3MB
MD5

f3eab5e140210e0e4ff2ff625b2ffe21
SHA1

610fa43452f5cde3800a2ca81ce14e36a1dd3d6c
SHA256

5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42
SHA512

98cfb85663ecf5165f979fb76ab3302ea071cd0c64a1762d24c8334000999859555cae345a7382d5819a6f923fd8cdf2fd8d4d2e68e863378c7576882cd6a568
SSDEEP

24576:V5Jv9AJdTyl4pf97WzwSsQniCbqr0RwquvqryHFdYTZ/V:V5JVAJYl4pFyzwB6t63SyHFu99

Score

10^/10

fatalrat evasion infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 18 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/1696-71-0x0000000000570000-0x00000000005BD000-memory.dmp	fatalrat
behavioral1/memory/1696-85-0x0000000010000000-0x0000000010215000-memory.dmp	fatalrat
behavioral1/memory/1848-94-0x0000000002AC0000-0x0000000002B0D000-memory.dmp	fatalrat
behavioral1/memory/1848-105-0x0000000010000000-0x0000000010215000-memory.dmp	fatalrat
behavioral1/memory/1848-106-0x0000000010000000-0x0000000010215000-memory.dmp	fatalrat
behavioral1/memory/1848-107-0x0000000010000000-0x0000000010215000-memory.dmp	fatalrat
behavioral1/memory/1848-108-0x0000000010000000-0x0000000010215000-memory.dmp	fatalrat
behavioral1/memory/1848-109-0x0000000010000000-0x0000000010215000-memory.dmp	fatalrat
behavioral1/memory/1848-110-0x0000000010000000-0x0000000010215000-memory.dmp	fatalrat
behavioral1/memory/1848-111-0x0000000010000000-0x0000000010215000-memory.dmp	fatalrat
behavioral1/memory/1848-112-0x0000000010000000-0x0000000010215000-memory.dmp	fatalrat
behavioral1/memory/1848-113-0x0000000010000000-0x0000000010215000-memory.dmp	fatalrat
behavioral1/memory/1848-114-0x0000000010000000-0x0000000010215000-memory.dmp	fatalrat
behavioral1/memory/1848-115-0x0000000010000000-0x0000000010215000-memory.dmp	fatalrat
behavioral1/memory/1848-116-0x0000000010000000-0x0000000010215000-memory.dmp	fatalrat
behavioral1/memory/1848-117-0x0000000010000000-0x0000000010215000-memory.dmp	fatalrat
behavioral1/memory/1848-118-0x0000000010000000-0x0000000010215000-memory.dmp	fatalrat
behavioral1/memory/1848-119-0x0000000010000000-0x0000000010215000-memory.dmp	fatalrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Agghost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Agghost.exe

Executes dropped EXE 2 IoCs

pid	Process
1696	Agghost.exe
1848	Agghost.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Wine	Agghost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Wine	Agghost.exe

Loads dropped DLL 9 IoCs

pid	Process
1724	5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42.exe
1696	Agghost.exe
1696	Agghost.exe
1696	Agghost.exe
1696	Agghost.exe
1696	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1696	Agghost.exe
1848	Agghost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Agghost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Agghost.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
1696	Agghost.exe
1696	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe
1848	Agghost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	Agghost.exe
Token: SeDebugPrivilege	1848	Agghost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1696	1724	5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42.exe	28
PID 1724 wrote to memory of 1696	1724	5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42.exe	28
PID 1724 wrote to memory of 1696	1724	5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42.exe	28
PID 1724 wrote to memory of 1696	1724	5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42.exe	28
PID 1724 wrote to memory of 1696	1724	5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42.exe	28
PID 1724 wrote to memory of 1696	1724	5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42.exe	28
PID 1724 wrote to memory of 1696	1724	5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42.exe	28
PID 1696 wrote to memory of 1848	1696	Agghost.exe	29
PID 1696 wrote to memory of 1848	1696	Agghost.exe	29
PID 1696 wrote to memory of 1848	1696	Agghost.exe	29
PID 1696 wrote to memory of 1848	1696	Agghost.exe	29
PID 1696 wrote to memory of 1848	1696	Agghost.exe	29
PID 1696 wrote to memory of 1848	1696	Agghost.exe	29
PID 1696 wrote to memory of 1848	1696	Agghost.exe	29

C:\Users\Admin\AppData\Local\Temp\5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42.exe
"C:\Users\Admin\AppData\Local\Temp\5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\data\Agghost.exe
  C:\Users\Admin\AppData\Local\Temp\data\Agghost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Agghost.exe
    "C:\Users\Admin\AppData\Local\Agghost.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Agghost.exe

Filesize
111KB

MD5
a9b40e0b76aa5a292cb6052c6c2fd81d

SHA1
e15bba9e662ef45350720218617d563620c76823

SHA256
f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

SHA512
ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

Download Submit
C:\Users\Admin\AppData\Local\Agghost.exe

Filesize
111KB

MD5
a9b40e0b76aa5a292cb6052c6c2fd81d

SHA1
e15bba9e662ef45350720218617d563620c76823

SHA256
f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

SHA512
ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

Download Submit
C:\Users\Admin\AppData\Local\Agghost.exe

Filesize
111KB

MD5
a9b40e0b76aa5a292cb6052c6c2fd81d

SHA1
e15bba9e662ef45350720218617d563620c76823

SHA256
f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

SHA512
ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Agghost.exe

Filesize
111KB

MD5
a9b40e0b76aa5a292cb6052c6c2fd81d

SHA1
e15bba9e662ef45350720218617d563620c76823

SHA256
f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

SHA512
ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Agghost.exe

Filesize
111KB

MD5
a9b40e0b76aa5a292cb6052c6c2fd81d

SHA1
e15bba9e662ef45350720218617d563620c76823

SHA256
f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

SHA512
ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\EduWebContainer.dll

Filesize
936KB

MD5
4683696a3518f9cd7c4ee730a53405c2

SHA1
23881246d838d9d2a1bd76430f9c5f7458e00e83

SHA256
43e51c6becb9c635cce68d1aa32310ddd6ae68125ca2c00e5e47dc3536cb5fca

SHA512
5bfc43d489b53585e7369e3d28daf9f501d6999517310249f88b158d268c2a4e730b8e10aec0959094f276e3b4ba79b5737add5dc01ef3d6136e42a04552522c

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\VCRUNTIME140.dll

Filesize
77KB

MD5
f107a3c7371c4543bd3908ba729dd2db

SHA1
af8e7e8f446de74db2f31d532e46eab8bbf41e0a

SHA256
00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

SHA512
fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

Download Submit
\Users\Admin\AppData\Local\Agghost.exe

Filesize
111KB

MD5
a9b40e0b76aa5a292cb6052c6c2fd81d

SHA1
e15bba9e662ef45350720218617d563620c76823

SHA256
f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

SHA512
ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

Download Submit
\Users\Admin\AppData\Local\Agghost.exe

Filesize
111KB

MD5
a9b40e0b76aa5a292cb6052c6c2fd81d

SHA1
e15bba9e662ef45350720218617d563620c76823

SHA256
f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

SHA512
ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

Download Submit
\Users\Admin\AppData\Local\Agghost.exe

Filesize
111KB

MD5
a9b40e0b76aa5a292cb6052c6c2fd81d

SHA1
e15bba9e662ef45350720218617d563620c76823

SHA256
f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

SHA512
ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

Download Submit
\Users\Admin\AppData\Local\Temp\data\Agghost.exe

Filesize
111KB

MD5
a9b40e0b76aa5a292cb6052c6c2fd81d

SHA1
e15bba9e662ef45350720218617d563620c76823

SHA256
f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

SHA512
ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

Download Submit
\Users\Admin\AppData\Local\Temp\data\Agghost.exe

Filesize
111KB

MD5
a9b40e0b76aa5a292cb6052c6c2fd81d

SHA1
e15bba9e662ef45350720218617d563620c76823

SHA256
f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

SHA512
ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

Download Submit
\Users\Admin\AppData\Local\Temp\data\Agghost.exe

Filesize
111KB

MD5
a9b40e0b76aa5a292cb6052c6c2fd81d

SHA1
e15bba9e662ef45350720218617d563620c76823

SHA256
f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

SHA512
ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

Download Submit
\Users\Admin\AppData\Local\Temp\data\EduWebContainer.dll

Filesize
936KB

MD5
4683696a3518f9cd7c4ee730a53405c2

SHA1
23881246d838d9d2a1bd76430f9c5f7458e00e83

SHA256
43e51c6becb9c635cce68d1aa32310ddd6ae68125ca2c00e5e47dc3536cb5fca

SHA512
5bfc43d489b53585e7369e3d28daf9f501d6999517310249f88b158d268c2a4e730b8e10aec0959094f276e3b4ba79b5737add5dc01ef3d6136e42a04552522c

Download Submit
\Users\Admin\AppData\Local\Temp\data\EduWebContainer.dll

Filesize
936KB

MD5
4683696a3518f9cd7c4ee730a53405c2

SHA1
23881246d838d9d2a1bd76430f9c5f7458e00e83

SHA256
43e51c6becb9c635cce68d1aa32310ddd6ae68125ca2c00e5e47dc3536cb5fca

SHA512
5bfc43d489b53585e7369e3d28daf9f501d6999517310249f88b158d268c2a4e730b8e10aec0959094f276e3b4ba79b5737add5dc01ef3d6136e42a04552522c

Download Submit
\Users\Admin\AppData\Local\Temp\data\vcruntime140.dll

Filesize
77KB

MD5
f107a3c7371c4543bd3908ba729dd2db

SHA1
af8e7e8f446de74db2f31d532e46eab8bbf41e0a

SHA256
00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

SHA512
fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

Download Submit
memory/1696-70-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1696-71-0x0000000000570000-0x00000000005BD000-memory.dmp

Filesize
308KB

Download
memory/1696-85-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-94-0x0000000002AC0000-0x0000000002B0D000-memory.dmp

Filesize
308KB

Download
memory/1848-109-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-102-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1848-100-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1848-101-0x0000000000450000-0x0000000000452000-memory.dmp

Filesize
8KB

Download
memory/1848-103-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/1848-104-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1848-105-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-106-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-107-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-108-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-93-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-110-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-111-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-112-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-113-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-114-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-115-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-116-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-117-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-118-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-119-0x0000000010000000-0x0000000010215000-memory.dmp

Filesize
2.1MB

Download