fatalrat | f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3

Analysis

max time kernel
31s
max time network
142s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
07-07-2023 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

140KB
MD5

667aca3b0011aebd3ac1eb04a929e79b
SHA1

7489d2101aaa8057fdfe8c22cca54df999f9bd7b
SHA256

f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3
SHA512

ddd335b9af141352409b1a94ca0020a581ba19b5cfa3edb9daad0805ce51d8a4d12ce6f5a4e0742db9cab7f92ae67f83b3a51f88dc018821aa0f8edf5e636b45
SSDEEP

1536:Vua+BTv3tIO8MtM+/6jRVGIk1MgHjsPGYYwOda2CqqZOIgQJb0lfjtO+vbWL8xJb:Vn+htWMtf+7GZYGVA2QJgi8xJLDoU

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2872-54-0x0000000010000000-0x000000001001C000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

pid	Process
2188	Jklmno.exe
2420	Jklmno.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Jklmno.exe	tmp.exe
File opened for modification	C:\Windows\Jklmno.exe	tmp.exe
File opened for modification	C:\Windows\Jklmno.exe	Jklmno.exe
File created	C:\Windows\Jklmno.exe	Jklmno.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jklmno.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Jklmno.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Jklmno Qrstuvwx	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services	Jklmno.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Jklmno Qrstuvwx\InstallTime = "2023-07-07 21:07"	Jklmno.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	Jklmno.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Jklmno Qrstuvwx\Group = "Fatal"	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	Jklmno.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2872	tmp.exe
2188	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe
2420	Jklmno.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	tmp.exe
Token: SeDebugPrivilege	2188	Jklmno.exe
Token: SeDebugPrivilege	2420	Jklmno.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2420	2188	Jklmno.exe	30
PID 2188 wrote to memory of 2420	2188	Jklmno.exe	30
PID 2188 wrote to memory of 2420	2188	Jklmno.exe	30
PID 2188 wrote to memory of 2420	2188	Jklmno.exe	30

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\Jklmno.exe
C:\Windows\Jklmno.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\Jklmno.exe
  C:\Windows\Jklmno.exe Win7
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Jklmno.exe

Filesize
140KB

MD5
667aca3b0011aebd3ac1eb04a929e79b

SHA1
7489d2101aaa8057fdfe8c22cca54df999f9bd7b

SHA256
f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3

SHA512
ddd335b9af141352409b1a94ca0020a581ba19b5cfa3edb9daad0805ce51d8a4d12ce6f5a4e0742db9cab7f92ae67f83b3a51f88dc018821aa0f8edf5e636b45

Download Submit
C:\Windows\Jklmno.exe

Filesize
140KB

MD5
667aca3b0011aebd3ac1eb04a929e79b

SHA1
7489d2101aaa8057fdfe8c22cca54df999f9bd7b

SHA256
f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3

SHA512
ddd335b9af141352409b1a94ca0020a581ba19b5cfa3edb9daad0805ce51d8a4d12ce6f5a4e0742db9cab7f92ae67f83b3a51f88dc018821aa0f8edf5e636b45

Download Submit
C:\Windows\Jklmno.exe

Filesize
140KB

MD5
667aca3b0011aebd3ac1eb04a929e79b

SHA1
7489d2101aaa8057fdfe8c22cca54df999f9bd7b

SHA256
f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3

SHA512
ddd335b9af141352409b1a94ca0020a581ba19b5cfa3edb9daad0805ce51d8a4d12ce6f5a4e0742db9cab7f92ae67f83b3a51f88dc018821aa0f8edf5e636b45

Download Submit
memory/2872-54-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download