fatalrat | 7107606074d34bfb3d9a659b21bf84e55692b810b8e7d60c677b86b6477fdd7a

Analysis

max time kernel
137s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2023 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

u9.exe
Size

4.5MB
MD5

92bd14c4a22b2aed0fe832f2b1174af0
SHA1

f08d2d2e6a6ffc92a7133d0ceaf01963cfaebe86
SHA256

7107606074d34bfb3d9a659b21bf84e55692b810b8e7d60c677b86b6477fdd7a
SHA512

bbc16c3595cf20a6aec3811975d8ae4121220f4549456dca9a4cc03e0d13131139736fa669d0dd941052f0cee25cf7d6d251e5cc61e34a22e712b19751c68b6a
SSDEEP

98304:sJizlahPkloq0/nubwpJPYSeHrNYgLVBwsrX:sJiQIoq+ubwpxANYs0sr

Score

10^/10

fatalrat infostealer persistence rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral3/memory/3720-13213-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

pid	Process
3720	spolsvt.exe
2372	elf.exe

Loads dropped DLL 2 IoCs

pid	Process
2080	u9.exe
2372	elf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hxrobot = "C:\\Users\\Admin\\Documents\\robot\\elf.exe"	elf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

pid	Process
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe
2080	u9.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2080 set thread context of 3720	2080	u9.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2080	u9.exe
2080	u9.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe
3720	spolsvt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3720	spolsvt.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2080	u9.exe
2080	u9.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 3720	2080	u9.exe	87
PID 2080 wrote to memory of 3720	2080	u9.exe	87
PID 2080 wrote to memory of 3720	2080	u9.exe	87
PID 2080 wrote to memory of 3720	2080	u9.exe	87
PID 2080 wrote to memory of 3720	2080	u9.exe	87
PID 2080 wrote to memory of 3720	2080	u9.exe	87
PID 2080 wrote to memory of 3720	2080	u9.exe	87
PID 2080 wrote to memory of 3720	2080	u9.exe	87
PID 2080 wrote to memory of 2372	2080	u9.exe	90
PID 2080 wrote to memory of 2372	2080	u9.exe	90
PID 2080 wrote to memory of 2372	2080	u9.exe	90
PID 2080 wrote to memory of 1864	2080	u9.exe	93
PID 2080 wrote to memory of 1864	2080	u9.exe	93
PID 2080 wrote to memory of 1864	2080	u9.exe	93

C:\Users\Admin\AppData\Local\Temp\u9.exe
"C:\Users\Admin\AppData\Local\Temp\u9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Public\Documents\t\spolsvt.exe
  C:\Users\Public\Documents\t\spolsvt.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Users\Admin\Documents\robot\elf.exe
  "C:\Users\Admin\Documents\robot\elf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del u9.exe
  2⤵
  PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UnRAR.dll

Filesize
278KB

MD5
c5587655293f83c72f0c88c74660dd10

SHA1
675d7cac72e4caebebd7c2a88403d138b69acd89

SHA256
a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe

SHA512
6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnRAR.dll

Filesize
278KB

MD5
c5587655293f83c72f0c88c74660dd10

SHA1
675d7cac72e4caebebd7c2a88403d138b69acd89

SHA256
a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe

SHA512
6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

Download Submit
C:\Users\Admin\Documents\robot\LoggerCollector.dll

Filesize
510KB

MD5
47fe0ab041a9c28fe838eb1b11556e33

SHA1
b7128f679230730cf477f3c081235de118c98960

SHA256
29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf

SHA512
7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

Download Submit
C:\Users\Admin\Documents\robot\LoggerCollector.dll

Filesize
510KB

MD5
47fe0ab041a9c28fe838eb1b11556e33

SHA1
b7128f679230730cf477f3c081235de118c98960

SHA256
29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf

SHA512
7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

Download Submit
C:\Users\Admin\Documents\robot\elf.exe

Filesize
2.2MB

MD5
33922d12e5bb8f40ecddf816124ae93d

SHA1
28244217fa205f12cf40278e97a3a01e6d7366a3

SHA256
255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158

SHA512
1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

Download Submit
C:\Users\Admin\Documents\robot\elf.exe

Filesize
2.2MB

MD5
33922d12e5bb8f40ecddf816124ae93d

SHA1
28244217fa205f12cf40278e97a3a01e6d7366a3

SHA256
255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158

SHA512
1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

Download Submit
C:\Users\Admin\Documents\robot\elf.exe

Filesize
2.2MB

MD5
33922d12e5bb8f40ecddf816124ae93d

SHA1
28244217fa205f12cf40278e97a3a01e6d7366a3

SHA256
255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158

SHA512
1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

Download Submit
C:\Users\Admin\Documents\robot\skin\Robot\Robot.xml

Filesize
260B

MD5
2fdb0ba1aa4f2088d10468757490b3fc

SHA1
3757f286d6fa2585747bf6135eb8c927bc3145b8

SHA256
6f1d5abe5173cab5a5d5553d6ebf4c78f0b0d587337c8c942c170acf24d9f02a

SHA512
aba55dd158a645d76c05c5b4e226547b42619f123de30050963cced626b914dce7c79574eca4f222b6eaae3a0acfd737818a423fc4bdf1402a31979f859fdaaa

Download Submit
C:\Users\Admin\Documents\robot\skin\Robot\icon_wnd.xml

Filesize
629B

MD5
f74ff1f559d4f5a7af7b09b00d17a3f7

SHA1
7ae57ae206977eb874cf1037e7dedb37cb464e4b

SHA256
1ebba2b9a0d222642016121ca19ee5cd6d1b32f40b43bd57aed165dc8dcdf781

SHA512
fc26f6af3c8e0d642a91e31e5060db94d7ed2cce33619a4d8e9b78c68b95b397db15863165ce536fbc364f2e361772ffb86be61e3d9a921011f167ca9c9d9c51

Download Submit
C:\Users\Admin\Documents\robot\skin\Robot\push_wnd.xml

Filesize
1KB

MD5
ee58358ad4380ad0da672cdb49247454

SHA1
e99376e5eaa92538221789ff8f25768d83f0cf1e

SHA256
633b462f98038aa0f9ab302d3cd0def8352fde79990af747b3c97b49ebab2103

SHA512
eded6474a11deb02292682e3354b2d7d17ac898348f533fc13a74451fb5a312ec25a0de69bd40d2b9a4159e2284834277b47072b2e8990780f6783519b0dfda3

Download Submit
C:\Users\Admin\Documents\robot\skin\mainres.xml

Filesize
671B

MD5
47fb824e5df4deb39e5b5342e833d8e4

SHA1
3196520d4dabefd5b4eb6c689210d5ce459476da

SHA256
04fb5ba3130fb6cb99ce5d5ffa11a8df2d2c02fcb9dd3517d691bf97e0369289

SHA512
fb64455995630400f73a4725e365e44c8d77dd1ccb534c2ba8a0ff50cf42c9b838abe7bf63e98596bc40466a3c7eafda29d7981564684772afd3cba136e6bb42

Download Submit
C:\Users\Admin\Documents\robot\switch.json

Filesize
142B

MD5
08fb3a0f403c967af37d1db1a3764fa8

SHA1
7cbe156d55ecb43a0956fca7d21a28e6526caeee

SHA256
5e0bc36efc862716939431367cf2a370348c97b0ab5c87b177d665dd80f2ef52

SHA512
49211ee927761cdd1c800802d277d183c8b8a36e9c2d44e28ed64a55e78e20732a343553aa5df81d7bd919d5da6e87a93c2ff90eaf192621410aa19d9eb38a4f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
memory/2080-6017-0x00000000774F0000-0x000000007756A000-memory.dmp

Filesize
488KB

Download
memory/2080-133-0x0000000000400000-0x000000000087A000-memory.dmp

Filesize
4.5MB

Download
memory/2080-13265-0x0000000000400000-0x000000000087A000-memory.dmp

Filesize
4.5MB

Download
memory/2080-4008-0x0000000077160000-0x0000000077300000-memory.dmp

Filesize
1.6MB

Download
memory/2080-134-0x0000000076E60000-0x0000000077075000-memory.dmp

Filesize
2.1MB

Download
memory/2080-13290-0x0000000000400000-0x000000000087A000-memory.dmp

Filesize
4.5MB

Download
memory/3720-13206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3720-13205-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3720-13204-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3720-13213-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/3720-13210-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download