Analysis Overview
SHA256
e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1
Threat Level: Known bad
The file e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1 was found to be: Known bad.
Malicious Activity Summary
FatalRat
Fatal Rat payload
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-10 11:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-10 11:50
Reported
2023-08-10 11:53
Platform
win7-20230712-en
Max time kernel
118s
Max time network
148s
Command Line
Signatures
FatalRat
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe
"C:\Users\Admin\AppData\Local\Temp\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe"
C:\Users\Admin\AppData\Local\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe
"C:\Users\Admin\AppData\Local\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe"
Network
| Country | Destination | Domain | Proto |
| MU | 156.236.70.181:16553 | | tcp |
| MU | 156.236.70.181:16553 | | tcp |
| MU | 156.236.70.181:5858 | | tcp |
Files
memory/2236-55-0x00000000004E0000-0x00000000005E0000-memory.dmp
memory/2236-56-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2236-57-0x0000000010000000-0x0000000010031000-memory.dmp
memory/2236-58-0x0000000000900000-0x0000000000938000-memory.dmp
memory/2236-61-0x0000000000210000-0x000000000023A000-memory.dmp
\Users\Admin\AppData\Local\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe
| MD5 | a341b3a7990a811f0666bc0bedefb1dd |
| SHA1 | 647b053c5308b18b9202c6133b9c85c72b611760 |
| SHA256 | e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1 |
| SHA512 | 9860c5bc63097c3cbfd52eb26528750eb7925488218781c55cb4244fe4a426c5c05c193b16a5ac2624dd708cfe2265d84ef864e47a3fa1c9682139b5e011da73 |
C:\Users\Admin\AppData\Local\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe
| MD5 | a341b3a7990a811f0666bc0bedefb1dd |
| SHA1 | 647b053c5308b18b9202c6133b9c85c72b611760 |
| SHA256 | e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1 |
| SHA512 | 9860c5bc63097c3cbfd52eb26528750eb7925488218781c55cb4244fe4a426c5c05c193b16a5ac2624dd708cfe2265d84ef864e47a3fa1c9682139b5e011da73 |
memory/2236-73-0x00000000004E0000-0x00000000005E0000-memory.dmp
memory/2256-75-0x00000000001B0000-0x00000000002B0000-memory.dmp
memory/2256-78-0x00000000007F0000-0x0000000000828000-memory.dmp
memory/2256-80-0x0000000000830000-0x000000000085A000-memory.dmp
memory/2256-86-0x00000000001B0000-0x00000000002B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-10 11:50
Reported
2023-08-10 11:53
Platform
win10v2004-20230703-en
Max time kernel
127s
Max time network
148s
Command Line
Signatures
FatalRat
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1900 wrote to memory of 4916 | N/A | C:\Users\Admin\AppData\Local\Temp\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe | C:\Users\Admin\AppData\Local\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe |
| PID 1900 wrote to memory of 4916 | N/A | C:\Users\Admin\AppData\Local\Temp\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe | C:\Users\Admin\AppData\Local\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe |
| PID 1900 wrote to memory of 4916 | N/A | C:\Users\Admin\AppData\Local\Temp\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe | C:\Users\Admin\AppData\Local\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe
"C:\Users\Admin\AppData\Local\Temp\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe"
C:\Users\Admin\AppData\Local\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe
"C:\Users\Admin\AppData\Local\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| MU | 156.236.70.181:16553 | | tcp |
| US | 8.8.8.8:53 | 254.158.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.70.236.156.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| MU | 156.236.70.181:16553 | | tcp |
| MU | 156.236.70.181:5858 | | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
memory/1900-134-0x0000000001540000-0x0000000001640000-memory.dmp
memory/1900-136-0x0000000010000000-0x0000000010031000-memory.dmp
memory/1900-135-0x00000000031F0000-0x00000000031F1000-memory.dmp
memory/1900-137-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1900-140-0x0000000003B80000-0x0000000003BAA000-memory.dmp
C:\Users\Admin\AppData\Local\e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1.exe
| MD5 | a341b3a7990a811f0666bc0bedefb1dd |
| SHA1 | 647b053c5308b18b9202c6133b9c85c72b611760 |
| SHA256 | e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1 |
| SHA512 | 9860c5bc63097c3cbfd52eb26528750eb7925488218781c55cb4244fe4a426c5c05c193b16a5ac2624dd708cfe2265d84ef864e47a3fa1c9682139b5e011da73 |
memory/4916-158-0x0000000001060000-0x0000000001160000-memory.dmp
memory/4916-160-0x0000000003500000-0x0000000003538000-memory.dmp
memory/4916-163-0x0000000002B80000-0x0000000002BAA000-memory.dmp
memory/4916-168-0x0000000001060000-0x0000000001160000-memory.dmp