fatalrat | 317de7a10ace036e37d3a244516ca67eb674d458c33569c91c911c69481a518c

Analysis

max time kernel
134s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2023 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rat/2345Capture.exe
Size

236KB
MD5

bebcd675fed7940179932dd5aa63b61c
SHA1

bace66cdc1a67a7b32bd7fdd882f2781b9dac672
SHA256

c04e31d99459edf3a093e49d163f2f650ba789a1b3c6c7c98f26af14909615b2
SHA512

d50ece5d75d0aefe741c35874817972a73bc642d33a5a4074a07ab57bbcbaf76a0c3d2e42be2ae0f3ddf59957197019619bf61746818473eb26f22757d8a434d
SSDEEP

6144:pGgyduw1wqkQ5Qc3yHnFjBq0EAkYIkRHXkYIkRH:p4jZkQCieFpzxHXxH

Score

10^/10

fatalrat aspackv2 infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/640-178-0x0000000000F90000-0x0000000000FBA000-memory.dmp	fatalrat
behavioral2/memory/4460-202-0x00000000031B0000-0x00000000031DA000-memory.dmp	fatalrat

Downloads MZ/PE file

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000300000001e5be-160.dat	aspack_v212_v242
behavioral2/files/0x000300000001e5be-163.dat	aspack_v212_v242
behavioral2/files/0x000300000001e5be-165.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

pid	Process
2468	Adam.exe
640	Taskmg.exe
4460	Taskmg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2468	Adam.exe
2468	Adam.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe
4460	Taskmg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	Adam.exe
Token: SeDebugPrivilege	2468	Adam.exe
Token: SeDebugPrivilege	640	Taskmg.exe
Token: SeDebugPrivilege	4460	Taskmg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4460	Taskmg.exe
4460	Taskmg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2468	2328	2345Capture.exe	86
PID 2328 wrote to memory of 2468	2328	2345Capture.exe	86
PID 2328 wrote to memory of 2468	2328	2345Capture.exe	86
PID 2328 wrote to memory of 640	2328	2345Capture.exe	87
PID 2328 wrote to memory of 640	2328	2345Capture.exe	87
PID 2328 wrote to memory of 640	2328	2345Capture.exe	87
PID 640 wrote to memory of 4460	640	Taskmg.exe	91
PID 640 wrote to memory of 4460	640	Taskmg.exe	91
PID 640 wrote to memory of 4460	640	Taskmg.exe	91

C:\Users\Admin\AppData\Local\Temp\Rat\2345Capture.exe
"C:\Users\Admin\AppData\Local\Temp\Rat\2345Capture.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Public\Documents\Admin558\Adam.exe
  C:\Users\Public\Documents\Admin558\Adam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Users\Public\Documents\Admin558\Taskmg.exe
  C:\Users\Public\Documents\Admin558\Taskmg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Users\Admin\AppData\Local\Taskmg.exe
    "C:\Users\Admin\AppData\Local\Taskmg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Taskmg.exe

Filesize
2.0MB

MD5
a341b3a7990a811f0666bc0bedefb1dd

SHA1
647b053c5308b18b9202c6133b9c85c72b611760

SHA256
e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1

SHA512
9860c5bc63097c3cbfd52eb26528750eb7925488218781c55cb4244fe4a426c5c05c193b16a5ac2624dd708cfe2265d84ef864e47a3fa1c9682139b5e011da73

Download Submit
C:\Users\Admin\AppData\Local\Taskmg.exe

Filesize
2.0MB

MD5
a341b3a7990a811f0666bc0bedefb1dd

SHA1
647b053c5308b18b9202c6133b9c85c72b611760

SHA256
e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1

SHA512
9860c5bc63097c3cbfd52eb26528750eb7925488218781c55cb4244fe4a426c5c05c193b16a5ac2624dd708cfe2265d84ef864e47a3fa1c9682139b5e011da73

Download Submit
C:\Users\Admin\AppData\Local\Taskmg.exe

Filesize
2.0MB

MD5
a341b3a7990a811f0666bc0bedefb1dd

SHA1
647b053c5308b18b9202c6133b9c85c72b611760

SHA256
e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1

SHA512
9860c5bc63097c3cbfd52eb26528750eb7925488218781c55cb4244fe4a426c5c05c193b16a5ac2624dd708cfe2265d84ef864e47a3fa1c9682139b5e011da73

Download Submit
C:\Users\Public\Documents\Admin558\Adam.exe

Filesize
48KB

MD5
2cca2c467cfafb31500b0f5fae518372

SHA1
823a897d3ac313c2c28d9e7276ef8beb0f6ad8d1

SHA256
8071edb914b488e5e693b750f99e25eaaf74d6e587fce4eb5ddcd36ade9a07f2

SHA512
d66f97dd68b15795eccace13e92eebd3d1330637c052e0a0c9e2ef87b5ddc62d4676de74ec9b56aa8084406502a6ab5d547ce6a727427e5f15e53b8e272d7592

Download Submit
C:\Users\Public\Documents\Admin558\Adam.exe

Filesize
48KB

MD5
2cca2c467cfafb31500b0f5fae518372

SHA1
823a897d3ac313c2c28d9e7276ef8beb0f6ad8d1

SHA256
8071edb914b488e5e693b750f99e25eaaf74d6e587fce4eb5ddcd36ade9a07f2

SHA512
d66f97dd68b15795eccace13e92eebd3d1330637c052e0a0c9e2ef87b5ddc62d4676de74ec9b56aa8084406502a6ab5d547ce6a727427e5f15e53b8e272d7592

Download Submit
C:\Users\Public\Documents\Admin558\Adam.exe

Filesize
48KB

MD5
2cca2c467cfafb31500b0f5fae518372

SHA1
823a897d3ac313c2c28d9e7276ef8beb0f6ad8d1

SHA256
8071edb914b488e5e693b750f99e25eaaf74d6e587fce4eb5ddcd36ade9a07f2

SHA512
d66f97dd68b15795eccace13e92eebd3d1330637c052e0a0c9e2ef87b5ddc62d4676de74ec9b56aa8084406502a6ab5d547ce6a727427e5f15e53b8e272d7592

Download Submit
C:\Users\Public\Documents\Admin558\Taskmg.exe

Filesize
94KB

MD5
e376fc393659c59a3af365c0f918d28e

SHA1
4288795e1680c8bba231d37c3f6e217ce7444a72

SHA256
d95bde6f4984ad35a0113da3850f55e40b801c7716fe2c7130a350389877d065

SHA512
2771a44cb46242333eaf2d64b9e87077b429c54089c120e65b097f139271547441e98d75886ac69687ede26ff0447df482ade7cd49a48f9e2ba7bb117845f010

Download Submit
C:\Users\Public\Documents\Admin558\Taskmg.exe

Filesize
94KB

MD5
e376fc393659c59a3af365c0f918d28e

SHA1
4288795e1680c8bba231d37c3f6e217ce7444a72

SHA256
d95bde6f4984ad35a0113da3850f55e40b801c7716fe2c7130a350389877d065

SHA512
2771a44cb46242333eaf2d64b9e87077b429c54089c120e65b097f139271547441e98d75886ac69687ede26ff0447df482ade7cd49a48f9e2ba7bb117845f010

Download Submit
C:\Users\Public\Documents\Admin558\Taskmg.exe

Filesize
94KB

MD5
e376fc393659c59a3af365c0f918d28e

SHA1
4288795e1680c8bba231d37c3f6e217ce7444a72

SHA256
d95bde6f4984ad35a0113da3850f55e40b801c7716fe2c7130a350389877d065

SHA512
2771a44cb46242333eaf2d64b9e87077b429c54089c120e65b097f139271547441e98d75886ac69687ede26ff0447df482ade7cd49a48f9e2ba7bb117845f010

Download Submit
C:\Users\Public\Documents\Admin558\Thunder.exe

Filesize
932KB

MD5
7dd16a3c5ee05579e756b34c23ea1c6e

SHA1
f9df773ebd835addadfea97b353c4b6a11922380

SHA256
387058c609bf7ba4a60b30677c03778ab1a80c3eaa38b0b3e8ca3f354dde1fb0

SHA512
543d51fcf6c5bda5b37497815ab1f1a3e43e31824fb7b14fd63f978a6514bc07eea3bf50b1a5ce58e8a7dd46b87eb78988b6a665bc08931e503c2ad0a55bdbe1

Download Submit
C:\Users\Public\Documents\Admin558\libcef.dll

Filesize
6KB

MD5
bb2a1deee1190183d91b8bdbf535498f

SHA1
3369b9324f8ae1c3cde6c779c6eb810516cd8d90

SHA256
57db4cc481facc6feeb350a85856efb2f05cbb724b84332d283e0a8133e4a51b

SHA512
9b86fc3c81f7a99926d869e053e79a4833bbe4c0d185c5d26b5208a054097ceda79fe710ad42d0758dea0f001a8b5cc057c02a85dae49d91dfdef5835ec0a407

Download Submit
memory/640-174-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/640-178-0x0000000000F90000-0x0000000000FBA000-memory.dmp

Filesize
168KB

Download
memory/640-176-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/640-173-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/640-172-0x00000000012E0000-0x00000000013E0000-memory.dmp

Filesize
1024KB

Download
memory/2328-185-0x0000000000240000-0x00000000002B9000-memory.dmp

Filesize
484KB

Download
memory/2328-171-0x0000000000240000-0x00000000002B9000-memory.dmp

Filesize
484KB

Download
memory/2328-133-0x0000000000240000-0x00000000002B9000-memory.dmp

Filesize
484KB

Download
memory/2328-134-0x0000000000240000-0x00000000002B9000-memory.dmp

Filesize
484KB

Download
memory/2328-135-0x0000000000240000-0x00000000002B9000-memory.dmp

Filesize
484KB

Download
memory/2468-167-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/2468-166-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/2468-164-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/4460-198-0x0000000000C40000-0x0000000000D40000-memory.dmp

Filesize
1024KB

Download
memory/4460-200-0x0000000003170000-0x00000000031A8000-memory.dmp

Filesize
224KB

Download
memory/4460-202-0x00000000031B0000-0x00000000031DA000-memory.dmp

Filesize
168KB

Download
memory/4460-207-0x0000000000C40000-0x0000000000D40000-memory.dmp

Filesize
1024KB

Download