Analysis
- max time kernel: 141s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/08/2023, 14:52
Behavioral tasks
- behavioral1: Sample Rat/2345Capture.exe, Resource win7-20230712-en
- behavioral2: Sample Rat/2345Capture.exe, Resource win10v2004-20230703-en
- behavioral3: Sample Rat/Taskmg.exe, Resource win7-20230712-en
- behavioral4: Sample Rat/Taskmg.exe, Resource win10v2004-20230703-en
- behavioral5: Sample Rat/libcef.dll, Resource win7-20230712-en
- behavioral6: Sample Rat/libcef.dll, Resource win10v2004-20230703-en
General
- Target: Rat/Taskmg.exe
- Size: 2.0MB
- MD5: a341b3a7990a811f0666bc0bedefb1dd
- SHA1: 647b053c5308b18b9202c6133b9c85c72b611760
- SHA256: e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1
- SHA512: 9860c5bc63097c3cbfd52eb26528750eb7925488218781c55cb4244fe4a426c5c05c193b16a5ac2624dd708cfe2265d84ef864e47a3fa1c9682139b5e011da73
- SSDEEP: 49152:ZDPHyxkEDRNyxB69FeHkYij8jdphkygcsTuGhthoXsxZZ:ZD/mBDRNgyFeHkYiYpphkygcsTdthoX0
Malware Config
Signatures
- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
- Fatal Rat payload (2 IoCs)
  resource | yara_rule
  behavioral4/memory/1380-140-0x0000000003300000-0x000000000332A000-memory.dmp | fatalrat
  behavioral4/memory/4636-163-0x0000000002F70000-0x0000000002F9A000-memory.dmp | fatalrat
- Executes dropped EXE (1 IoC)
  pid | Process
  4636 | Taskmg.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4636 | Taskmg.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1380 | Taskmg.exe
  Token: SeDebugPrivilege | 4636 | Taskmg.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  1380 | Taskmg.exe
  1380 | Taskmg.exe
  4636 | Taskmg.exe
  4636 | Taskmg.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1380 wrote to memory of 4636 | 1380 | Taskmg.exe | 84
  PID 1380 wrote to memory of 4636 | 1380 | Taskmg.exe | 84
  PID 1380 wrote to memory of 4636 | 1380 | Taskmg.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\Rat\Taskmg.exe "C:\Users\Admin\AppData\Local\Temp\Rat\Taskmg.exe" (PID: 1380)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Taskmg.exe "C:\Users\Admin\AppData\Local\Taskmg.exe" (PID: 4636)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.0MB
  MD5: a341b3a7990a811f0666bc0bedefb1dd
  SHA1: 647b053c5308b18b9202c6133b9c85c72b611760
  SHA256: e09a30a80a3dfc9ec7357358a61227815ef7cc3ae2bd07f7587cec0dc52d8ab1
  SHA512: 9860c5bc63097c3cbfd52eb26528750eb7925488218781c55cb4244fe4a426c5c05c193b16a5ac2624dd708cfe2265d84ef864e47a3fa1c9682139b5e011da73