fatalrat | a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2023, 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe
Size

299KB
MD5

5b8b5b65e19ac1bde4757df37cc514f2
SHA1

302ee18b546d39d2f7d99d55a8fdb41839dfffae
SHA256

a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517
SHA512

951b16e3811823301ef5c3f799d1243d8e357060af943866e7ad61b331fc49464a5d133c79bf321970e2f7ed0cfc6dbfdcdef4b7a2a9f1d74a5db6bd621a5831
SSDEEP

384:yf11c+U6A8pWfG+Ax7r6+Y9PffPztcOB8lpI7:yfrAgWfGJxCbPrtc68E7

Score

10^/10

fatalrat aspackv2 infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/2052-181-0x0000000002FF0000-0x000000000301A000-memory.dmp	fatalrat

Downloads MZ/PE file

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000600000002308c-162.dat	aspack_v212_v242
behavioral2/files/0x000600000002308c-165.dat	aspack_v212_v242
behavioral2/files/0x000600000002308c-167.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
3464	Adam.exe
2052	WmiSrv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3464	Adam.exe
3464	Adam.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe
2052	WmiSrv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3464	Adam.exe
Token: SeDebugPrivilege	3464	Adam.exe
Token: SeDebugPrivilege	2052	WmiSrv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2052	WmiSrv.exe
2052	WmiSrv.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 3464	1404	a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe	86
PID 1404 wrote to memory of 3464	1404	a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe	86
PID 1404 wrote to memory of 3464	1404	a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe	86
PID 1404 wrote to memory of 2052	1404	a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe	88
PID 1404 wrote to memory of 2052	1404	a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe	88
PID 1404 wrote to memory of 2052	1404	a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe	88

C:\Users\Admin\AppData\Local\Temp\a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe
"C:\Users\Admin\AppData\Local\Temp\a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Public\Documents\Admin558\Adam.exe
  C:\Users\Public\Documents\Admin558\Adam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3464
- C:\Users\Public\Documents\Admin558\WmiSrv.exe
  C:\Users\Public\Documents\Admin558\WmiSrv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\Admin558\Adam.exe

Filesize
48KB

MD5
2cca2c467cfafb31500b0f5fae518372

SHA1
823a897d3ac313c2c28d9e7276ef8beb0f6ad8d1

SHA256
8071edb914b488e5e693b750f99e25eaaf74d6e587fce4eb5ddcd36ade9a07f2

SHA512
d66f97dd68b15795eccace13e92eebd3d1330637c052e0a0c9e2ef87b5ddc62d4676de74ec9b56aa8084406502a6ab5d547ce6a727427e5f15e53b8e272d7592

Download Submit
C:\Users\Public\Documents\Admin558\Adam.exe

Filesize
48KB

MD5
2cca2c467cfafb31500b0f5fae518372

SHA1
823a897d3ac313c2c28d9e7276ef8beb0f6ad8d1

SHA256
8071edb914b488e5e693b750f99e25eaaf74d6e587fce4eb5ddcd36ade9a07f2

SHA512
d66f97dd68b15795eccace13e92eebd3d1330637c052e0a0c9e2ef87b5ddc62d4676de74ec9b56aa8084406502a6ab5d547ce6a727427e5f15e53b8e272d7592

Download Submit
C:\Users\Public\Documents\Admin558\Adam.exe

Filesize
48KB

MD5
2cca2c467cfafb31500b0f5fae518372

SHA1
823a897d3ac313c2c28d9e7276ef8beb0f6ad8d1

SHA256
8071edb914b488e5e693b750f99e25eaaf74d6e587fce4eb5ddcd36ade9a07f2

SHA512
d66f97dd68b15795eccace13e92eebd3d1330637c052e0a0c9e2ef87b5ddc62d4676de74ec9b56aa8084406502a6ab5d547ce6a727427e5f15e53b8e272d7592

Download Submit
C:\Users\Public\Documents\Admin558\Thunder.exe

Filesize
932KB

MD5
7dd16a3c5ee05579e756b34c23ea1c6e

SHA1
f9df773ebd835addadfea97b353c4b6a11922380

SHA256
387058c609bf7ba4a60b30677c03778ab1a80c3eaa38b0b3e8ca3f354dde1fb0

SHA512
543d51fcf6c5bda5b37497815ab1f1a3e43e31824fb7b14fd63f978a6514bc07eea3bf50b1a5ce58e8a7dd46b87eb78988b6a665bc08931e503c2ad0a55bdbe1

Download Submit
C:\Users\Public\Documents\Admin558\WmiSrv.exe

Filesize
2.0MB

MD5
c7c90fbcbd1a3faa9541dff69636709d

SHA1
2667d3f5c76dd2b6c6f0118bcf43e19cca142c66

SHA256
eed4c28152fa4f961848dd6ef50458b3154db3541d4e32b45564bb9bf65d7614

SHA512
7ce221a2d57dbb4612232153906417f748683badd3f52ad8af5bbe7b74364195361441fb4e2edcd6fe5d210a5a91d4f768acb59761e8ac67118a8b685c7bfe13

Download Submit
C:\Users\Public\Documents\Admin558\WmiSrv.exe

Filesize
2.0MB

MD5
c7c90fbcbd1a3faa9541dff69636709d

SHA1
2667d3f5c76dd2b6c6f0118bcf43e19cca142c66

SHA256
eed4c28152fa4f961848dd6ef50458b3154db3541d4e32b45564bb9bf65d7614

SHA512
7ce221a2d57dbb4612232153906417f748683badd3f52ad8af5bbe7b74364195361441fb4e2edcd6fe5d210a5a91d4f768acb59761e8ac67118a8b685c7bfe13

Download Submit
C:\Users\Public\Documents\Admin558\WmiSrv.exe

Filesize
2.0MB

MD5
c7c90fbcbd1a3faa9541dff69636709d

SHA1
2667d3f5c76dd2b6c6f0118bcf43e19cca142c66

SHA256
eed4c28152fa4f961848dd6ef50458b3154db3541d4e32b45564bb9bf65d7614

SHA512
7ce221a2d57dbb4612232153906417f748683badd3f52ad8af5bbe7b74364195361441fb4e2edcd6fe5d210a5a91d4f768acb59761e8ac67118a8b685c7bfe13

Download Submit
C:\Users\Public\Documents\Admin558\libcef.dll

Filesize
6KB

MD5
a66332a6c7cdda1045ea2a1cd29bf562

SHA1
821ed5f58714c0d0dbc98758d34db583536d8fbc

SHA256
a97b92126ba0c3fce702a5ec7015071b52fb4b3d2746a117c4de7bfb98b38d4b

SHA512
ef8fbf24ec453cd7dfbf819cdb91a14d906a566e6e54b9b6b6139da658da83cabd74a185549a6b0050678c6beff1fa0e31701e562e83c0263d426566fd23f2d2

Download Submit
memory/1404-147-0x0000000000D50000-0x0000000000DE7000-memory.dmp

Filesize
604KB

Download
memory/1404-136-0x0000000000D50000-0x0000000000DE7000-memory.dmp

Filesize
604KB

Download
memory/2052-175-0x0000000001010000-0x0000000001110000-memory.dmp

Filesize
1024KB

Download
memory/2052-176-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/2052-178-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2052-180-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/2052-181-0x0000000002FF0000-0x000000000301A000-memory.dmp

Filesize
168KB

Download
memory/2052-186-0x0000000001010000-0x0000000001110000-memory.dmp

Filesize
1024KB

Download
memory/3464-168-0x0000000000D60000-0x0000000000D7C000-memory.dmp

Filesize
112KB

Download
memory/3464-169-0x0000000000D60000-0x0000000000D7C000-memory.dmp

Filesize
112KB

Download
memory/3464-166-0x0000000000D60000-0x0000000000D7C000-memory.dmp

Filesize
112KB

Download