Malware Analysis Report

2025-03-15 03:55

Sample ID 230810-ybpncsae9x
Target e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d
SHA256 e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d
Tags
fatalrat infostealer rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d

Threat Level: Known bad

The file e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d was found to be: Known bad.

Malicious Activity Summary

fatalrat infostealer rat

FatalRat

Fatal Rat payload

Executes dropped EXE

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-10 19:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 19:36

Reported

2023-08-10 19:39

Platform

win7-20230712-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe

"C:\Users\Admin\AppData\Local\Temp\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 116

Network

Country  Destination           Domain  Proto
HK       39.109.115.130:16553  -       tcp

Files

memory/2080-53-0x0000000000650000-0x0000000000690000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-10 19:36

Reported

2023-08-10 19:39

Platform

win10v2004-20230703-en

Max time kernel

117s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe

"C:\Users\Admin\AppData\Local\Temp\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe"

C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe

"C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe"

Network

Country  Destination           Domain                         Proto
HK       39.109.115.130:16553  -                              tcp
US       8.8.8.8:53            8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53            208.194.73.20.in-addr.arpa     udp
US       8.8.8.8:53            130.115.109.39.in-addr.arpa    udp
US       8.8.8.8:53            240.81.21.72.in-addr.arpa      udp
US       8.8.8.8:53            108.211.229.192.in-addr.arpa   udp
US       8.8.8.8:53            76.32.126.40.in-addr.arpa      udp
HK       39.109.115.130:16553  -                              tcp
HK       39.109.115.130:5858   -                              tcp
US       8.8.8.8:53            158.240.127.40.in-addr.arpa    udp
US       8.8.8.8:53            103.169.127.40.in-addr.arpa    udp
US       8.8.8.8:53            206.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53            126.138.241.8.in-addr.arpa     udp
US       8.8.8.8:53            126.133.241.8.in-addr.arpa     udp
US       8.8.8.8:53            210.143.182.52.in-addr.arpa    udp

Files

memory/4992-133-0x0000000001320000-0x0000000001420000-memory.dmp

memory/4992-134-0x0000000000E70000-0x0000000000E71000-memory.dmp

memory/4992-135-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4992-136-0x0000000010000000-0x0000000010031000-memory.dmp

memory/4992-139-0x0000000001420000-0x000000000144A000-memory.dmp

C:\Users\Admin\AppData\Local\e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d.exe

MD5 62e07fef574fe2914ca58ce1b5efc5d2
SHA1 266d77ba35c3c348402ee93a090a93bf5a7835d4
SHA256 e7bb680df5ae448fa67e272a8e8855bb9409e3a9f3f8c28275a99e3aeaa9388d
SHA512 1a202349e31dcbdc90e0d8ba04593ad5da878cb8f85b926ed2262109909ec094a3e2592e35f02c351e166fd1e4fb4cbbc33f3b168d91b79e509be64ed78524cb

memory/4992-156-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4372-158-0x00000000011C0000-0x00000000012C0000-memory.dmp

memory/4372-160-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4372-162-0x0000000000F70000-0x0000000000F9A000-memory.dmp

memory/4372-167-0x00000000011C0000-0x00000000012C0000-memory.dmp