fatalrat | 70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2023 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe
Size

15.4MB
MD5

72fa8fdb2aeac623d34c8635744670a4
SHA1

1bcb5e0b3f43d0529650225b05e79cf8c59123fc
SHA256

70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4
SHA512

9398f3a55c978ce993f87595a619f025815fec63e97b15de42ff1acdf8bd770791bdbdfe71ad2ea61fa7af838deb5ef34af4616bf1f15e0829faa82421298b22
SSDEEP

393216:ZZ5ubaquU3Ie1no4aHLup8f7A2yefA4KaxEzJm:ZZIbMU3Z1J7ODR1fzKamJm

Score

10^/10

fatalrat infostealer persistence rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/3116-45-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
4360	sg.tmp
888	m3.exe
4140	spolsvt.exe
3116	spolsvt.exe
2748	PTvrst.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2640-0-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral2/files/0x000600000002320c-12.dat	upx
behavioral2/files/0x000600000002320c-14.dat	upx
behavioral2/memory/888-15-0x0000000000F30000-0x0000000001082000-memory.dmp	upx
behavioral2/memory/2640-50-0x0000000000400000-0x0000000000572000-memory.dmp	upx
behavioral2/memory/888-53-0x0000000000F30000-0x0000000001082000-memory.dmp	upx
behavioral2/memory/888-58-0x0000000000F30000-0x0000000001082000-memory.dmp	upx
behavioral2/memory/2640-78-0x0000000000400000-0x0000000000572000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe"	PTvrst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2748	PTvrst.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 888 set thread context of 4140	888	m3.exe	92
PID 4140 set thread context of 3116	4140	spolsvt.exe	94

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\m3.exe	sg.tmp
File opened for modification	C:\Program Files (x86)\m3.exe	sg.tmp
File created	C:\Program Files (x86)\letsvpn-latest.exe	sg.tmp
File opened for modification	C:\Program Files (x86)\letsvpn-latest.exe	sg.tmp

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\DNomb\spolsvt.exe	m3.exe
File created	C:\Windows\DNomb\yh.png	m3.exe
File created	C:\Windows\DNomb\PTvrst.exe	m3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	m3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
888	m3.exe
888	m3.exe
888	m3.exe
888	m3.exe
888	m3.exe
888	m3.exe
888	m3.exe
888	m3.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe
3116	spolsvt.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeBackupPrivilege	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe
Token: SeRestorePrivilege	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe
Token: 33	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe
Token: SeIncBasePriorityPrivilege	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe
Token: SeCreateGlobalPrivilege	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe
Token: 33	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe
Token: SeIncBasePriorityPrivilege	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe
Token: 33	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe
Token: SeIncBasePriorityPrivilege	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe
Token: SeRestorePrivilege	4360	sg.tmp
Token: 35	4360	sg.tmp
Token: SeSecurityPrivilege	4360	sg.tmp
Token: SeSecurityPrivilege	4360	sg.tmp
Token: 33	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe
Token: SeIncBasePriorityPrivilege	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe
Token: SeDebugPrivilege	3116	spolsvt.exe
Token: SeDebugPrivilege	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
888	m3.exe
888	m3.exe
4140	spolsvt.exe
4140	spolsvt.exe
2748	PTvrst.exe
2748	PTvrst.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 3372	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe	82
PID 2640 wrote to memory of 3372	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe	82
PID 2640 wrote to memory of 4360	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe	84
PID 2640 wrote to memory of 4360	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe	84
PID 2640 wrote to memory of 4360	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe	84
PID 2640 wrote to memory of 888	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe	86
PID 2640 wrote to memory of 888	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe	86
PID 2640 wrote to memory of 888	2640	70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe	86
PID 888 wrote to memory of 4140	888	m3.exe	92
PID 888 wrote to memory of 4140	888	m3.exe	92
PID 888 wrote to memory of 4140	888	m3.exe	92
PID 888 wrote to memory of 4140	888	m3.exe	92
PID 888 wrote to memory of 4140	888	m3.exe	92
PID 888 wrote to memory of 4140	888	m3.exe	92
PID 888 wrote to memory of 4140	888	m3.exe	92
PID 888 wrote to memory of 4140	888	m3.exe	92
PID 888 wrote to memory of 4140	888	m3.exe	92
PID 4140 wrote to memory of 3116	4140	spolsvt.exe	94
PID 4140 wrote to memory of 3116	4140	spolsvt.exe	94
PID 4140 wrote to memory of 3116	4140	spolsvt.exe	94
PID 4140 wrote to memory of 3116	4140	spolsvt.exe	94
PID 4140 wrote to memory of 3116	4140	spolsvt.exe	94
PID 4140 wrote to memory of 3116	4140	spolsvt.exe	94
PID 4140 wrote to memory of 3116	4140	spolsvt.exe	94
PID 4140 wrote to memory of 3116	4140	spolsvt.exe	94

C:\Users\Admin\AppData\Local\Temp\70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe
"C:\Users\Admin\AppData\Local\Temp\70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:3372
- C:\Users\Admin\AppData\Local\Temp\~6955278722715525918~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\70032d6d08402516ab464181773608750231cf5036a9f1cddfc9aad250ee76b4.exe" -y -aoa -o"C:\Program Files (x86)\"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- C:\Program Files (x86)\m3.exe
  "C:\Program Files (x86)\\m3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\DNomb\spolsvt.exe
    C:\Windows\DNomb\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Users\Public\Documents\t\spolsvt.exe
      C:\Users\Public\Documents\t\spolsvt.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4808

C:\Users\Public\Documents\123\PTvrst.exe
"C:\Users\Public\Documents\123\PTvrst.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\m3.exe

Filesize
394KB

MD5
8e20fbdc0ce6cbf27fcc7d3ae77b455f

SHA1
1e1009abe3adc82d6e6070a7e6d4bcddd33a02f3

SHA256
41ec2cee1770658a5f7d52ef1d5705a18fe1bffd27832694c2a92c4c42f9b2e9

SHA512
550b0b8f05e383f9eb2da0de3f51961af25a36646d33cdbbb51e974602410d3172547d1bdb86b60ee276485537e8bcc88f9b16898c2a6bfad774b4dffccbb91e

Download Submit
C:\Program Files (x86)\m3.exe

Filesize
394KB

MD5
8e20fbdc0ce6cbf27fcc7d3ae77b455f

SHA1
1e1009abe3adc82d6e6070a7e6d4bcddd33a02f3

SHA256
41ec2cee1770658a5f7d52ef1d5705a18fe1bffd27832694c2a92c4c42f9b2e9

SHA512
550b0b8f05e383f9eb2da0de3f51961af25a36646d33cdbbb51e974602410d3172547d1bdb86b60ee276485537e8bcc88f9b16898c2a6bfad774b4dffccbb91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6955278722715525918~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
C:\Users\Public\Documents\123\PTvrst.exe

Filesize
1.2MB

MD5
d22cfb5bfaeb1503b12b07e53ef0a149

SHA1
8ea2c85e363f551a159fabd65377affed4e417a1

SHA256
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

SHA512
151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

Download Submit
C:\Users\Public\Documents\123\PTvrst.exe

Filesize
1.2MB

MD5
d22cfb5bfaeb1503b12b07e53ef0a149

SHA1
8ea2c85e363f551a159fabd65377affed4e417a1

SHA256
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

SHA512
151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
memory/888-58-0x0000000000F30000-0x0000000001082000-memory.dmp

Filesize
1.3MB

Download
memory/888-53-0x0000000000F30000-0x0000000001082000-memory.dmp

Filesize
1.3MB

Download
memory/888-15-0x0000000000F30000-0x0000000001082000-memory.dmp

Filesize
1.3MB

Download
memory/2640-0-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2640-78-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2640-50-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2748-69-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/2748-66-0x00000000047E0000-0x00000000047E2000-memory.dmp

Filesize
8KB

Download
memory/2748-81-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/2748-80-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2748-79-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/2748-77-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/2748-75-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/2748-76-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/2748-70-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/2748-57-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2748-74-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/2748-59-0x0000000077564000-0x0000000077566000-memory.dmp

Filesize
8KB

Download
memory/2748-60-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/2748-61-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2748-62-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/2748-63-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/2748-64-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/2748-73-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/2748-65-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/2748-67-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/2748-68-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/2748-72-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/2748-71-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/3116-40-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3116-38-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3116-45-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/3116-44-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3116-39-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4140-25-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4140-26-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4140-27-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4140-32-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4140-33-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4140-24-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download