fatalrat | c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789

Analysis

max time kernel
137s
max time network
149s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16-09-2023 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe
Size

556KB
MD5

6e1acf21c78407c478ec1eb2c38284b8
SHA1

f5f82de57c523a8edcc4f05bb6cae1c3d61f4039
SHA256

c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789
SHA512

7258cfe7512d199a2a653dfe541de9f26d2e960f72a44a9429f8de6da65d7ed4decf217b4bfa03957abfddf6802c213468c52b809e4934729a0815becb563713
SSDEEP

6144:/ZHQvaAq+hVnEvt/QW23WHtGgMrmCxFrRP+Eple2bhxILkR0FVq7VKuUvtx5bMal:NQvaA3LniXpgxFrDZx+BC+ZbX

Score

10^/10

fatalrat gh0strat infostealer rat upx

Malware Config

Extracted

Family

gh0strat

206.237.30.55

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/2232-2-0x0000000010000000-0x000000001002B000-memory.dmp	family_gh0strat
behavioral1/memory/2448-10-0x0000000010000000-0x000000001002B000-memory.dmp	family_gh0strat
behavioral1/memory/2800-19-0x0000000010000000-0x000000001002B000-memory.dmp	family_gh0strat
behavioral1/memory/2232-25-0x0000000010000000-0x000000001002B000-memory.dmp	family_gh0strat
behavioral1/memory/2448-26-0x0000000010000000-0x000000001002B000-memory.dmp	family_gh0strat
behavioral1/memory/2800-27-0x0000000010000000-0x000000001002B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Fatal Rat payload 5 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2232-2-0x0000000010000000-0x000000001002B000-memory.dmp	fatalrat
behavioral1/memory/2800-19-0x0000000010000000-0x000000001002B000-memory.dmp	fatalrat
behavioral1/memory/2232-25-0x0000000010000000-0x000000001002B000-memory.dmp	fatalrat
behavioral1/memory/2448-26-0x0000000010000000-0x000000001002B000-memory.dmp	fatalrat
behavioral1/memory/2800-27-0x0000000010000000-0x000000001002B000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

pid	Process
2448	Chrome.exe
2800	Chrome.exe

Loads dropped DLL 6 IoCs

pid	Process
2448	Chrome.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2232-0-0x0000000010000000-0x000000001002B000-memory.dmp	upx
behavioral1/memory/2232-2-0x0000000010000000-0x000000001002B000-memory.dmp	upx
behavioral1/memory/2448-10-0x0000000010000000-0x000000001002B000-memory.dmp	upx
behavioral1/memory/2800-19-0x0000000010000000-0x000000001002B000-memory.dmp	upx
behavioral1/memory/2232-25-0x0000000010000000-0x000000001002B000-memory.dmp	upx
behavioral1/memory/2448-26-0x0000000010000000-0x000000001002B000-memory.dmp	upx
behavioral1/memory/2800-27-0x0000000010000000-0x000000001002B000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AppPatch\Chrome.exe	c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe
File opened for modification	C:\Program Files (x86)\AppPatch\Chrome.exe	c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe
File opened for modification	C:\Program Files (x86)\AppPatch\Chrome.exe	Chrome.exe
File created	C:\Program Files (x86)\AppPatch\Chrome.exe	Chrome.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	2232	WerFault.exe	27

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services	Chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\IntelMangerNet\Group = "Fatal"	Chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\IntelMangerNet\InstallTime = "2023-09-16 11:41"	Chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\IntelMangerNet	Chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	Chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	Chrome.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe
Token: SeDebugPrivilege	2448	Chrome.exe
Token: SeDebugPrivilege	2800	Chrome.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2800	2448	Chrome.exe	29
PID 2448 wrote to memory of 2800	2448	Chrome.exe	29
PID 2448 wrote to memory of 2800	2448	Chrome.exe	29
PID 2448 wrote to memory of 2800	2448	Chrome.exe	29
PID 2232 wrote to memory of 2700	2232	c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe	30
PID 2232 wrote to memory of 2700	2232	c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe	30
PID 2232 wrote to memory of 2700	2232	c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe	30
PID 2232 wrote to memory of 2700	2232	c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe	30

C:\Users\Admin\AppData\Local\Temp\c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe
"C:\Users\Admin\AppData\Local\Temp\c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 56
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2700

C:\Program Files (x86)\AppPatch\Chrome.exe
"C:\Program Files (x86)\AppPatch\Chrome.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Program Files (x86)\AppPatch\Chrome.exe
  "C:\Program Files (x86)\AppPatch\Chrome.exe" Win7
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AppPatch\Chrome.exe

Filesize
556KB

MD5
6e1acf21c78407c478ec1eb2c38284b8

SHA1
f5f82de57c523a8edcc4f05bb6cae1c3d61f4039

SHA256
c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789

SHA512
7258cfe7512d199a2a653dfe541de9f26d2e960f72a44a9429f8de6da65d7ed4decf217b4bfa03957abfddf6802c213468c52b809e4934729a0815becb563713

Download Submit
C:\Program Files (x86)\AppPatch\Chrome.exe

Filesize
556KB

MD5
6e1acf21c78407c478ec1eb2c38284b8

SHA1
f5f82de57c523a8edcc4f05bb6cae1c3d61f4039

SHA256
c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789

SHA512
7258cfe7512d199a2a653dfe541de9f26d2e960f72a44a9429f8de6da65d7ed4decf217b4bfa03957abfddf6802c213468c52b809e4934729a0815becb563713

Download Submit
C:\Program Files (x86)\AppPatch\Chrome.exe

Filesize
556KB

MD5
6e1acf21c78407c478ec1eb2c38284b8

SHA1
f5f82de57c523a8edcc4f05bb6cae1c3d61f4039

SHA256
c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789

SHA512
7258cfe7512d199a2a653dfe541de9f26d2e960f72a44a9429f8de6da65d7ed4decf217b4bfa03957abfddf6802c213468c52b809e4934729a0815becb563713

Download Submit
\Program Files (x86)\AppPatch\Chrome.exe

Filesize
556KB

MD5
6e1acf21c78407c478ec1eb2c38284b8

SHA1
f5f82de57c523a8edcc4f05bb6cae1c3d61f4039

SHA256
c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789

SHA512
7258cfe7512d199a2a653dfe541de9f26d2e960f72a44a9429f8de6da65d7ed4decf217b4bfa03957abfddf6802c213468c52b809e4934729a0815becb563713

Download Submit
\Users\Admin\AppData\Local\Temp\c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe

Filesize
556KB

MD5
6e1acf21c78407c478ec1eb2c38284b8

SHA1
f5f82de57c523a8edcc4f05bb6cae1c3d61f4039

SHA256
c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789

SHA512
7258cfe7512d199a2a653dfe541de9f26d2e960f72a44a9429f8de6da65d7ed4decf217b4bfa03957abfddf6802c213468c52b809e4934729a0815becb563713

Download Submit
\Users\Admin\AppData\Local\Temp\c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe

Filesize
556KB

MD5
6e1acf21c78407c478ec1eb2c38284b8

SHA1
f5f82de57c523a8edcc4f05bb6cae1c3d61f4039

SHA256
c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789

SHA512
7258cfe7512d199a2a653dfe541de9f26d2e960f72a44a9429f8de6da65d7ed4decf217b4bfa03957abfddf6802c213468c52b809e4934729a0815becb563713

Download Submit
\Users\Admin\AppData\Local\Temp\c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe

Filesize
556KB

MD5
6e1acf21c78407c478ec1eb2c38284b8

SHA1
f5f82de57c523a8edcc4f05bb6cae1c3d61f4039

SHA256
c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789

SHA512
7258cfe7512d199a2a653dfe541de9f26d2e960f72a44a9429f8de6da65d7ed4decf217b4bfa03957abfddf6802c213468c52b809e4934729a0815becb563713

Download Submit
\Users\Admin\AppData\Local\Temp\c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe

Filesize
556KB

MD5
6e1acf21c78407c478ec1eb2c38284b8

SHA1
f5f82de57c523a8edcc4f05bb6cae1c3d61f4039

SHA256
c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789

SHA512
7258cfe7512d199a2a653dfe541de9f26d2e960f72a44a9429f8de6da65d7ed4decf217b4bfa03957abfddf6802c213468c52b809e4934729a0815becb563713

Download Submit
\Users\Admin\AppData\Local\Temp\c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe

Filesize
556KB

MD5
6e1acf21c78407c478ec1eb2c38284b8

SHA1
f5f82de57c523a8edcc4f05bb6cae1c3d61f4039

SHA256
c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789

SHA512
7258cfe7512d199a2a653dfe541de9f26d2e960f72a44a9429f8de6da65d7ed4decf217b4bfa03957abfddf6802c213468c52b809e4934729a0815becb563713

Download Submit
memory/2232-2-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/2232-0-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/2232-25-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/2448-10-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/2448-26-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/2800-19-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/2800-27-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download