fatalrat | c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789

General

Target

c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe
Size

556KB
MD5

6e1acf21c78407c478ec1eb2c38284b8
SHA1

f5f82de57c523a8edcc4f05bb6cae1c3d61f4039
SHA256

c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789
SHA512

7258cfe7512d199a2a653dfe541de9f26d2e960f72a44a9429f8de6da65d7ed4decf217b4bfa03957abfddf6802c213468c52b809e4934729a0815becb563713
SSDEEP

6144:/ZHQvaAq+hVnEvt/QW23WHtGgMrmCxFrRP+Eple2bhxILkR0FVq7VKuUvtx5bMal:NQvaA3LniXpgxFrDZx+BC+ZbX

Score

10^/10

fatalrat gh0strat infostealer rat upx

Malware Config

Extracted

Family

gh0strat

C2

206.237.30.55

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/memory/3932-2-0x0000000010000000-0x000000001002B000-memory.dmp	family_gh0strat
behavioral2/memory/632-11-0x0000000010000000-0x000000001002B000-memory.dmp	family_gh0strat
behavioral2/memory/3932-19-0x0000000010000000-0x000000001002B000-memory.dmp	family_gh0strat
behavioral2/memory/632-20-0x0000000010000000-0x000000001002B000-memory.dmp	family_gh0strat
behavioral2/memory/3880-21-0x0000000010000000-0x000000001002B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Fatal Rat payload 5 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/3932-2-0x0000000010000000-0x000000001002B000-memory.dmp	fatalrat
behavioral2/memory/632-11-0x0000000010000000-0x000000001002B000-memory.dmp	fatalrat
behavioral2/memory/3932-19-0x0000000010000000-0x000000001002B000-memory.dmp	fatalrat
behavioral2/memory/632-20-0x0000000010000000-0x000000001002B000-memory.dmp	fatalrat
behavioral2/memory/3880-21-0x0000000010000000-0x000000001002B000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

pid	Process
632	Chrome.exe
3880	Chrome.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3932-0-0x0000000010000000-0x000000001002B000-memory.dmp	upx
behavioral2/memory/3932-2-0x0000000010000000-0x000000001002B000-memory.dmp	upx
behavioral2/memory/632-11-0x0000000010000000-0x000000001002B000-memory.dmp	upx
behavioral2/memory/3880-16-0x0000000010000000-0x000000001002B000-memory.dmp	upx
behavioral2/memory/3932-19-0x0000000010000000-0x000000001002B000-memory.dmp	upx
behavioral2/memory/632-20-0x0000000010000000-0x000000001002B000-memory.dmp	upx
behavioral2/memory/3880-21-0x0000000010000000-0x000000001002B000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\AppPatch\Chrome.exe	Chrome.exe
File created	C:\Program Files (x86)\AppPatch\Chrome.exe	Chrome.exe
File created	C:\Program Files (x86)\AppPatch\Chrome.exe	c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe
File opened for modification	C:\Program Files (x86)\AppPatch\Chrome.exe	c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
440	3932	WerFault.exe	82

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\IntelMangerNet	Chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\IntelMangerNet\Group = "Fatal"	Chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\IntelMangerNet\InstallTime = "2023-09-16 11:41"	Chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\IntelMangerNet	Chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	Chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	Chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services	Chrome.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3932	c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe
Token: SeDebugPrivilege	632	Chrome.exe
Token: SeDebugPrivilege	3880	Chrome.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 3880	632	Chrome.exe	85
PID 632 wrote to memory of 3880	632	Chrome.exe	85
PID 632 wrote to memory of 3880	632	Chrome.exe	85

C:\Users\Admin\AppData\Local\Temp\c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe
"C:\Users\Admin\AppData\Local\Temp\c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 564
  2⤵
  - Program crash
  PID:440

C:\Program Files (x86)\AppPatch\Chrome.exe
"C:\Program Files (x86)\AppPatch\Chrome.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632
- C:\Program Files (x86)\AppPatch\Chrome.exe
  "C:\Program Files (x86)\AppPatch\Chrome.exe" Win7
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3932 -ip 3932
1⤵
PID:2148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AppPatch\Chrome.exe

Filesize
556KB

MD5
6e1acf21c78407c478ec1eb2c38284b8

SHA1
f5f82de57c523a8edcc4f05bb6cae1c3d61f4039

SHA256
c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789

SHA512
7258cfe7512d199a2a653dfe541de9f26d2e960f72a44a9429f8de6da65d7ed4decf217b4bfa03957abfddf6802c213468c52b809e4934729a0815becb563713

Download Submit
C:\Program Files (x86)\AppPatch\Chrome.exe

Filesize
556KB

MD5
6e1acf21c78407c478ec1eb2c38284b8

SHA1
f5f82de57c523a8edcc4f05bb6cae1c3d61f4039

SHA256
c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789

SHA512
7258cfe7512d199a2a653dfe541de9f26d2e960f72a44a9429f8de6da65d7ed4decf217b4bfa03957abfddf6802c213468c52b809e4934729a0815becb563713

Download Submit
C:\Program Files (x86)\AppPatch\Chrome.exe

Filesize
556KB

MD5
6e1acf21c78407c478ec1eb2c38284b8

SHA1
f5f82de57c523a8edcc4f05bb6cae1c3d61f4039

SHA256
c9fc7053ad84c62d28263b28e84df8781f322bc17fd050ecfcbad4ba26c2b789

SHA512
7258cfe7512d199a2a653dfe541de9f26d2e960f72a44a9429f8de6da65d7ed4decf217b4bfa03957abfddf6802c213468c52b809e4934729a0815becb563713

Download Submit
memory/632-11-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/632-20-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/3880-16-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/3880-21-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/3932-0-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/3932-2-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/3932-19-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing