fatalrat | 530b818e7b34f95857d6d5370cd54692f19f5ecf2b0a92c400778094c973f41f

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2023, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe
Size

96KB
MD5

9eed79924f483a61a623e9aaefa56c4e
SHA1

2127364ae13f6e6bbd070a72bc9a92a443e1870f
SHA256

530b818e7b34f95857d6d5370cd54692f19f5ecf2b0a92c400778094c973f41f
SHA512

91c6514e463d18ad1d2a0223bf2dff11159d117805fdc165d12b088728be2bd5e8dde3f8512b45074dce02e49e0d99811d861d88b49e0264b540943c2ab865cc
SSDEEP

1536:b0FfM5+DncE24ujIds67Ef+TTd014KWzqYs3cTP:4FfM4D1/2+W14KWzqYs

Score

10^/10

fatalrat aspackv2 infostealer rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/4864-45-0x0000000000C80000-0x0000000000CAA000-memory.dmp	fatalrat

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000002321a-22.dat	acprotect

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000700000002321d-23.dat	aspack_v212_v242
behavioral2/files/0x000800000002321f-24.dat	aspack_v212_v242
behavioral2/files/0x000800000002321f-27.dat	aspack_v212_v242
behavioral2/files/0x000800000002321f-28.dat	aspack_v212_v242
behavioral2/files/0x000700000002321d-34.dat	aspack_v212_v242
behavioral2/files/0x000700000002321d-35.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
2628	Adam.exe
4864	WmiSrv.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002321a-22.dat	upx

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WmiSrv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WmiSrv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2628	Adam.exe
2628	Adam.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe
4864	WmiSrv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	Adam.exe
Token: SeDebugPrivilege	2628	Adam.exe
Token: SeDebugPrivilege	4864	WmiSrv.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 2628	4920	2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe	96
PID 4920 wrote to memory of 2628	4920	2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe	96
PID 4920 wrote to memory of 2628	4920	2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe	96
PID 4920 wrote to memory of 4864	4920	2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe	97
PID 4920 wrote to memory of 4864	4920	2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe	97
PID 4920 wrote to memory of 4864	4920	2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe	97

C:\Users\Admin\AppData\Local\Temp\2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Public\Documents\Admin558\Adam.exe
  C:\Users\Public\Documents\Admin558\Adam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Users\Public\Documents\Admin558\WmiSrv.exe
  C:\Users\Public\Documents\Admin558\WmiSrv.exe
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\Admin558\Adam.exe

Filesize
169KB

MD5
928969d2a2dbb58479ae2236ac328d22

SHA1
e4d9631a343d73b1ee0d7e4db55978ce59dee1d6

SHA256
709776daeb0a8aac58b530e9fa0ff61afd4ffad1677c3b46ac7b375ccb1f2c4a

SHA512
62a25aa6ac3383142ab3fdc3462c296ec60f8255173b21443a83b87151c2ce931cf0dd2fb6868f783f13fba8ad3c283d53250e61ebc172f80a0ef47bdcbaae9c

Download Submit
C:\Users\Public\Documents\Admin558\Adam.exe

Filesize
169KB

MD5
928969d2a2dbb58479ae2236ac328d22

SHA1
e4d9631a343d73b1ee0d7e4db55978ce59dee1d6

SHA256
709776daeb0a8aac58b530e9fa0ff61afd4ffad1677c3b46ac7b375ccb1f2c4a

SHA512
62a25aa6ac3383142ab3fdc3462c296ec60f8255173b21443a83b87151c2ce931cf0dd2fb6868f783f13fba8ad3c283d53250e61ebc172f80a0ef47bdcbaae9c

Download Submit
C:\Users\Public\Documents\Admin558\Adam.exe

Filesize
169KB

MD5
928969d2a2dbb58479ae2236ac328d22

SHA1
e4d9631a343d73b1ee0d7e4db55978ce59dee1d6

SHA256
709776daeb0a8aac58b530e9fa0ff61afd4ffad1677c3b46ac7b375ccb1f2c4a

SHA512
62a25aa6ac3383142ab3fdc3462c296ec60f8255173b21443a83b87151c2ce931cf0dd2fb6868f783f13fba8ad3c283d53250e61ebc172f80a0ef47bdcbaae9c

Download Submit
C:\Users\Public\Documents\Admin558\Thunder.exe

Filesize
1.1MB

MD5
61967681c21ab3403d35469c1639d2ca

SHA1
5c5f5090e2033e03346a50ad0cc2f72670667bbf

SHA256
1e4855f383a002839707711cd77b9700074ad3f71037443eb574ffac8af472a2

SHA512
1f70aa3bdf398b05f396d748f8dd1e99212e5bfa779753756e4c4f9dfd0547bc24d2606b6a3e9007b12e044946a7468f79cb4599990140b1bfa4d4f045a0d444

Download Submit
C:\Users\Public\Documents\Admin558\WmiSrv.exe

Filesize
197KB

MD5
b6335bc769f15b2d20c92c1f6cc8fcc5

SHA1
ef999a8fca3e683b6c3041f12cbddcf5c01b9c57

SHA256
1a3ae7914610860bb295fd5ba9185b1db8f960738a43a20c838cc79e79b47f26

SHA512
b0d10909b27f122725b56b2e81f84c46ea6314fa378c1efc9607db277d3cf1b670067aed3f82a8c29f2f2f9b632b02d79cec59dbe3507de08cb9b3cc4de52eea

Download Submit
C:\Users\Public\Documents\Admin558\WmiSrv.exe

Filesize
197KB

MD5
b6335bc769f15b2d20c92c1f6cc8fcc5

SHA1
ef999a8fca3e683b6c3041f12cbddcf5c01b9c57

SHA256
1a3ae7914610860bb295fd5ba9185b1db8f960738a43a20c838cc79e79b47f26

SHA512
b0d10909b27f122725b56b2e81f84c46ea6314fa378c1efc9607db277d3cf1b670067aed3f82a8c29f2f2f9b632b02d79cec59dbe3507de08cb9b3cc4de52eea

Download Submit
C:\Users\Public\Documents\Admin558\WmiSrv.exe

Filesize
197KB

MD5
b6335bc769f15b2d20c92c1f6cc8fcc5

SHA1
ef999a8fca3e683b6c3041f12cbddcf5c01b9c57

SHA256
1a3ae7914610860bb295fd5ba9185b1db8f960738a43a20c838cc79e79b47f26

SHA512
b0d10909b27f122725b56b2e81f84c46ea6314fa378c1efc9607db277d3cf1b670067aed3f82a8c29f2f2f9b632b02d79cec59dbe3507de08cb9b3cc4de52eea

Download Submit
C:\Users\Public\Documents\Admin558\libcef.dll

Filesize
74KB

MD5
f33ebee08e6201da42174de8813a1401

SHA1
4e9dae56f730ee8118396ae64b1005e1e844c1c1

SHA256
a3ee77ec052b6511264c7a8af3b50e2c295b4a00313609c6f803940880a10685

SHA512
0cc96e19442a680ae41a139f7b4498d69405c4388a065e5da240103fc7d8b760b843860b3c6d7fe90f06ba7b45f9d91a7cadf6b8089ee41e89f79d2b2fd8967f

Download Submit
memory/2628-32-0x00000000007C0000-0x0000000000818000-memory.dmp

Filesize
352KB

Download
memory/2628-29-0x00000000007C0000-0x0000000000818000-memory.dmp

Filesize
352KB

Download
memory/2628-31-0x00000000007C0000-0x0000000000818000-memory.dmp

Filesize
352KB

Download
memory/2628-30-0x00000000007C0000-0x0000000000818000-memory.dmp

Filesize
352KB

Download
memory/4864-37-0x0000000000CF0000-0x0000000000D4E000-memory.dmp

Filesize
376KB

Download
memory/4864-38-0x0000000000CF0000-0x0000000000D4E000-memory.dmp

Filesize
376KB

Download
memory/4864-40-0x0000000000D50000-0x0000000000E50000-memory.dmp

Filesize
1024KB

Download
memory/4864-42-0x0000000000C20000-0x0000000000C58000-memory.dmp

Filesize
224KB

Download
memory/4864-44-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4864-39-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/4864-45-0x0000000000C80000-0x0000000000CAA000-memory.dmp

Filesize
168KB

Download
memory/4864-50-0x0000000000CF0000-0x0000000000D4E000-memory.dmp

Filesize
376KB

Download
memory/4864-51-0x0000000000D50000-0x0000000000E50000-memory.dmp

Filesize
1024KB

Download