fatalrat | 0373e6b54ee6a2016973e3764af817b19b3aa9cb97e77845c86227eb215b4e72

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2023 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_f5bde7dc4c139488d3dd8434e92a5cc4_mafia_JC.exe
Size

96KB
MD5

f5bde7dc4c139488d3dd8434e92a5cc4
SHA1

7b682d6607e2a11a88d34e4ad141e4135bdde589
SHA256

0373e6b54ee6a2016973e3764af817b19b3aa9cb97e77845c86227eb215b4e72
SHA512

de8e99335e1459374838baff9d0af4ed3b7a425813de9e4649d613b4165f96d374ebd5db340a3dcadab3bd8a197806146aee26527dc16030534a2c0f4da8dfa0
SSDEEP

1536:J0FfM5+DncE24ujIds67Ef+TTd014UQcqYs3sbTP:WFfM4D1/2+W14UQcqYs

Score

10^/10

fatalrat aspackv2 infostealer rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/448-45-0x0000000000D30000-0x0000000000D5A000-memory.dmp	fatalrat

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00080000000231e4-22.dat	acprotect
behavioral2/files/0x00080000000231e4-36.dat	acprotect
behavioral2/files/0x00080000000231e4-37.dat	acprotect

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00060000000231f5-24.dat	aspack_v212_v242
behavioral2/files/0x00060000000231f5-27.dat	aspack_v212_v242
behavioral2/files/0x00060000000231f5-28.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
4176	Adam.exe
448	Thun.exe

Loads dropped DLL 1 IoCs

pid	Process
448	Thun.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000231e4-22.dat	upx
behavioral2/files/0x00080000000231e4-36.dat	upx
behavioral2/files/0x00080000000231e4-37.dat	upx
behavioral2/memory/448-38-0x00000000744D0000-0x00000000744EF000-memory.dmp	upx
behavioral2/memory/448-50-0x00000000744D0000-0x00000000744EF000-memory.dmp	upx
behavioral2/memory/448-55-0x00000000744D0000-0x00000000744EF000-memory.dmp	upx

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Thun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Thun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4176	Adam.exe
4176	Adam.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe
448	Thun.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	Adam.exe
Token: SeDebugPrivilege	4176	Adam.exe
Token: SeDebugPrivilege	448	Thun.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 4176	3768	2023-08-26_f5bde7dc4c139488d3dd8434e92a5cc4_mafia_JC.exe	96
PID 3768 wrote to memory of 4176	3768	2023-08-26_f5bde7dc4c139488d3dd8434e92a5cc4_mafia_JC.exe	96
PID 3768 wrote to memory of 4176	3768	2023-08-26_f5bde7dc4c139488d3dd8434e92a5cc4_mafia_JC.exe	96
PID 3768 wrote to memory of 448	3768	2023-08-26_f5bde7dc4c139488d3dd8434e92a5cc4_mafia_JC.exe	97
PID 3768 wrote to memory of 448	3768	2023-08-26_f5bde7dc4c139488d3dd8434e92a5cc4_mafia_JC.exe	97
PID 3768 wrote to memory of 448	3768	2023-08-26_f5bde7dc4c139488d3dd8434e92a5cc4_mafia_JC.exe	97

C:\Users\Admin\AppData\Local\Temp\2023-08-26_f5bde7dc4c139488d3dd8434e92a5cc4_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_f5bde7dc4c139488d3dd8434e92a5cc4_mafia_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Users\Public\Documents\Admin558\Adam.exe
  C:\Users\Public\Documents\Admin558\Adam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4176
- C:\Users\Public\Documents\Admin558\Thun.exe
  C:\Users\Public\Documents\Admin558\Thun.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\Admin558\Adam.exe

Filesize
169KB

MD5
928969d2a2dbb58479ae2236ac328d22

SHA1
e4d9631a343d73b1ee0d7e4db55978ce59dee1d6

SHA256
709776daeb0a8aac58b530e9fa0ff61afd4ffad1677c3b46ac7b375ccb1f2c4a

SHA512
62a25aa6ac3383142ab3fdc3462c296ec60f8255173b21443a83b87151c2ce931cf0dd2fb6868f783f13fba8ad3c283d53250e61ebc172f80a0ef47bdcbaae9c

Download Submit
C:\Users\Public\Documents\Admin558\Adam.exe

Filesize
169KB

MD5
928969d2a2dbb58479ae2236ac328d22

SHA1
e4d9631a343d73b1ee0d7e4db55978ce59dee1d6

SHA256
709776daeb0a8aac58b530e9fa0ff61afd4ffad1677c3b46ac7b375ccb1f2c4a

SHA512
62a25aa6ac3383142ab3fdc3462c296ec60f8255173b21443a83b87151c2ce931cf0dd2fb6868f783f13fba8ad3c283d53250e61ebc172f80a0ef47bdcbaae9c

Download Submit
C:\Users\Public\Documents\Admin558\Adam.exe

Filesize
169KB

MD5
928969d2a2dbb58479ae2236ac328d22

SHA1
e4d9631a343d73b1ee0d7e4db55978ce59dee1d6

SHA256
709776daeb0a8aac58b530e9fa0ff61afd4ffad1677c3b46ac7b375ccb1f2c4a

SHA512
62a25aa6ac3383142ab3fdc3462c296ec60f8255173b21443a83b87151c2ce931cf0dd2fb6868f783f13fba8ad3c283d53250e61ebc172f80a0ef47bdcbaae9c

Download Submit
C:\Users\Public\Documents\Admin558\Thun.exe

Filesize
1.1MB

MD5
7c4bfda1e4dfa3a7c59aaeb7fee08c80

SHA1
7ac76bcf4a74ab57aeb62aa59531f8aad14c6c77

SHA256
781609c3f08ad116aa2c342e277c4899ae760e08e6c1593f95b6aa3cf6f5b109

SHA512
bd189c981a1a25c782f4c12dc00a9009a4819a33ee9eacb6c1ba30b1d656965c86099bd0beb66f1ea8cfc0bf5e7a5ddfc370b1a0fd0f69381f216e05d437d68a

Download Submit
C:\Users\Public\Documents\Admin558\Thun.exe

Filesize
1.1MB

MD5
7c4bfda1e4dfa3a7c59aaeb7fee08c80

SHA1
7ac76bcf4a74ab57aeb62aa59531f8aad14c6c77

SHA256
781609c3f08ad116aa2c342e277c4899ae760e08e6c1593f95b6aa3cf6f5b109

SHA512
bd189c981a1a25c782f4c12dc00a9009a4819a33ee9eacb6c1ba30b1d656965c86099bd0beb66f1ea8cfc0bf5e7a5ddfc370b1a0fd0f69381f216e05d437d68a

Download Submit
C:\Users\Public\Documents\Admin558\Thun.exe

Filesize
1.1MB

MD5
7c4bfda1e4dfa3a7c59aaeb7fee08c80

SHA1
7ac76bcf4a74ab57aeb62aa59531f8aad14c6c77

SHA256
781609c3f08ad116aa2c342e277c4899ae760e08e6c1593f95b6aa3cf6f5b109

SHA512
bd189c981a1a25c782f4c12dc00a9009a4819a33ee9eacb6c1ba30b1d656965c86099bd0beb66f1ea8cfc0bf5e7a5ddfc370b1a0fd0f69381f216e05d437d68a

Download Submit
C:\Users\Public\Documents\Admin558\Thunder.exe

Filesize
1.1MB

MD5
61967681c21ab3403d35469c1639d2ca

SHA1
5c5f5090e2033e03346a50ad0cc2f72670667bbf

SHA256
1e4855f383a002839707711cd77b9700074ad3f71037443eb574ffac8af472a2

SHA512
1f70aa3bdf398b05f396d748f8dd1e99212e5bfa779753756e4c4f9dfd0547bc24d2606b6a3e9007b12e044946a7468f79cb4599990140b1bfa4d4f045a0d444

Download Submit
C:\Users\Public\Documents\Admin558\libcef.dll

Filesize
74KB

MD5
745f4b12f1eaa9e8e31628ba57a8b024

SHA1
0da99c3df50aa2f4f89a7a53b985791101a589aa

SHA256
c9bd8c6693239dbed5f1aa5f54b1f08f031ce9538a5839c4aa1b0ad28fb695d8

SHA512
4297053a57914dfe03bf827039b5c7f88e858717ac4d3a739a45af36d68370ccaba46577e53e35a32ff3550babc4d5ec919661643da5dba82191dc2bbcd5a69c

Download Submit
C:\Users\Public\Documents\Admin558\libcef.dll

Filesize
74KB

MD5
745f4b12f1eaa9e8e31628ba57a8b024

SHA1
0da99c3df50aa2f4f89a7a53b985791101a589aa

SHA256
c9bd8c6693239dbed5f1aa5f54b1f08f031ce9538a5839c4aa1b0ad28fb695d8

SHA512
4297053a57914dfe03bf827039b5c7f88e858717ac4d3a739a45af36d68370ccaba46577e53e35a32ff3550babc4d5ec919661643da5dba82191dc2bbcd5a69c

Download Submit
C:\Users\Public\Documents\Admin558\libcef.dll

Filesize
74KB

MD5
745f4b12f1eaa9e8e31628ba57a8b024

SHA1
0da99c3df50aa2f4f89a7a53b985791101a589aa

SHA256
c9bd8c6693239dbed5f1aa5f54b1f08f031ce9538a5839c4aa1b0ad28fb695d8

SHA512
4297053a57914dfe03bf827039b5c7f88e858717ac4d3a739a45af36d68370ccaba46577e53e35a32ff3550babc4d5ec919661643da5dba82191dc2bbcd5a69c

Download Submit
memory/448-39-0x0000000000CB0000-0x0000000000CE5000-memory.dmp

Filesize
212KB

Download
memory/448-38-0x00000000744D0000-0x00000000744EF000-memory.dmp

Filesize
124KB

Download
memory/448-40-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/448-43-0x0000000000CF0000-0x0000000000D28000-memory.dmp

Filesize
224KB

Download
memory/448-41-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/448-45-0x0000000000D30000-0x0000000000D5A000-memory.dmp

Filesize
168KB

Download
memory/448-50-0x00000000744D0000-0x00000000744EF000-memory.dmp

Filesize
124KB

Download
memory/448-51-0x0000000000CB0000-0x0000000000CE5000-memory.dmp

Filesize
212KB

Download
memory/448-55-0x00000000744D0000-0x00000000744EF000-memory.dmp

Filesize
124KB

Download
memory/4176-32-0x0000000000710000-0x0000000000768000-memory.dmp

Filesize
352KB

Download
memory/4176-31-0x0000000000710000-0x0000000000768000-memory.dmp

Filesize
352KB

Download
memory/4176-30-0x0000000000710000-0x0000000000768000-memory.dmp

Filesize
352KB

Download
memory/4176-29-0x0000000000710000-0x0000000000768000-memory.dmp

Filesize
352KB

Download