Overview

overview

10

Static

static

3

6ecf7cf74a...07.exe

windows7-x64

8

6ecf7cf74a...07.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2023 08:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607.exe

  • Size

    203KB

  • MD5

    5e8ca71cc6b60c4d92eac70f84e14487

  • SHA1

    58988de5f00c4e8454a8dfd0126a58f39e7db8cb

  • SHA256

    6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607

  • SHA512

    9d83f3c43397b2cb56b3d7112fdab31f5b1d0d7705485ab141f5dafcb4dd955c150feaa0b2b59619933c0fd456ebb96a04f7e507ccb4fe4c6263b1aec68a44e0

  • SSDEEP

    6144:ISEciALqb7GHGuMz7FeuRAOo6SLuQkmsS:ISEcdLqby2aUms

Score
10/10
fatalratinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 1 IoCs
    ratinfostealer
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607.exe
    "C:\Users\Admin\AppData\Local\Temp\6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Users\Public\Admin558\a.exe
      "C:\Users\Public\Admin558\a.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4208
    • C:\Users\Public\Admin558\Googdler.exe
      "C:\Users\Public\Admin558\Googdler.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3396

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Admin558\Googdler.exe
    Filesize

    84KB

    MD5

    686f22f397c2322876239d72d500a0cd

    SHA1

    fcd252fa36d37ee72eb31e0fe353176403fa274b

    SHA256

    715c7de857cd700dcf510988fe5ae0ef24c8fd0c714da74eaac3e967072c5e3d

    SHA512

    812e72466ad23c738e99fddda3301e6313d8a23a1ba6dca25d1feec1232d517524c4e9b7f0df03644b6aad04d1560357c9369ec4f1eb72eac5652eb2ef0ef759

    Download Submit

  • C:\Users\Public\Admin558\Googdler.exe
    Filesize

    84KB

    MD5

    686f22f397c2322876239d72d500a0cd

    SHA1

    fcd252fa36d37ee72eb31e0fe353176403fa274b

    SHA256

    715c7de857cd700dcf510988fe5ae0ef24c8fd0c714da74eaac3e967072c5e3d

    SHA512

    812e72466ad23c738e99fddda3301e6313d8a23a1ba6dca25d1feec1232d517524c4e9b7f0df03644b6aad04d1560357c9369ec4f1eb72eac5652eb2ef0ef759

    Download Submit

  • C:\Users\Public\Admin558\Googdler.exe
    Filesize

    84KB

    MD5

    686f22f397c2322876239d72d500a0cd

    SHA1

    fcd252fa36d37ee72eb31e0fe353176403fa274b

    SHA256

    715c7de857cd700dcf510988fe5ae0ef24c8fd0c714da74eaac3e967072c5e3d

    SHA512

    812e72466ad23c738e99fddda3301e6313d8a23a1ba6dca25d1feec1232d517524c4e9b7f0df03644b6aad04d1560357c9369ec4f1eb72eac5652eb2ef0ef759

    Download Submit

  • C:\Users\Public\Admin558\a.exe
    Filesize

    126KB

    MD5

    c52628453cdf55063ad0a4d6527bdec5

    SHA1

    013fb935ca85e37e94dfff409d1bd6275eb5e3b8

    SHA256

    d764f6bd49645b0ec3662530405c034d9ef9752455170d5aae2310ae37f6658c

    SHA512

    f7f4b1a8c36f76d0d6d5aeb13edb3a39cb71404afe41ca75ab655682831c8640217b83db02ef08d992cb3b943fd06b6a26a917d5830377ef3a5ca84c84c87918

    Download Submit

  • C:\Users\Public\Admin558\a.exe
    Filesize

    126KB

    MD5

    c52628453cdf55063ad0a4d6527bdec5

    SHA1

    013fb935ca85e37e94dfff409d1bd6275eb5e3b8

    SHA256

    d764f6bd49645b0ec3662530405c034d9ef9752455170d5aae2310ae37f6658c

    SHA512

    f7f4b1a8c36f76d0d6d5aeb13edb3a39cb71404afe41ca75ab655682831c8640217b83db02ef08d992cb3b943fd06b6a26a917d5830377ef3a5ca84c84c87918

    Download Submit

  • C:\Users\Public\Admin558\a.exe
    Filesize

    126KB

    MD5

    c52628453cdf55063ad0a4d6527bdec5

    SHA1

    013fb935ca85e37e94dfff409d1bd6275eb5e3b8

    SHA256

    d764f6bd49645b0ec3662530405c034d9ef9752455170d5aae2310ae37f6658c

    SHA512

    f7f4b1a8c36f76d0d6d5aeb13edb3a39cb71404afe41ca75ab655682831c8640217b83db02ef08d992cb3b943fd06b6a26a917d5830377ef3a5ca84c84c87918

    Download Submit

  • memory/3396-30-0x00000000012F0000-0x00000000013F0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3396-31-0x0000000000E90000-0x0000000000E91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3396-32-0x0000000010000000-0x0000000010031000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3396-33-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

    Download

  • memory/3396-36-0x00000000012A0000-0x00000000012CA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3396-41-0x00000000012F0000-0x00000000013F0000-memory.dmp

    Filesize

    1024KB

    Download