fatalrat | 291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7

General

Target

291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7.dll
Size

922KB
MD5

22019e31ea6f7134c94358e9eb8516fe
SHA1

51673f72f119b1fc391fcb8b0780c0077aac1e13
SHA256

291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7
SHA512

20d226aec3cc06aa2d62b555d144896fc6f7d575968f02997f96875640ba51801b9fd29925dd1e3ec092870a7696c5d14c1c0303f35607aa979f40a28ccc33d4
SSDEEP

24576:pFQlHXEcOC4yQHNrJn46YoNP0jhqFRDxVgx9NbMMdh:8l3EcOJyKNl4kOj6DxoM

Score

10^/10

fatalrat evasion infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 17 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/1500-8-0x0000000003A40000-0x0000000003A76000-memory.dmp	fatalrat
behavioral2/memory/1500-13-0x0000000010000000-0x0000000010209000-memory.dmp	fatalrat
behavioral2/memory/1500-14-0x0000000010000000-0x0000000010209000-memory.dmp	fatalrat
behavioral2/memory/1500-15-0x0000000010000000-0x0000000010209000-memory.dmp	fatalrat
behavioral2/memory/1500-16-0x0000000010000000-0x0000000010209000-memory.dmp	fatalrat
behavioral2/memory/1500-17-0x0000000010000000-0x0000000010209000-memory.dmp	fatalrat
behavioral2/memory/1500-18-0x0000000010000000-0x0000000010209000-memory.dmp	fatalrat
behavioral2/memory/1500-19-0x0000000010000000-0x0000000010209000-memory.dmp	fatalrat
behavioral2/memory/1500-20-0x0000000010000000-0x0000000010209000-memory.dmp	fatalrat
behavioral2/memory/1500-21-0x0000000010000000-0x0000000010209000-memory.dmp	fatalrat
behavioral2/memory/1500-22-0x0000000010000000-0x0000000010209000-memory.dmp	fatalrat
behavioral2/memory/1500-23-0x0000000010000000-0x0000000010209000-memory.dmp	fatalrat
behavioral2/memory/1500-24-0x0000000010000000-0x0000000010209000-memory.dmp	fatalrat
behavioral2/memory/1500-25-0x0000000010000000-0x0000000010209000-memory.dmp	fatalrat
behavioral2/memory/1500-26-0x0000000010000000-0x0000000010209000-memory.dmp	fatalrat
behavioral2/memory/1500-27-0x0000000010000000-0x0000000010209000-memory.dmp	fatalrat
behavioral2/memory/1500-28-0x0000000010000000-0x0000000010209000-memory.dmp	fatalrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
13	1500	rundll32.exe
26	1500	rundll32.exe
42	1500	rundll32.exe
43	1500	rundll32.exe
44	1500	rundll32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Wine	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1500	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1500	rundll32.exe
1500	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 1500	3088	rundll32.exe	82
PID 3088 wrote to memory of 1500	3088	rundll32.exe	82
PID 3088 wrote to memory of 1500	3088	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7.dll,#1
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Blocklisted process makes network request
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1500-0-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-1-0x0000000002720000-0x00000000027BD000-memory.dmp

Filesize
628KB

Download
memory/1500-2-0x0000000077BA4000-0x0000000077BA6000-memory.dmp

Filesize
8KB

Download
memory/1500-3-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-4-0x0000000003A00000-0x0000000003A01000-memory.dmp

Filesize
4KB

Download
memory/1500-6-0x0000000003A20000-0x0000000003A21000-memory.dmp

Filesize
4KB

Download
memory/1500-7-0x0000000003A30000-0x0000000003A31000-memory.dmp

Filesize
4KB

Download
memory/1500-5-0x0000000003A10000-0x0000000003A12000-memory.dmp

Filesize
8KB

Download
memory/1500-8-0x0000000003A40000-0x0000000003A76000-memory.dmp

Filesize
216KB

Download
memory/1500-13-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-14-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-15-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-16-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-17-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-18-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-19-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-20-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-21-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-22-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-23-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-24-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-25-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-26-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-27-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1500-28-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads