Analysis
-
max time kernel
140s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
20-10-2023 15:19
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.039db5567a5186b57b3a00a04d0e2a20.dll
Resource
win7-20230831-en
windows7-x64
Behavioral task
behavioral2
Sample
NEAS.039db5567a5186b57b3a00a04d0e2a20.dll
Resource
win10v2004-20230915-en
windows10-2004-x64
General
-
Target
NEAS.039db5567a5186b57b3a00a04d0e2a20.dll
-
Size
196KB
-
MD5
039db5567a5186b57b3a00a04d0e2a20
-
SHA1
7eda390e7c16fe66c1c89a2913b11cd3a5dd9236
-
SHA256
f4877f3f155f7aeb635ce86818eea7a159d83c0eaf0e2e86ada8f7018a1a9c71
-
SHA512
23dab108a5f12655ac8aa1ac24be651fbf5a3c8f3f0b59d9c987143a9b07bba2476a1ca55667b02741cf84c01c6cb3fc91a2e97edf02c992d576964a7c7c094e
-
SSDEEP
3072:xYmbI+t/5LZseWDzoPZ6WS6BLfvgaSlpcD+05f:2lmSzkPDNGEf
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload 1 IoCs
resource yara_rule behavioral2/memory/844-0-0x0000000000600000-0x000000000062A000-memory.dmp fatalrat -
Blocklisted process makes network request 1 IoCs
flow pid Process 5 844 rundll32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe 844 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 844 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3856 wrote to memory of 844 3856 rundll32.exe 76 PID 3856 wrote to memory of 844 3856 rundll32.exe 76 PID 3856 wrote to memory of 844 3856 rundll32.exe 76
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.039db5567a5186b57b3a00a04d0e2a20.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.039db5567a5186b57b3a00a04d0e2a20.dll,#12⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844
-