Analysis
-
max time kernel
146s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
22/10/2023, 11:43
Static task
static1
Behavioral task
behavioral1
Sample
7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
Resource
win10v2004-20231020-en
General
-
Target
7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
-
Size
2.1MB
-
MD5
724c2a51739b5aba9cffb7e1358b5af3
-
SHA1
b9e86b7126279b617d0ce6bd84772033b953ef5f
-
SHA256
7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318
-
SHA512
f289f2a6b8b72d2a8f2ae03d00793f489b17254dcc9dbb11a59971991f188bcb87467b6b996e56a18f697ae46f326fe953125b42a53176c2581f2b0d453f890d
-
SSDEEP
49152:tVef8NffIPbIQ09ufo9m8QCFwyL5FfJel7x1g82T9NlJbGP/m:tVQUIjo9FWIZJerl2+P/m
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload 1 IoCs
resource yara_rule behavioral1/memory/2152-10776-0x0000000000400000-0x000000000081F000-memory.dmp fatalrat -
Executes dropped EXE 1 IoCs
pid Process 1164 BitBrowser.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs
pid Process 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\BitBrowser.exe 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe File opened for modification C:\Program Files (x86)\BitBrowser.exe 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe -
Suspicious behavior: EnumeratesProcesses 51 IoCs
pid Process 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2152 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe"C:\Users\Admin\AppData\Local\Temp\7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152
-
C:\Program Files (x86)\BitBrowser.exe"C:\Program Files (x86)\BitBrowser.exe"1⤵
- Executes dropped EXE
PID:1164
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD5724c2a51739b5aba9cffb7e1358b5af3
SHA1b9e86b7126279b617d0ce6bd84772033b953ef5f
SHA2567225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318
SHA512f289f2a6b8b72d2a8f2ae03d00793f489b17254dcc9dbb11a59971991f188bcb87467b6b996e56a18f697ae46f326fe953125b42a53176c2581f2b0d453f890d