fatalrat | 7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318

Analysis

max time kernel
146s
max time network
142s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
Size

2.1MB
MD5

724c2a51739b5aba9cffb7e1358b5af3
SHA1

b9e86b7126279b617d0ce6bd84772033b953ef5f
SHA256

7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318
SHA512

f289f2a6b8b72d2a8f2ae03d00793f489b17254dcc9dbb11a59971991f188bcb87467b6b996e56a18f697ae46f326fe953125b42a53176c2581f2b0d453f890d
SSDEEP

49152:tVef8NffIPbIQ09ufo9m8QCFwyL5FfJel7x1g82T9NlJbGP/m:tVQUIjo9FWIZJerl2+P/m

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2152-10776-0x0000000000400000-0x000000000081F000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
1164	BitBrowser.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs

pid	Process
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BitBrowser.exe	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
File opened for modification	C:\Program Files (x86)\BitBrowser.exe	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2152	7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe

C:\Users\Admin\AppData\Local\Temp\7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe
"C:\Users\Admin\AppData\Local\Temp\7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Program Files (x86)\BitBrowser.exe
"C:\Program Files (x86)\BitBrowser.exe"
1⤵
- Executes dropped EXE
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BitBrowser.exe

Filesize
2.1MB

MD5
724c2a51739b5aba9cffb7e1358b5af3

SHA1
b9e86b7126279b617d0ce6bd84772033b953ef5f

SHA256
7225a15c6afbbaf5476f3289f6b161fc543c4b981d72997ca182ae830bbde318

SHA512
f289f2a6b8b72d2a8f2ae03d00793f489b17254dcc9dbb11a59971991f188bcb87467b6b996e56a18f697ae46f326fe953125b42a53176c2581f2b0d453f890d

Download Submit
memory/1164-15640-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/1164-11249-0x0000000002410000-0x0000000002591000-memory.dmp

Filesize
1.5MB

Download
memory/2152-846-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-850-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-816-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-818-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-820-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-822-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-824-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-826-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-828-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-852-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-832-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-834-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-836-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-838-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-840-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-842-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-844-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-0-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/2152-814-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-848-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-830-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-854-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-856-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-858-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-860-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-862-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-864-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-866-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-868-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-870-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-872-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-2547-0x0000000002400000-0x0000000002581000-memory.dmp

Filesize
1.5MB

Download
memory/2152-8686-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-8693-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/2152-812-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-10776-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/2152-811-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2152-1-0x00000000768D0000-0x0000000076917000-memory.dmp

Filesize
284KB

Download