fatalrat | 9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe
Size

9.0MB
MD5

2e0cda9fc4ec5825448161d3f6af0906
SHA1

8f3b57f7ddf7a00e435f372d9013214c24b45b7f
SHA256

9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2
SHA512

9ded8989748ed83e0abbb30e1ca08870b6c231aaae70749fbdbe558b09d8b2df600f968479a8f73ea26e6b1c6d0ff4cc5b6fc23eb4be856d95e27c42f2eb7d8c
SSDEEP

98304:k2/1r91ACJda/Bg3DziUHWumVMPnkqFVwMmJTMNmlFU10dR8NzpKkvz:k2/FYCJcyziUHoWv/FKRJANSFNEpdv

Score

10^/10

fatalrat gh0strat infostealer rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Gh0st RAT payload 7 IoCs

resource	yara_rule
behavioral2/memory/1028-54-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral2/memory/1028-53-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral2/memory/1028-57-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral2/memory/4056-62-0x0000000003AA0000-0x0000000003BED000-memory.dmp	family_gh0strat
behavioral2/memory/4056-61-0x0000000003AA0000-0x0000000003BED000-memory.dmp	family_gh0strat
behavioral2/memory/4056-63-0x0000000003AA0000-0x0000000003BED000-memory.dmp	family_gh0strat
behavioral2/memory/4056-64-0x0000000003AA0000-0x0000000003BED000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/4056-42-0x0000000003160000-0x0000000003189000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe

Executes dropped EXE 4 IoCs

pid	Process
2700	unzip.exe
4056	erp.exe
1028	SkyOption.exe
2556	erp.exe

Loads dropped DLL 3 IoCs

pid	Process
4056	erp.exe
1028	SkyOption.exe
2556	erp.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1028-49-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral2/memory/1028-54-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral2/memory/1028-53-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral2/memory/1028-57-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral2/memory/4056-58-0x0000000003AA0000-0x0000000003BED000-memory.dmp	upx
behavioral2/memory/4056-62-0x0000000003AA0000-0x0000000003BED000-memory.dmp	upx
behavioral2/memory/4056-61-0x0000000003AA0000-0x0000000003BED000-memory.dmp	upx
behavioral2/memory/4056-63-0x0000000003AA0000-0x0000000003BED000-memory.dmp	upx
behavioral2/memory/4056-64-0x0000000003AA0000-0x0000000003BED000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	erp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	erp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2344	9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe
2344	9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe
4056	erp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	erp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2344	9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe
1028	SkyOption.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 1832	2344	9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe	91
PID 2344 wrote to memory of 1832	2344	9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe	91
PID 2344 wrote to memory of 1832	2344	9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe	91
PID 1832 wrote to memory of 2700	1832	cmd.exe	93
PID 1832 wrote to memory of 2700	1832	cmd.exe	93
PID 1832 wrote to memory of 2700	1832	cmd.exe	93
PID 2344 wrote to memory of 4056	2344	9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe	95
PID 2344 wrote to memory of 4056	2344	9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe	95
PID 2344 wrote to memory of 4056	2344	9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe	95
PID 2344 wrote to memory of 1028	2344	9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe	96
PID 2344 wrote to memory of 1028	2344	9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe	96
PID 2344 wrote to memory of 1028	2344	9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe	96
PID 4056 wrote to memory of 2556	4056	erp.exe	97
PID 4056 wrote to memory of 2556	4056	erp.exe	97
PID 4056 wrote to memory of 2556	4056	erp.exe	97

C:\Users\Admin\AppData\Local\Temp\9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe
"C:\Users\Admin\AppData\Local\Temp\9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Recovery\unzip.exe -o C:\Recovery\2333.zip -d C:\Recovery
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Recovery\unzip.exe
    C:\Recovery\unzip.exe -o C:\Recovery\2333.zip -d C:\Recovery
    3⤵
    - Executes dropped EXE
    PID:2700
- C:\Recovery\erp.exe
  "C:\Recovery\erp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Recovery\erp.exe
    C:\Recovery\erp.exe --type=crashpad-handler /prefetch:7 --no-rate-limit --database=C:\Users\Admin\AppData\Local\Crashpad --annotation=channel= --annotation=plat=Win32 --annotation=prod=书生ERP --annotation=ver=-devel --handshake-handle=0x24c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2556
- C:\Recovery\SkyOption.exe
  "C:\Recovery\SkyOption.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\2333.zip

Filesize
4.1MB

MD5
39bb4b089b694ef6e8d5edef8b75633d

SHA1
a22cdaa80df1fbaac3f100fa380fc6155475013e

SHA256
e7eda820015554e7e39ab960235cb54796db56a0e99aa6d3f1f2cafe3f91caa2

SHA512
0022e18ca14d930974a2c8133cf37dabda5a5802da095f0c81ea406a5a2e87e8287a0d209d9858765792f5ed8cf478bb73247c4c8e3938c9f76983d4c02af835

Download Submit
C:\Recovery\SkyOption.exe

Filesize
489KB

MD5
ab88fd36465c5d8da1996c1da1821038

SHA1
16d04d389c40d2c6e5ee11faf8349ae372c99d28

SHA256
02de1d7e7ec382496ede996f52c00e75cf1ba28853eabd53a8e923a98610ffeb

SHA512
d8647ba272a8494a1993786ddfc72dff4f814827cd482785ae582082c266c52e4f7d8552b151fe61cd1851c3167a7d85c22094e944ce78175c641c9447c08d04

Download Submit
C:\Recovery\SkyOption.exe

Filesize
489KB

MD5
ab88fd36465c5d8da1996c1da1821038

SHA1
16d04d389c40d2c6e5ee11faf8349ae372c99d28

SHA256
02de1d7e7ec382496ede996f52c00e75cf1ba28853eabd53a8e923a98610ffeb

SHA512
d8647ba272a8494a1993786ddfc72dff4f814827cd482785ae582082c266c52e4f7d8552b151fe61cd1851c3167a7d85c22094e944ce78175c641c9447c08d04

Download Submit
C:\Recovery\dskinliteu.dll

Filesize
4.0MB

MD5
f48b35beada236353fd804618191b247

SHA1
61b554295d407e3f75462eac0022931291a56a7c

SHA256
500a703a09d85f8e2426dbc56d66897fad125f9c4da0455cf52343a895602ebd

SHA512
1bcc893d0aa1b345075ee0c765b4bf2a190400f2ccf3b66bd442384e0e54494fe98a7e8ac7a8cff56dc44269c47e5b2162cff1513ec571546ba8a65807d7951e

Download Submit
C:\Recovery\dskinliteu.dll

Filesize
4.0MB

MD5
f48b35beada236353fd804618191b247

SHA1
61b554295d407e3f75462eac0022931291a56a7c

SHA256
500a703a09d85f8e2426dbc56d66897fad125f9c4da0455cf52343a895602ebd

SHA512
1bcc893d0aa1b345075ee0c765b4bf2a190400f2ccf3b66bd442384e0e54494fe98a7e8ac7a8cff56dc44269c47e5b2162cff1513ec571546ba8a65807d7951e

Download Submit
C:\Recovery\erp.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
C:\Recovery\erp.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
C:\Recovery\erp.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
C:\Recovery\hex.txt

Filesize
390KB

MD5
2d16c5c935ab997def2273ca9a3f0ca4

SHA1
5303c3afd35674e0c90b4c18daa81de1a318dfa1

SHA256
637ec1d424214afa4d45fd4ddc30122a38ffca736e3b940420042ca9fd6a718d

SHA512
87ef78bfd721380bb14407e61b6d7a3cf9a5c5191ddc4fa054a51107088c3ccac4289fd19f65cd1b49a06d8cbc5b29c35dc5e64d067991cf795ec085a2219726

Download Submit
C:\Recovery\hgfd.bin

Filesize
3KB

MD5
09557e3d1848c43483f8cfb397b365fa

SHA1
64d329633154809ab79e37f7395e9e8153d4e2a6

SHA256
61f574d6739679dced9e704d24766d73800504da5b44694ae3196e4db556dbbf

SHA512
ee82c23f40932ed4f02b1022a608ca946c6d4ed93e72da53d15a7966854d4f69df29bbbfd4cff8d6d2ea645aa85a9dad335b4baf9622dab1550cba25f232fcd9

Download Submit
C:\Recovery\nw_elf.dll

Filesize
4.0MB

MD5
d4895d2e0fa6c401591f9d67ee21c389

SHA1
7d592032b3aaa437184c817b9649d303d1498fd1

SHA256
e2ed5aa2f57a33e9f42e2c25e30029c20bbfbd753e4ff7b43a3ee0ba4ddf5c85

SHA512
71154b7c432408a9e87c908a6f58dd9de94ef97241cf1000282671c1f866b08c5d7753aff997cdb798489aa11630aa0b87e873cc2471d62e8cef491ae33ee67c

Download Submit
C:\Recovery\nw_elf.dll

Filesize
4.0MB

MD5
d4895d2e0fa6c401591f9d67ee21c389

SHA1
7d592032b3aaa437184c817b9649d303d1498fd1

SHA256
e2ed5aa2f57a33e9f42e2c25e30029c20bbfbd753e4ff7b43a3ee0ba4ddf5c85

SHA512
71154b7c432408a9e87c908a6f58dd9de94ef97241cf1000282671c1f866b08c5d7753aff997cdb798489aa11630aa0b87e873cc2471d62e8cef491ae33ee67c

Download Submit
C:\Recovery\nw_elf.dll

Filesize
4.0MB

MD5
d4895d2e0fa6c401591f9d67ee21c389

SHA1
7d592032b3aaa437184c817b9649d303d1498fd1

SHA256
e2ed5aa2f57a33e9f42e2c25e30029c20bbfbd753e4ff7b43a3ee0ba4ddf5c85

SHA512
71154b7c432408a9e87c908a6f58dd9de94ef97241cf1000282671c1f866b08c5d7753aff997cdb798489aa11630aa0b87e873cc2471d62e8cef491ae33ee67c

Download Submit
C:\Recovery\unzip.exe

Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Recovery\unzip.exe

Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Admin\AppData\Local\Crashpad\settings.dat

Filesize
40B

MD5
0ee269d893b509693dac2516501932f7

SHA1
0b2ae772c09b384319cc068726061ac4553e6e09

SHA256
e7259685136f41e3cbd0ae391eed95991df7d85308df31eaba40e7a6bc7efca1

SHA512
7cab2302ac91999f8841adb881c6b632916baddaabd56f44ea4635716c8f81d1e1d642241aff218f6437d7ab2571df0a59db06fcf282d30520b02ad699a5346d

Download Submit
memory/1028-54-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1028-57-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1028-41-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1028-53-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1028-49-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1028-47-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1028-48-0x0000000002420000-0x000000000246E000-memory.dmp

Filesize
312KB

Download
memory/2700-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4056-42-0x0000000003160000-0x0000000003189000-memory.dmp

Filesize
164KB

Download
memory/4056-36-0x0000000003110000-0x0000000003141000-memory.dmp

Filesize
196KB

Download
memory/4056-35-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/4056-58-0x0000000003AA0000-0x0000000003BED000-memory.dmp

Filesize
1.3MB

Download
memory/4056-62-0x0000000003AA0000-0x0000000003BED000-memory.dmp

Filesize
1.3MB

Download
memory/4056-61-0x0000000003AA0000-0x0000000003BED000-memory.dmp

Filesize
1.3MB

Download
memory/4056-63-0x0000000003AA0000-0x0000000003BED000-memory.dmp

Filesize
1.3MB

Download
memory/4056-64-0x0000000003AA0000-0x0000000003BED000-memory.dmp

Filesize
1.3MB

Download