fatalrat | 583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303

Analysis

max time kernel
149s
max time network
157s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
26-10-2023 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
Size

2.0MB
MD5

603a8b54656cb1e32727bdc9a6afa82a
SHA1

1020b8bbb67d41e765080d326b4e770ad68fb7fc
SHA256

583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303
SHA512

9a3d12d0909aef21cc8556e6ab5c5a847fbfa726a3535fa0bba0a0355a3ce76ff8ff8d8118baf92500c4e256adf9230db87ed6081bcb1290a919e5ee415db8ca
SSDEEP

49152:MoxVO1wKM5P1kk/Xn47jFQSVWCiwMlU/5:MCVO1a168X4vFvcS/5

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2096-10830-0x0000000000400000-0x0000000000806000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
1524	bitbrowser.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs

pid	Process
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\bitbrowser.exe	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
File opened for modification	C:\Program Files (x86)\bitbrowser.exe	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe

C:\Users\Admin\AppData\Local\Temp\583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
"C:\Users\Admin\AppData\Local\Temp\583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Program Files (x86)\bitbrowser.exe
"C:\Program Files (x86)\bitbrowser.exe"
1⤵
- Executes dropped EXE
PID:1524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\bitbrowser.exe

Filesize
2.0MB

MD5
603a8b54656cb1e32727bdc9a6afa82a

SHA1
1020b8bbb67d41e765080d326b4e770ad68fb7fc

SHA256
583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303

SHA512
9a3d12d0909aef21cc8556e6ab5c5a847fbfa726a3535fa0bba0a0355a3ce76ff8ff8d8118baf92500c4e256adf9230db87ed6081bcb1290a919e5ee415db8ca

Download Submit
memory/1524-15645-0x0000000000400000-0x0000000000806000-memory.dmp

Filesize
4.0MB

Download
memory/1524-11252-0x0000000002260000-0x00000000023E1000-memory.dmp

Filesize
1.5MB

Download
memory/1524-8702-0x0000000000400000-0x0000000000806000-memory.dmp

Filesize
4.0MB

Download
memory/2096-846-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-811-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-820-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-818-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-822-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-824-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-826-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-828-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-850-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-832-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-834-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-838-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-836-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-840-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-842-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-844-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-0-0x0000000000400000-0x0000000000806000-memory.dmp

Filesize
4.0MB

Download
memory/2096-848-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-830-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-816-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-864-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-856-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-858-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-860-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-862-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-854-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-866-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-868-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-870-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-872-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-2547-0x0000000002360000-0x00000000024E1000-memory.dmp

Filesize
1.5MB

Download
memory/2096-8686-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-8693-0x0000000000400000-0x0000000000806000-memory.dmp

Filesize
4.0MB

Download
memory/2096-814-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-812-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-10830-0x0000000000400000-0x0000000000806000-memory.dmp

Filesize
4.0MB

Download
memory/2096-852-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/2096-1-0x0000000076A40000-0x0000000076A87000-memory.dmp

Filesize
284KB

Download