Overview

overview

10

Static

static

1

583bab667b...03.exe

windows7-x64

10

583bab667b...03.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-10-2023 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe

  • Size

    2.0MB

  • MD5

    603a8b54656cb1e32727bdc9a6afa82a

  • SHA1

    1020b8bbb67d41e765080d326b4e770ad68fb7fc

  • SHA256

    583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303

  • SHA512

    9a3d12d0909aef21cc8556e6ab5c5a847fbfa726a3535fa0bba0a0355a3ce76ff8ff8d8118baf92500c4e256adf9230db87ed6081bcb1290a919e5ee415db8ca

  • SSDEEP

    49152:MoxVO1wKM5P1kk/Xn47jFQSVWCiwMlU/5:MCVO1a168X4vFvcS/5

Score
10/10
fatalratinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 5 IoCs
    ratinfostealer
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 13 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe
    "C:\Users\Admin\AppData\Local\Temp\583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:312
  • C:\Program Files (x86)\bitbrowser.exe
    "C:\Program Files (x86)\bitbrowser.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Program Files (x86)\bitbrowser.exe
      "C:\Program Files (x86)\bitbrowser.exe" Win7
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2044

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\bitbrowser.exe
    Filesize

    2.0MB

    MD5

    603a8b54656cb1e32727bdc9a6afa82a

    SHA1

    1020b8bbb67d41e765080d326b4e770ad68fb7fc

    SHA256

    583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303

    SHA512

    9a3d12d0909aef21cc8556e6ab5c5a847fbfa726a3535fa0bba0a0355a3ce76ff8ff8d8118baf92500c4e256adf9230db87ed6081bcb1290a919e5ee415db8ca

    Download Submit

  • C:\Program Files (x86)\bitbrowser.exe
    Filesize

    2.0MB

    MD5

    603a8b54656cb1e32727bdc9a6afa82a

    SHA1

    1020b8bbb67d41e765080d326b4e770ad68fb7fc

    SHA256

    583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303

    SHA512

    9a3d12d0909aef21cc8556e6ab5c5a847fbfa726a3535fa0bba0a0355a3ce76ff8ff8d8118baf92500c4e256adf9230db87ed6081bcb1290a919e5ee415db8ca

    Download Submit

  • C:\Program Files (x86)\bitbrowser.exe
    Filesize

    2.0MB

    MD5

    603a8b54656cb1e32727bdc9a6afa82a

    SHA1

    1020b8bbb67d41e765080d326b4e770ad68fb7fc

    SHA256

    583bab667b93dd222594d5d49b3ece7a629927cfeff44b1820f77c0f09dc3303

    SHA512

    9a3d12d0909aef21cc8556e6ab5c5a847fbfa726a3535fa0bba0a0355a3ce76ff8ff8d8118baf92500c4e256adf9230db87ed6081bcb1290a919e5ee415db8ca

    Download Submit

  • memory/312-13069-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/312-0-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/312-13070-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/312-13071-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/312-13073-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/312-13075-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/312-13076-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/312-13077-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/312-5884-0x0000000075510000-0x000000007558A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/312-3875-0x0000000076860000-0x0000000076A00000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/312-27564-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/312-1-0x0000000077330000-0x0000000077545000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/312-17425-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1932-26157-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1932-29713-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1932-18970-0x0000000075510000-0x000000007558A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1932-26158-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1932-26159-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1932-26161-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1932-26164-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1932-16960-0x0000000076860000-0x0000000076A00000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1932-26156-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1932-13086-0x0000000077330000-0x0000000077545000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2044-26171-0x0000000077330000-0x0000000077545000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2044-26170-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2044-30047-0x0000000076860000-0x0000000076A00000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2044-32056-0x0000000075510000-0x000000007558A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2044-39243-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2044-39244-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2044-39245-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2044-39246-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2044-39248-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2044-39249-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2044-39268-0x0000000000400000-0x0000000000806000-memory.dmp

    Filesize

    4.0MB

    Download