fatalrat | 3f0cd2633be7ea3c4d26d4aed23d5aa1f449c52c45112c3e2ec792c03a6e0f4d

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
05-11-2023 02:34

Target

NEAS.a19c66d28c3cc04ff2c2a4b552bfe0f0_JC.dll
Size

196KB
MD5

a19c66d28c3cc04ff2c2a4b552bfe0f0
SHA1

a5fd813513020eee33c476d789821a7e9df3c406
SHA256

3f0cd2633be7ea3c4d26d4aed23d5aa1f449c52c45112c3e2ec792c03a6e0f4d
SHA512

552160f99a64a1212887ba0b185eba03fb0c0d853f0ce94203f81f33321f90cfb8f6f3d5407061b547611783916e0de7bdf7010358d63d10c3010ca5279d7ce0
SSDEEP

3072:L4mbIutzlpBARwMJ2KYB6li+FLPLgaSlGcD+0Rp+:klijWbJ2RyNGhp

Score

10^/10

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2128-0-0x0000000000140000-0x000000000016A000-memory.dmp	fatalrat

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2128	2260	rundll32.exe	28
PID 2260 wrote to memory of 2128	2260	rundll32.exe	28
PID 2260 wrote to memory of 2128	2260	rundll32.exe	28
PID 2260 wrote to memory of 2128	2260	rundll32.exe	28
PID 2260 wrote to memory of 2128	2260	rundll32.exe	28
PID 2260 wrote to memory of 2128	2260	rundll32.exe	28
PID 2260 wrote to memory of 2128	2260	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.a19c66d28c3cc04ff2c2a4b552bfe0f0_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.a19c66d28c3cc04ff2c2a4b552bfe0f0_JC.dll,#1
  2⤵
  PID:2128

memory/2128-0-0x0000000000140000-0x000000000016A000-memory.dmp

Filesize
168KB

Download