Overview

overview

10

Static

static

3

e69b9f7302...20.exe

windows7-x64

10

e69b9f7302...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2023, 10:01

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe

  • Size

    3.5MB

  • MD5

    b331ff135846956a414cdcaec85e420f

  • SHA1

    2fd49427e95d9093645bfc6f9d7ba7280bf1fee8

  • SHA256

    e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20

  • SHA512

    0b979fa28171966be656da99aa9abcc00ffe1fc364f3914f96ddb4fbda52368966d3ad7b81673909dbbc888a05160233cce163a599fb41465f19130c8d96939c

  • SSDEEP

    49152:W2dcEdgh8Lrj3vU6/ltO/byhW/XJ+2hCLXqTluciTst2u0+vs6xFw7G:xdcEFjvUwtOWbq0z6w7

Score
10/10
fatalratinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 1 IoCs
    ratinfostealer
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe
    "C:\Users\Admin\AppData\Local\Temp\e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Program Files (x86)\daidaiWEOI\DySDKController.exe
      "C:\Program Files (x86)\daidaiWEOI\DySDKController.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\daidaiWEOI\DyCrashRpt.dll
    Filesize

    179KB

    MD5

    2e7b3eee678c1a063fc5fbec25671c67

    SHA1

    3f13bce37a9ec5cae083f72d2d8bed5f534bdffb

    SHA256

    4b1347ca11a27073e45876af68f054189cae55ac6b9cb683d96950d5a1bea1b8

    SHA512

    bcd32b06bee835ccda69fdea7d929f3eec81c6ab61f4131e8d864255d16d871cfcd5fc53e5f59c9ba4cfe833ec5bee2ea9029a78681f8d226f987adc63f5b1e0

    Download Submit

  • C:\Program Files (x86)\daidaiWEOI\DySDKController.exe
    Filesize

    1.1MB

    MD5

    5441bc3e3ceb2162a65cbfb4b6e7acd3

    SHA1

    103a0ec0f23e90def158eff9be7f63f6ca9af420

    SHA256

    90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

    SHA512

    f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

    Download Submit

  • C:\Program Files (x86)\daidaiWEOI\DySDKController.exe
    Filesize

    1.1MB

    MD5

    5441bc3e3ceb2162a65cbfb4b6e7acd3

    SHA1

    103a0ec0f23e90def158eff9be7f63f6ca9af420

    SHA256

    90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

    SHA512

    f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

    Download Submit

  • C:\Program Files (x86)\daidaiWEOI\afd.bin
    Filesize

    198KB

    MD5

    b13ffe8963d3f536bcbd88d4f6ebae93

    SHA1

    dcfdb4fa21a16dd417672c78ccdea8d5904c5f5e

    SHA256

    ab766c0fbcc5610ff5dca17b085d0ef5ed96ef23f0fc8b6a9e8dbe40821830c9

    SHA512

    0a6e3bf78aa2196dda368b3492bd017b4ea562ed0763359619faf6967aae1c88739fb662771bdce3084326e0db5ce0f55f9172f1a598e2d42c489d03500b2672

    Download Submit

  • \Program Files (x86)\daidaiWEOI\DyCrashRpt.dll
    Filesize

    179KB

    MD5

    2e7b3eee678c1a063fc5fbec25671c67

    SHA1

    3f13bce37a9ec5cae083f72d2d8bed5f534bdffb

    SHA256

    4b1347ca11a27073e45876af68f054189cae55ac6b9cb683d96950d5a1bea1b8

    SHA512

    bcd32b06bee835ccda69fdea7d929f3eec81c6ab61f4131e8d864255d16d871cfcd5fc53e5f59c9ba4cfe833ec5bee2ea9029a78681f8d226f987adc63f5b1e0

    Download Submit

  • \Program Files (x86)\daidaiWEOI\DySDKController.exe
    Filesize

    1.1MB

    MD5

    5441bc3e3ceb2162a65cbfb4b6e7acd3

    SHA1

    103a0ec0f23e90def158eff9be7f63f6ca9af420

    SHA256

    90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

    SHA512

    f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

    Download Submit

  • memory/1984-16-0x0000000074CC0000-0x0000000074CF3000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1984-18-0x0000000010000000-0x0000000010031000-memory.dmp

    Filesize

    196KB

    Download

  • memory/1984-19-0x00000000002E0000-0x0000000000344000-memory.dmp

    Filesize

    400KB

    Download

  • memory/1984-23-0x0000000000100000-0x000000000012A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1984-29-0x0000000074CC0000-0x0000000074CF3000-memory.dmp

    Filesize

    204KB

    Download