fatalrat | e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20

Analysis

max time kernel
90s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2023 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe
Size

3.5MB
MD5

b331ff135846956a414cdcaec85e420f
SHA1

2fd49427e95d9093645bfc6f9d7ba7280bf1fee8
SHA256

e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20
SHA512

0b979fa28171966be656da99aa9abcc00ffe1fc364f3914f96ddb4fbda52368966d3ad7b81673909dbbc888a05160233cce163a599fb41465f19130c8d96939c
SSDEEP

49152:W2dcEdgh8Lrj3vU6/ltO/byhW/XJ+2hCLXqTluciTst2u0+vs6xFw7G:xdcEFjvUwtOWbq0z6w7

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/4452-28-0x0000000001270000-0x000000000129A000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe

Executes dropped EXE 1 IoCs

pid	Process
4452	DySDKController.exe

Loads dropped DLL 1 IoCs

pid	Process
4452	DySDKController.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\daidaiWEOI\cvsd.xml	e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe
File created	C:\Program Files (x86)\daidaiWEOI\decvsd.xml	e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe
File created	C:\Program Files (x86)\daidaiWEOI\afd.bin	e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe
File created	C:\Program Files (x86)\daidaiWEOI\DyCrashRpt.dll	e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe
File created	C:\Program Files (x86)\daidaiWEOI\DySDKController.exe	e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DySDKController.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DySDKController.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
224	e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe
224	e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe
224	e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe
224	e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe
4452	DySDKController.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4452	DySDKController.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
224	e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 4452	224	e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe	86
PID 224 wrote to memory of 4452	224	e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe	86
PID 224 wrote to memory of 4452	224	e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe	86

C:\Users\Admin\AppData\Local\Temp\e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe
"C:\Users\Admin\AppData\Local\Temp\e69b9f730231c88660429ded1362e43522aee7de2ba92bfa71d388741461fd20.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:224
- C:\Program Files (x86)\daidaiWEOI\DySDKController.exe
  "C:\Program Files (x86)\daidaiWEOI\DySDKController.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\daidaiWEOI\DyCrashRpt.dll

Filesize
179KB

MD5
2e7b3eee678c1a063fc5fbec25671c67

SHA1
3f13bce37a9ec5cae083f72d2d8bed5f534bdffb

SHA256
4b1347ca11a27073e45876af68f054189cae55ac6b9cb683d96950d5a1bea1b8

SHA512
bcd32b06bee835ccda69fdea7d929f3eec81c6ab61f4131e8d864255d16d871cfcd5fc53e5f59c9ba4cfe833ec5bee2ea9029a78681f8d226f987adc63f5b1e0

Download Submit
C:\Program Files (x86)\daidaiWEOI\DyCrashRpt.dll

Filesize
179KB

MD5
2e7b3eee678c1a063fc5fbec25671c67

SHA1
3f13bce37a9ec5cae083f72d2d8bed5f534bdffb

SHA256
4b1347ca11a27073e45876af68f054189cae55ac6b9cb683d96950d5a1bea1b8

SHA512
bcd32b06bee835ccda69fdea7d929f3eec81c6ab61f4131e8d864255d16d871cfcd5fc53e5f59c9ba4cfe833ec5bee2ea9029a78681f8d226f987adc63f5b1e0

Download Submit
C:\Program Files (x86)\daidaiWEOI\DySDKController.exe

Filesize
1.1MB

MD5
5441bc3e3ceb2162a65cbfb4b6e7acd3

SHA1
103a0ec0f23e90def158eff9be7f63f6ca9af420

SHA256
90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

SHA512
f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

Download Submit
C:\Program Files (x86)\daidaiWEOI\DySDKController.exe

Filesize
1.1MB

MD5
5441bc3e3ceb2162a65cbfb4b6e7acd3

SHA1
103a0ec0f23e90def158eff9be7f63f6ca9af420

SHA256
90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

SHA512
f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

Download Submit
C:\Program Files (x86)\daidaiWEOI\DySDKController.exe

Filesize
1.1MB

MD5
5441bc3e3ceb2162a65cbfb4b6e7acd3

SHA1
103a0ec0f23e90def158eff9be7f63f6ca9af420

SHA256
90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

SHA512
f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

Download Submit
C:\Program Files (x86)\daidaiWEOI\afd.bin

Filesize
198KB

MD5
b13ffe8963d3f536bcbd88d4f6ebae93

SHA1
dcfdb4fa21a16dd417672c78ccdea8d5904c5f5e

SHA256
ab766c0fbcc5610ff5dca17b085d0ef5ed96ef23f0fc8b6a9e8dbe40821830c9

SHA512
0a6e3bf78aa2196dda368b3492bd017b4ea562ed0763359619faf6967aae1c88739fb662771bdce3084326e0db5ce0f55f9172f1a598e2d42c489d03500b2672

Download Submit
memory/4452-22-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/4452-23-0x0000000073A70000-0x0000000073AA3000-memory.dmp

Filesize
204KB

Download
memory/4452-25-0x00000000013C0000-0x0000000001424000-memory.dmp

Filesize
400KB

Download
memory/4452-28-0x0000000001270000-0x000000000129A000-memory.dmp

Filesize
168KB

Download
memory/4452-33-0x0000000073A70000-0x0000000073AA3000-memory.dmp

Filesize
204KB

Download