Analysis

  • max time kernel
    118s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-11-2023 10:01

General

  • Target

    49b32553304f50e71058a7eefcb75983399104dfef69892f7819454f06b1c3dd.exe

  • Size

    2.3MB

  • MD5

    4448b007465689002d925c3951d6e789

  • SHA1

    d0bf5bdcd1119aa5173a577df16ec283f861563e

  • SHA256

    49b32553304f50e71058a7eefcb75983399104dfef69892f7819454f06b1c3dd

  • SHA512

    bd4119b845757b726927dd0eec3dfd61ed1d5aa0c2ff5f55bcdeac42e2bc728a9d588f6bfac4cd9c517e287ed9bb17e903cfad3bd80be4b33e92091f50c80541

  • SSDEEP

    49152:/mNPCzKewwJIBjZ25HbuEFJnzpGxSs3pLVdEXYV4NmJ9dX76uciTst2u0+vs6xFn:/mgz4wJIBjZ25H6EFJn1GxSGLAXYS8Jj

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

  • Fatal Rat payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49b32553304f50e71058a7eefcb75983399104dfef69892f7819454f06b1c3dd.exe
    "C:\Users\Admin\AppData\Local\Temp\49b32553304f50e71058a7eefcb75983399104dfef69892f7819454f06b1c3dd.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Program Files (x86)\daidaiWEOI\DySDKController.exe
      "C:\Program Files (x86)\daidaiWEOI\DySDKController.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\daidaiWEOI\DyCrashRpt.dll

    Filesize

    179KB

    MD5

    2e7b3eee678c1a063fc5fbec25671c67

    SHA1

    3f13bce37a9ec5cae083f72d2d8bed5f534bdffb

    SHA256

    4b1347ca11a27073e45876af68f054189cae55ac6b9cb683d96950d5a1bea1b8

    SHA512

    bcd32b06bee835ccda69fdea7d929f3eec81c6ab61f4131e8d864255d16d871cfcd5fc53e5f59c9ba4cfe833ec5bee2ea9029a78681f8d226f987adc63f5b1e0

  • C:\Program Files (x86)\daidaiWEOI\DySDKController.exe

    Filesize

    1.1MB

    MD5

    5441bc3e3ceb2162a65cbfb4b6e7acd3

    SHA1

    103a0ec0f23e90def158eff9be7f63f6ca9af420

    SHA256

    90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

    SHA512

    f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

  • C:\Program Files (x86)\daidaiWEOI\afd.bin

    Filesize

    198KB

    MD5

    b13ffe8963d3f536bcbd88d4f6ebae93

    SHA1

    dcfdb4fa21a16dd417672c78ccdea8d5904c5f5e

    SHA256

    ab766c0fbcc5610ff5dca17b085d0ef5ed96ef23f0fc8b6a9e8dbe40821830c9

    SHA512

    0a6e3bf78aa2196dda368b3492bd017b4ea562ed0763359619faf6967aae1c88739fb662771bdce3084326e0db5ce0f55f9172f1a598e2d42c489d03500b2672

  • \Program Files (x86)\daidaiWEOI\DyCrashRpt.dll

    Filesize

    179KB

    MD5

    2e7b3eee678c1a063fc5fbec25671c67

    SHA1

    3f13bce37a9ec5cae083f72d2d8bed5f534bdffb

    SHA256

    4b1347ca11a27073e45876af68f054189cae55ac6b9cb683d96950d5a1bea1b8

    SHA512

    bcd32b06bee835ccda69fdea7d929f3eec81c6ab61f4131e8d864255d16d871cfcd5fc53e5f59c9ba4cfe833ec5bee2ea9029a78681f8d226f987adc63f5b1e0

  • \Program Files (x86)\daidaiWEOI\DySDKController.exe

    Filesize

    1.1MB

    MD5

    5441bc3e3ceb2162a65cbfb4b6e7acd3

    SHA1

    103a0ec0f23e90def158eff9be7f63f6ca9af420

    SHA256

    90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

    SHA512

    f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

  • memory/3064-16-0x0000000073FE0000-0x0000000074013000-memory.dmp

    Filesize

    204KB

  • memory/3064-18-0x0000000010000000-0x0000000010031000-memory.dmp

    Filesize

    196KB

  • memory/3064-19-0x0000000000100000-0x0000000000164000-memory.dmp

    Filesize

    400KB

  • memory/3064-23-0x0000000000170000-0x000000000019A000-memory.dmp

    Filesize

    168KB

  • memory/3064-29-0x0000000073FE0000-0x0000000074013000-memory.dmp

    Filesize

    204KB