fatalrat | fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d

Analysis

max time kernel
121s
max time network
141s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
27-11-2023 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d.exe
Size

2.5MB
MD5

45e33f0cc829f2b29a94bca7d4cfe409
SHA1

24906be653d1b7c2d049c6d0317912cc7d89eac2
SHA256

fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d
SHA512

d560b8185da8de99c270503838f340ca72c8a1cab4f5fa7dc0ef3bc22e5d0dd63e8f1e171fe2c8755a787777325e42cf944d80d67dd97b8bcc5e19beda73444c
SSDEEP

49152:hfajYdJBZO8Vt99U0kJanecCF1ks3rOL5CvKHEw/23HWZjzJHALjcucisuxU04ba:hfc8JO8Vt99UVJanecO1ks3SL5rHl23j

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/3068-23-0x0000000000140000-0x000000000016A000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
3068	DySDKController.exe

Loads dropped DLL 2 IoCs

pid	Process
2600	fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d.exe
3068	DySDKController.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\daidaiWEOI\afd.bin	fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d.exe
File created	C:\Program Files (x86)\daidaiWEOI\DyCrashRpt.dll	fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d.exe
File created	C:\Program Files (x86)\daidaiWEOI\DySDKController.exe	fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d.exe
File created	C:\Program Files (x86)\daidaiWEOI\cvsd.xml	fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d.exe
File created	C:\Program Files (x86)\daidaiWEOI\decvsd.xml	fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DySDKController.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DySDKController.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2600	fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d.exe
2600	fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe
3068	DySDKController.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	DySDKController.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2600	fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 3068	2600	fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d.exe	28
PID 2600 wrote to memory of 3068	2600	fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d.exe	28
PID 2600 wrote to memory of 3068	2600	fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d.exe	28
PID 2600 wrote to memory of 3068	2600	fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d.exe	28

C:\Users\Admin\AppData\Local\Temp\fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d.exe
"C:\Users\Admin\AppData\Local\Temp\fb13a37fee1166a41cc56ff9b5b4969b86b3bbebd04a6e29f22eec40271acb0d.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Program Files (x86)\daidaiWEOI\DySDKController.exe
  "C:\Program Files (x86)\daidaiWEOI\DySDKController.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\daidaiWEOI\DyCrashRpt.dll

Filesize
1.2MB

MD5
def7177524a8363410ba150e76d38154

SHA1
6b1075ec4ef0b059c93baef4d8ea597855d9d5ec

SHA256
47057ce496877d6cfcc832ec8999d9cddfdbaee320cbeaf8a9f07cf3dc852335

SHA512
3ea906e942d00ad4e64375efc9261e86ab1b76007eb9ad487e076273bfe89db0ae71e3d34a368b98de1faf39c0015c5f1b2daba17dec752072d1eda0f2f88015

Download Submit
C:\Program Files (x86)\daidaiWEOI\DySDKController.exe

Filesize
1.1MB

MD5
5441bc3e3ceb2162a65cbfb4b6e7acd3

SHA1
103a0ec0f23e90def158eff9be7f63f6ca9af420

SHA256
90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

SHA512
f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

Download Submit
C:\Program Files (x86)\daidaiWEOI\DySDKController.exe

Filesize
1.1MB

MD5
5441bc3e3ceb2162a65cbfb4b6e7acd3

SHA1
103a0ec0f23e90def158eff9be7f63f6ca9af420

SHA256
90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

SHA512
f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

Download Submit
C:\Program Files (x86)\daidaiWEOI\afd.bin

Filesize
198KB

MD5
e4813426c6d32d0ed3eb21369194f539

SHA1
f23b558f9917765a5e7848b05bd04aef813b46e5

SHA256
56bb0f8be5e06c1e394adbd88a97bbef4d5119a3b38d066c79a523790bb8a8d0

SHA512
2197a288939e21bb83682ac64b280a4fd029e629229c1190f2cc9839064b6ff6486d4c32d84c9c89f565460bae8a10a03a13b6cc5bf7a351b68d5bdf51a321a8

Download Submit
\Program Files (x86)\daidaiWEOI\DyCrashRpt.dll

Filesize
1.2MB

MD5
def7177524a8363410ba150e76d38154

SHA1
6b1075ec4ef0b059c93baef4d8ea597855d9d5ec

SHA256
47057ce496877d6cfcc832ec8999d9cddfdbaee320cbeaf8a9f07cf3dc852335

SHA512
3ea906e942d00ad4e64375efc9261e86ab1b76007eb9ad487e076273bfe89db0ae71e3d34a368b98de1faf39c0015c5f1b2daba17dec752072d1eda0f2f88015

Download Submit
\Program Files (x86)\daidaiWEOI\DySDKController.exe

Filesize
1.1MB

MD5
5441bc3e3ceb2162a65cbfb4b6e7acd3

SHA1
103a0ec0f23e90def158eff9be7f63f6ca9af420

SHA256
90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

SHA512
f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

Download Submit
memory/3068-16-0x00000000749F0000-0x0000000074B2C000-memory.dmp

Filesize
1.2MB

Download
memory/3068-18-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/3068-19-0x0000000000360000-0x00000000003C4000-memory.dmp

Filesize
400KB

Download
memory/3068-23-0x0000000000140000-0x000000000016A000-memory.dmp

Filesize
168KB

Download
memory/3068-29-0x00000000749F0000-0x0000000074B2C000-memory.dmp

Filesize
1.2MB

Download