fatalrat | a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
27-11-2023 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa.exe
Size

2.6MB
MD5

b96028390232c414aa1a7e734bd5c457
SHA1

df8f98cf5d3613693057d5ab0a7fcd9842756fbf
SHA256

a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa
SHA512

548488d9c998eac3bd5641c648951f2dc502db10e9396862c0950375908af3f26de8db6a424f68a2c40f4dbb0b6c3a9e249306306bc962c276feb0cad57d59ad
SSDEEP

49152:nmNPCzKewwJIBjZ25HbuEFJnzpGxSs3pLVdEXYV4NmJ9dX79qbucipgpNrWKV52w:nmgz4wJIBjZ25H6EFJn1GxSGLAXYS8JI

Score

10^/10

fatalrat gh0strat infostealer rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2696-33-0x0000000002F80000-0x00000000030CD000-memory.dmp	family_gh0strat
behavioral1/memory/2696-35-0x0000000002F80000-0x00000000030CD000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2696-23-0x00000000007B0000-0x00000000007DA000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
2696	DySDKController.exe

Loads dropped DLL 2 IoCs

pid	Process
2764	a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa.exe
2696	DySDKController.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2696-29-0x0000000002F80000-0x00000000030CD000-memory.dmp	upx
behavioral1/memory/2696-33-0x0000000002F80000-0x00000000030CD000-memory.dmp	upx
behavioral1/memory/2696-35-0x0000000002F80000-0x00000000030CD000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\daidaiWEOI\DyCrashRpt.dll	a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa.exe
File created	C:\Program Files (x86)\daidaiWEOI\DySDKController.exe	a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa.exe
File opened for modification	C:\Program Files (x86)\daidaiWEOI\DySDKController.exe	DySDKController.exe
File created	C:\Program Files (x86)\daidaiWEOI\cvsd.xml	a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa.exe
File created	C:\Program Files (x86)\daidaiWEOI\decvsd.xml	a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa.exe
File created	C:\Program Files (x86)\daidaiWEOI\afd.bin	a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DySDKController.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DySDKController.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa.exe
2764	a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe
2696	DySDKController.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	DySDKController.exe
Token: SeIncBasePriorityPrivilege	2696	DySDKController.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2764	a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2696	2764	a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa.exe	28
PID 2764 wrote to memory of 2696	2764	a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa.exe	28
PID 2764 wrote to memory of 2696	2764	a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa.exe	28
PID 2764 wrote to memory of 2696	2764	a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa.exe	28
PID 2696 wrote to memory of 2528	2696	DySDKController.exe	31
PID 2696 wrote to memory of 2528	2696	DySDKController.exe	31
PID 2696 wrote to memory of 2528	2696	DySDKController.exe	31
PID 2696 wrote to memory of 2528	2696	DySDKController.exe	31

C:\Users\Admin\AppData\Local\Temp\a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa.exe
"C:\Users\Admin\AppData\Local\Temp\a673586be29571a106989389c044f73791a81299c757d7ad2834b5fdfe6585aa.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Program Files (x86)\daidaiWEOI\DySDKController.exe
  "C:\Program Files (x86)\daidaiWEOI\DySDKController.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del /q C:\Program Files (x86)\daidaiWEOI\DySDKController.exe
    3⤵
    PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\daidaiWEOI\DyCrashRpt.dll

Filesize
104KB

MD5
94f35d80029de4bae1ca9ac4dcaccd50

SHA1
71122f63fc68de26d959aa64e1297860c577f99c

SHA256
8e4b05b8506a91af5bcf0cfcdaf8efc40ceba5919faf96a00898f7ac189e47c8

SHA512
209995d64f3525a20bad631768747d44db9a56147a93cfc02e77595dbda7287e83e15898d0ab39ea421d47f2dd1a7d8185664922115540be2bcb34f69b3de13b

Download Submit
C:\Program Files (x86)\daidaiWEOI\DySDKController.exe

Filesize
1.1MB

MD5
5441bc3e3ceb2162a65cbfb4b6e7acd3

SHA1
103a0ec0f23e90def158eff9be7f63f6ca9af420

SHA256
90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

SHA512
f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

Download Submit
C:\Program Files (x86)\daidaiWEOI\DySDKController.exe

Filesize
1.1MB

MD5
5441bc3e3ceb2162a65cbfb4b6e7acd3

SHA1
103a0ec0f23e90def158eff9be7f63f6ca9af420

SHA256
90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

SHA512
f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

Download Submit
C:\Program Files (x86)\daidaiWEOI\afd.bin

Filesize
198KB

MD5
67e71e58d7c84f700d951ef177eb01d8

SHA1
c8a988bacdaf9dd7d2f5b47db13bc68ed1ff26e8

SHA256
37d80f4d1f270885318677fe175d366105733ac09fd1541727e800c38a13d5bc

SHA512
f48e7ae19d2a2ea4a5b6b76ab609fd1efde93cbc8c048e799ba89b19cebb0a3e6775c6d70705a475afbfe5e5d75f6cb95694fab6872c9f58ef966d0d2aa7cf97

Download Submit
\Program Files (x86)\daidaiWEOI\DyCrashRpt.dll

Filesize
104KB

MD5
94f35d80029de4bae1ca9ac4dcaccd50

SHA1
71122f63fc68de26d959aa64e1297860c577f99c

SHA256
8e4b05b8506a91af5bcf0cfcdaf8efc40ceba5919faf96a00898f7ac189e47c8

SHA512
209995d64f3525a20bad631768747d44db9a56147a93cfc02e77595dbda7287e83e15898d0ab39ea421d47f2dd1a7d8185664922115540be2bcb34f69b3de13b

Download Submit
\Program Files (x86)\daidaiWEOI\DySDKController.exe

Filesize
1.1MB

MD5
5441bc3e3ceb2162a65cbfb4b6e7acd3

SHA1
103a0ec0f23e90def158eff9be7f63f6ca9af420

SHA256
90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

SHA512
f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

Download Submit
memory/2696-20-0x00000000003E0000-0x0000000000444000-memory.dmp

Filesize
400KB

Download
memory/2696-18-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/2696-23-0x00000000007B0000-0x00000000007DA000-memory.dmp

Filesize
168KB

Download
memory/2696-16-0x0000000074710000-0x000000007472F000-memory.dmp

Filesize
124KB

Download
memory/2696-29-0x0000000002F80000-0x00000000030CD000-memory.dmp

Filesize
1.3MB

Download
memory/2696-32-0x0000000074710000-0x000000007472F000-memory.dmp

Filesize
124KB

Download
memory/2696-33-0x0000000002F80000-0x00000000030CD000-memory.dmp

Filesize
1.3MB

Download
memory/2696-35-0x0000000002F80000-0x00000000030CD000-memory.dmp

Filesize
1.3MB

Download
memory/2696-36-0x0000000074710000-0x000000007472F000-memory.dmp

Filesize
124KB

Download