fatalrat | ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba

Analysis

max time kernel
118s
max time network
143s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
28-11-2023 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba.exe
Size

2.7MB
MD5

0dade7bcf1212d7fafda2147303c19a2
SHA1

da9805a8596958e3e1730a51eb7758c0de48283b
SHA256

ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba
SHA512

15558f0b9827cb9338c1987c8c714c246917c7dd4a9f1128de94d2fea05ef1d04ae88007dd0fd82236eb386d373deb4184f82309ae47372577fa5adc3f879c14
SSDEEP

49152:b9oI7ljc+otzcS/qh5lTHciyyiOkDB6sxPGuciQ5/RFFCmpwxSGq:hjpjZoT/qh5F8iyyiOGB6sxBaFFCmpwA

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2300-23-0x0000000000090000-0x00000000000BA000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
2300	DySDKController.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba.exe
2300	DySDKController.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Bonjour32\cvsd.xml	ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba.exe
File created	C:\Program Files (x86)\Bonjour32\decvsd.xml	ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba.exe
File created	C:\Program Files (x86)\Bonjour32\afd.bin	ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba.exe
File created	C:\Program Files (x86)\Bonjour32\DyCrashRpt.dll	ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba.exe
File created	C:\Program Files (x86)\Bonjour32\DySDKController.exe	ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DySDKController.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DySDKController.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2204	ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba.exe
2204	ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe
2300	DySDKController.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	DySDKController.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2204	ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2300	2204	ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba.exe	28
PID 2204 wrote to memory of 2300	2204	ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba.exe	28
PID 2204 wrote to memory of 2300	2204	ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba.exe	28
PID 2204 wrote to memory of 2300	2204	ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba.exe	28

C:\Users\Admin\AppData\Local\Temp\ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba.exe
"C:\Users\Admin\AppData\Local\Temp\ef53c2a2ce21b188a021b9a2c36f05439212b51a1ebd13bb3f7df1dea907a2ba.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Program Files (x86)\Bonjour32\DySDKController.exe
  "C:\Program Files (x86)\Bonjour32\DySDKController.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Bonjour32\DyCrashRpt.dll

Filesize
140KB

MD5
cdf3f515f57bdbd53d4280fe775a1e8c

SHA1
98628ca009a6914cc121ab016323e033304423f5

SHA256
b1e00cd81645fed399d31a36d6ce3e4fb11a4dfc6e44e091d9a488bea5d7ad4f

SHA512
8644ef08787df8182ff226e5f3834527fbe8f642326424f5c3967a16cdf8be557914cac795e826cec3b3bf2398fd83887d085829f380b0cf2dbe5c5184f5fcf6

Download Submit
C:\Program Files (x86)\Bonjour32\DySDKController.exe

Filesize
1.1MB

MD5
5441bc3e3ceb2162a65cbfb4b6e7acd3

SHA1
103a0ec0f23e90def158eff9be7f63f6ca9af420

SHA256
90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

SHA512
f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

Download Submit
C:\Program Files (x86)\Bonjour32\DySDKController.exe

Filesize
1.1MB

MD5
5441bc3e3ceb2162a65cbfb4b6e7acd3

SHA1
103a0ec0f23e90def158eff9be7f63f6ca9af420

SHA256
90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

SHA512
f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

Download Submit
C:\Program Files (x86)\Bonjour32\afd.bin

Filesize
198KB

MD5
67e71e58d7c84f700d951ef177eb01d8

SHA1
c8a988bacdaf9dd7d2f5b47db13bc68ed1ff26e8

SHA256
37d80f4d1f270885318677fe175d366105733ac09fd1541727e800c38a13d5bc

SHA512
f48e7ae19d2a2ea4a5b6b76ab609fd1efde93cbc8c048e799ba89b19cebb0a3e6775c6d70705a475afbfe5e5d75f6cb95694fab6872c9f58ef966d0d2aa7cf97

Download Submit
\Program Files (x86)\Bonjour32\DyCrashRpt.dll

Filesize
140KB

MD5
cdf3f515f57bdbd53d4280fe775a1e8c

SHA1
98628ca009a6914cc121ab016323e033304423f5

SHA256
b1e00cd81645fed399d31a36d6ce3e4fb11a4dfc6e44e091d9a488bea5d7ad4f

SHA512
8644ef08787df8182ff226e5f3834527fbe8f642326424f5c3967a16cdf8be557914cac795e826cec3b3bf2398fd83887d085829f380b0cf2dbe5c5184f5fcf6

Download Submit
\Program Files (x86)\Bonjour32\DySDKController.exe

Filesize
1.1MB

MD5
5441bc3e3ceb2162a65cbfb4b6e7acd3

SHA1
103a0ec0f23e90def158eff9be7f63f6ca9af420

SHA256
90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

SHA512
f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

Download Submit
memory/2300-16-0x00000000745A0000-0x00000000745C8000-memory.dmp

Filesize
160KB

Download
memory/2300-19-0x0000000000270000-0x00000000002D4000-memory.dmp

Filesize
400KB

Download
memory/2300-18-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/2300-23-0x0000000000090000-0x00000000000BA000-memory.dmp

Filesize
168KB

Download
memory/2300-29-0x00000000745A0000-0x00000000745C8000-memory.dmp

Filesize
160KB

Download