fatalrat | 5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be

Analysis

max time kernel
120s
max time network
143s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
29-11-2023 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe
Size

6.1MB
MD5

63c67d664927cdb7e163bdb439cb242d
SHA1

9143e2b4bd33f53149f02acd9287f0508e4c0a08
SHA256

5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be
SHA512

e25074ad31ad88654aa47ac8293fac94bb069f926d362bfd664027c1e76e8106151bf09b3a12cb2f31252097705d357d0db1b6a792a435ac9cddbba2f689d5a0
SSDEEP

49152:edwNM1El1BqxJ2wad9QFEDrdggFIt2sj3yXdaqy50QOsCkHfuxJX+nDfbttKIw57:edwknJ0/T1ePWEwjkE/bcI6aMwQIuj

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2860-36-0x0000000000730000-0x000000000075A000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
2860	sihost32smi.exe

Loads dropped DLL 4 IoCs

pid	Process
308	5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Application Verifier\decvsd.xml	5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe
File created	C:\Program Files (x86)\Application Verifier\afd.bin	5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe
File created	C:\Program Files (x86)\Application Verifier\hgsd.db	5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe
File created	C:\Program Files (x86)\Application Verifier\libcef.dll	5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe
File created	C:\Program Files (x86)\Application Verifier\msvcp120d.dll	5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe
File created	C:\Program Files (x86)\Application Verifier\msvcr120d.dll	5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe
File created	C:\Program Files (x86)\Application Verifier\sihost32smi.exe	5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe
File created	C:\Program Files (x86)\Application Verifier\cvsd.xml	5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sihost32smi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	sihost32smi.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
308	5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe
308	5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe
2860	sihost32smi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	sihost32smi.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
308	5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 2860	308	5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe	28
PID 308 wrote to memory of 2860	308	5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe	28
PID 308 wrote to memory of 2860	308	5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe	28
PID 308 wrote to memory of 2860	308	5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe	28

C:\Users\Admin\AppData\Local\Temp\5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe
"C:\Users\Admin\AppData\Local\Temp\5406036590a984cc1168a575c918b223a8eaafc25ca54eba60cf293d9bf2c0be.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:308
- C:\Program Files (x86)\Application Verifier\sihost32smi.exe
  "C:\Program Files (x86)\Application Verifier\sihost32smi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Application Verifier\MSVCP120D.dll

Filesize
796KB

MD5
3049622a9a5bc219504e39aca1fb35d1

SHA1
021d7badb2aeb0d126839cc5b1102b7257fc5a4c

SHA256
f7b62920f0ebd7521baa354eb82c2d96691fdb8eaf169757368ffe38af6aa5b4

SHA512
77c6968d43ea147938f5872de7f5859930a37b8d7ad3d9c4eb0628ed444509e12dd0627dc21628bcf38d516ee0c1a8583e39ebd77fbfd39ebb0989ec9c6aec10

Download Submit
C:\Program Files (x86)\Application Verifier\MSVCR120D.dll

Filesize
1.7MB

MD5
f67ca8d338dfd99e3c540336221f8fa7

SHA1
2d10397d3d84acf96097050949b88dfabede2ce1

SHA256
4c7bafb33eaebf8e9de81b775389d649f26502ccabd4c4540fc1b97bd43102b8

SHA512
ee1154abd3adbfdf8de5e6644d3ec2efea24518e64e39acff5a9f0820a6cf8defb8ad359f5f1c706d1e1b5e9f7c88542fb1ff0391a7f3cf6bc9fae996e5e29c6

Download Submit
C:\Program Files (x86)\Application Verifier\afd.bin

Filesize
198KB

MD5
cf592e5d63e9f464669406927f21ca38

SHA1
7c92432bcf4a2a586485ee9a18112f112fda4285

SHA256
9552507f6e2cde1211a49bc6634333daf9f33f6ccb654b9d6c68f374337b1a72

SHA512
3a4eabec45a8fadccaaa47ca90ee4ff32551e3e0ce25122b4b6362cfdd322498f33041e1c3ee5516ccae7229bd2e263a476cba9475c7f2bb509320a3069542e0

Download Submit
C:\Program Files (x86)\Application Verifier\libcef.dll

Filesize
23KB

MD5
cf5d10808cc788efe501d1b0a904bc71

SHA1
b719ba0de1a119d09c39f5c64028dd894c94abd3

SHA256
e341500d41869fa152a61dbc660ce8a96bf1fab39ca186eb0df9f9ffad69e678

SHA512
6969c36f7ccbc12ae4ab323e4b949163009c3daa6d1471f5efc46eba5b1cbe4056a28e2a7d9398615a65b960fc527276bdf037bc5e19882c9e4655e3e2afc513

Download Submit
C:\Program Files (x86)\Application Verifier\sihost32smi.exe

Filesize
1.4MB

MD5
30136be17e0f4fe52e431979e0465373

SHA1
6181aefff780ffb54ec06810116c3373a9d961dd

SHA256
20d48d2f666be4973e105bc6ead0102d26153d4603c3d787e762bb91b5d15bce

SHA512
7cd8c53f089ecf33e24b9b55aa012ba0fb332f1be2787bb8f78a551cb0934d2f6c4c8d9a53c5f8430a4f396568edab97d0ba4646c76ce41a3474cddca2fe560d

Download Submit
C:\Program Files (x86)\Application Verifier\sihost32smi.exe

Filesize
1.4MB

MD5
30136be17e0f4fe52e431979e0465373

SHA1
6181aefff780ffb54ec06810116c3373a9d961dd

SHA256
20d48d2f666be4973e105bc6ead0102d26153d4603c3d787e762bb91b5d15bce

SHA512
7cd8c53f089ecf33e24b9b55aa012ba0fb332f1be2787bb8f78a551cb0934d2f6c4c8d9a53c5f8430a4f396568edab97d0ba4646c76ce41a3474cddca2fe560d

Download Submit
\Program Files (x86)\Application Verifier\libcef.dll

Filesize
23KB

MD5
cf5d10808cc788efe501d1b0a904bc71

SHA1
b719ba0de1a119d09c39f5c64028dd894c94abd3

SHA256
e341500d41869fa152a61dbc660ce8a96bf1fab39ca186eb0df9f9ffad69e678

SHA512
6969c36f7ccbc12ae4ab323e4b949163009c3daa6d1471f5efc46eba5b1cbe4056a28e2a7d9398615a65b960fc527276bdf037bc5e19882c9e4655e3e2afc513

Download Submit
\Program Files (x86)\Application Verifier\msvcp120d.dll

Filesize
796KB

MD5
3049622a9a5bc219504e39aca1fb35d1

SHA1
021d7badb2aeb0d126839cc5b1102b7257fc5a4c

SHA256
f7b62920f0ebd7521baa354eb82c2d96691fdb8eaf169757368ffe38af6aa5b4

SHA512
77c6968d43ea147938f5872de7f5859930a37b8d7ad3d9c4eb0628ed444509e12dd0627dc21628bcf38d516ee0c1a8583e39ebd77fbfd39ebb0989ec9c6aec10

Download Submit
\Program Files (x86)\Application Verifier\msvcr120d.dll

Filesize
1.7MB

MD5
f67ca8d338dfd99e3c540336221f8fa7

SHA1
2d10397d3d84acf96097050949b88dfabede2ce1

SHA256
4c7bafb33eaebf8e9de81b775389d649f26502ccabd4c4540fc1b97bd43102b8

SHA512
ee1154abd3adbfdf8de5e6644d3ec2efea24518e64e39acff5a9f0820a6cf8defb8ad359f5f1c706d1e1b5e9f7c88542fb1ff0391a7f3cf6bc9fae996e5e29c6

Download Submit
\Program Files (x86)\Application Verifier\sihost32smi.exe

Filesize
1.4MB

MD5
30136be17e0f4fe52e431979e0465373

SHA1
6181aefff780ffb54ec06810116c3373a9d961dd

SHA256
20d48d2f666be4973e105bc6ead0102d26153d4603c3d787e762bb91b5d15bce

SHA512
7cd8c53f089ecf33e24b9b55aa012ba0fb332f1be2787bb8f78a551cb0934d2f6c4c8d9a53c5f8430a4f396568edab97d0ba4646c76ce41a3474cddca2fe560d

Download Submit
memory/308-12-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/308-15-0x0000000000090000-0x00000000000A4000-memory.dmp

Filesize
80KB

Download
memory/2860-31-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/2860-33-0x0000000000160000-0x0000000000192000-memory.dmp

Filesize
200KB

Download
memory/2860-36-0x0000000000730000-0x000000000075A000-memory.dmp

Filesize
168KB

Download