fatalrat | d034f51c56aff89183119dc15cb6f966960f304e05c57b0f4958cecfc2d4811a

Analysis

max time kernel
122s
max time network
153s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
30-11-2023 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d034f51c56aff89183119dc15cb6f966960f304e05c57b0f4958cecfc2d4811a.exe
Size

1.1MB
MD5

c538e111df08e83a056625baa3255333
SHA1

3196ef0ec82cbdc2cac8727fc034bfc994ca8f0b
SHA256

d034f51c56aff89183119dc15cb6f966960f304e05c57b0f4958cecfc2d4811a
SHA512

1a2d2fe8e7e382301228077b2beac6976c484e64ea849f7ba99153ca5b27b08b6f986fa5936d6ab9f282d0fdd78a76e769d15cd6e7a5ee0e8b143485fa751a12
SSDEEP

24576:zwDXIGPt2U4q9+Jpxcx7REstoKcCuj5qAQNvtOKer50/Zy6+:gIGo3TI7RBo7qZvtOp5n6+

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2040-36-0x00000000001F0000-0x000000000021A000-memory.dmp	fatalrat

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2040	erp.exe
2800	erp.exe

Loads dropped DLL 4 IoCs

pid	Process
2276	d034f51c56aff89183119dc15cb6f966960f304e05c57b0f4958cecfc2d4811a.exe
2040	erp.exe
2040	erp.exe
2800	erp.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\aiwo.jpg	d034f51c56aff89183119dc15cb6f966960f304e05c57b0f4958cecfc2d4811a.exe
File created	C:\Windows\Web\erp.exe	d034f51c56aff89183119dc15cb6f966960f304e05c57b0f4958cecfc2d4811a.exe
File created	C:\Windows\Web\3b.txt	d034f51c56aff89183119dc15cb6f966960f304e05c57b0f4958cecfc2d4811a.exe
File created	C:\Windows\Web\a6.txt	d034f51c56aff89183119dc15cb6f966960f304e05c57b0f4958cecfc2d4811a.exe
File created	C:\Windows\Web\nw_elf.dll	d034f51c56aff89183119dc15cb6f966960f304e05c57b0f4958cecfc2d4811a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	erp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	erp.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2276	d034f51c56aff89183119dc15cb6f966960f304e05c57b0f4958cecfc2d4811a.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe
2040	erp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	erp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2040	2276	d034f51c56aff89183119dc15cb6f966960f304e05c57b0f4958cecfc2d4811a.exe	28
PID 2276 wrote to memory of 2040	2276	d034f51c56aff89183119dc15cb6f966960f304e05c57b0f4958cecfc2d4811a.exe	28
PID 2276 wrote to memory of 2040	2276	d034f51c56aff89183119dc15cb6f966960f304e05c57b0f4958cecfc2d4811a.exe	28
PID 2276 wrote to memory of 2040	2276	d034f51c56aff89183119dc15cb6f966960f304e05c57b0f4958cecfc2d4811a.exe	28
PID 2040 wrote to memory of 2800	2040	erp.exe	29
PID 2040 wrote to memory of 2800	2040	erp.exe	29
PID 2040 wrote to memory of 2800	2040	erp.exe	29
PID 2040 wrote to memory of 2800	2040	erp.exe	29

C:\Users\Admin\AppData\Local\Temp\d034f51c56aff89183119dc15cb6f966960f304e05c57b0f4958cecfc2d4811a.exe
"C:\Users\Admin\AppData\Local\Temp\d034f51c56aff89183119dc15cb6f966960f304e05c57b0f4958cecfc2d4811a.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\Web\erp.exe
  "C:\Windows\Web\erp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\Web\erp.exe
    C:\Windows\Web\erp.exe --type=crashpad-handler /prefetch:7 --no-rate-limit --database=C:\Users\Admin\AppData\Local\Crashpad --annotation=channel= --annotation=plat=Win32 --annotation=prod=书生ERP --annotation=ver=-devel --handshake-handle=0xb8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Crashpad\settings.dat

Filesize
40B

MD5
28a2be0433e3424d30ba316554db40ec

SHA1
4668e63c74f9b25b036828abb39cce89becbc2c7

SHA256
12aa8fb810b7bb9023813c8b5a7ee47fda9a1018c6ecbc7887acbe0c48d936ff

SHA512
7f444dee2685a926e8aa4732fb877ba70cecf1150cef5259a8d4d02d185db19114886a18455cf43096dfd29dd5ce8b0ee9bdadcf093bea115996003ad74e4fae

Download Submit
C:\Windows\Web\a6.txt

Filesize
198KB

MD5
b96ceeb2d20f407a433e9b416dd3a359

SHA1
d31b51633670cb46b9df34b294bb1fc351317937

SHA256
d1fc47d4b7ce95c75026fc127ad5800468c58f1b6316b096417786fef77158f9

SHA512
3faefef780c6355d3688d0d3fd5866ac82d8a468b882e4b223f5e7fa428ad62437818f535e5556e13a3900b4fb43e15783f7affdb80bc75fc8288e3f9e4a5c02

Download Submit
C:\Windows\Web\erp.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
C:\Windows\Web\erp.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
C:\Windows\Web\erp.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
C:\Windows\Web\nw_elf.dll

Filesize
63KB

MD5
41d6c940f8d9fac21bbff423cac25d0c

SHA1
09c3db17b9552689b3f38b9c2be30851f56f15c9

SHA256
7da2b5062b3ed76a250e96aee6b460441bf0feb317f0de7aa5f11d24a49eb393

SHA512
a73f543891f789c438f32c5f4fa187f65e3067752ae3367a4b74ab87bd3e6fe0532b8c31305ac00fbb74c498781d0d3ad016f3d4f5e50afe505a8fc2f9d455c7

Download Submit
\Windows\Web\erp.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
\Windows\Web\erp.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
\Windows\Web\nw_elf.dll

Filesize
63KB

MD5
41d6c940f8d9fac21bbff423cac25d0c

SHA1
09c3db17b9552689b3f38b9c2be30851f56f15c9

SHA256
7da2b5062b3ed76a250e96aee6b460441bf0feb317f0de7aa5f11d24a49eb393

SHA512
a73f543891f789c438f32c5f4fa187f65e3067752ae3367a4b74ab87bd3e6fe0532b8c31305ac00fbb74c498781d0d3ad016f3d4f5e50afe505a8fc2f9d455c7

Download Submit
\Windows\Web\nw_elf.dll

Filesize
63KB

MD5
41d6c940f8d9fac21bbff423cac25d0c

SHA1
09c3db17b9552689b3f38b9c2be30851f56f15c9

SHA256
7da2b5062b3ed76a250e96aee6b460441bf0feb317f0de7aa5f11d24a49eb393

SHA512
a73f543891f789c438f32c5f4fa187f65e3067752ae3367a4b74ab87bd3e6fe0532b8c31305ac00fbb74c498781d0d3ad016f3d4f5e50afe505a8fc2f9d455c7

Download Submit
memory/2040-31-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/2040-35-0x00000000001A0000-0x00000000001D2000-memory.dmp

Filesize
200KB

Download
memory/2040-36-0x00000000001F0000-0x000000000021A000-memory.dmp

Filesize
168KB

Download
memory/2276-7-0x0000000010000000-0x000000001009D000-memory.dmp

Filesize
628KB

Download
memory/2276-14-0x0000000010000000-0x000000001009D000-memory.dmp

Filesize
628KB

Download
memory/2276-13-0x0000000010000000-0x000000001009D000-memory.dmp

Filesize
628KB

Download
memory/2276-9-0x0000000002330000-0x00000000023CA000-memory.dmp

Filesize
616KB

Download