Overview

overview

10

Static

static

3

5f0c6b332e...5d.exe

windows7-x64

10

5f0c6b332e...5d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    79s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2023 20:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5f0c6b332ecbeeb94f8660d9b5c848908af1e4917a600b22d559352d3d47be5d.exe

  • Size

    8.4MB

  • MD5

    aa246caafc8a20e8bc72eadcf20f2b10

  • SHA1

    6ca0bd0ced78d1746be9fb9bd278b9d029e74f08

  • SHA256

    5f0c6b332ecbeeb94f8660d9b5c848908af1e4917a600b22d559352d3d47be5d

  • SHA512

    1582cc4729a543cd54147ed092f348d013e54fcd819fbbfae046d736e3c69cfbdc7e334ebd759b75d15ca90e85b7099297893db59887c66e053900afce09ff42

  • SSDEEP

    98304:xxvIZAUerFooZwXjuPhdTMOgSGF0YMrsWpctwN8IxR88gG/UsQEHxFPZ1:sZrerFooZeIhd1GF0lNBRLcszHxZ

Score
10/10
fatalratgh0stratinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Fatal Rat payload 1 IoCs
    ratinfostealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f0c6b332ecbeeb94f8660d9b5c848908af1e4917a600b22d559352d3d47be5d.exe
    "C:\Users\Admin\AppData\Local\Temp\5f0c6b332ecbeeb94f8660d9b5c848908af1e4917a600b22d559352d3d47be5d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Users\Public\Downloads\WinLong.exe
      "C:\Users\Public\Downloads\WinLong.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Downloads\WinLong.exe
    Filesize

    8.4MB

    MD5

    aa246caafc8a20e8bc72eadcf20f2b10

    SHA1

    6ca0bd0ced78d1746be9fb9bd278b9d029e74f08

    SHA256

    5f0c6b332ecbeeb94f8660d9b5c848908af1e4917a600b22d559352d3d47be5d

    SHA512

    1582cc4729a543cd54147ed092f348d013e54fcd819fbbfae046d736e3c69cfbdc7e334ebd759b75d15ca90e85b7099297893db59887c66e053900afce09ff42

    Download Submit

  • C:\Users\Public\Downloads\WinLong.exe
    Filesize

    8.4MB

    MD5

    aa246caafc8a20e8bc72eadcf20f2b10

    SHA1

    6ca0bd0ced78d1746be9fb9bd278b9d029e74f08

    SHA256

    5f0c6b332ecbeeb94f8660d9b5c848908af1e4917a600b22d559352d3d47be5d

    SHA512

    1582cc4729a543cd54147ed092f348d013e54fcd819fbbfae046d736e3c69cfbdc7e334ebd759b75d15ca90e85b7099297893db59887c66e053900afce09ff42

    Download Submit

  • C:\Users\Public\Downloads\WinLong.exe
    Filesize

    8.4MB

    MD5

    aa246caafc8a20e8bc72eadcf20f2b10

    SHA1

    6ca0bd0ced78d1746be9fb9bd278b9d029e74f08

    SHA256

    5f0c6b332ecbeeb94f8660d9b5c848908af1e4917a600b22d559352d3d47be5d

    SHA512

    1582cc4729a543cd54147ed092f348d013e54fcd819fbbfae046d736e3c69cfbdc7e334ebd759b75d15ca90e85b7099297893db59887c66e053900afce09ff42

    Download Submit

  • memory/4076-0-0x0000000010000000-0x0000000010026000-memory.dmp

    Filesize

    152KB

    Download