fatalrat | b1009b8d107227e4ac86188a6f5f44e09814c65e8ed6077837f83253afe99225

Analysis

max time kernel
121s
max time network
139s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09-12-2023 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1009b8d107227e4ac86188a6f5f44e09814c65e8ed6077837f83253afe99225.exe
Size

2.6MB
MD5

5b15faa8c691740955275e26e80fafc5
SHA1

f478d3b62c3bc6fe909832928ae131380faa0468
SHA256

b1009b8d107227e4ac86188a6f5f44e09814c65e8ed6077837f83253afe99225
SHA512

f497e16d53315d830b29d6ade52671ea2d84aeb80391cad5bfba723c64d61ba5451b3957051ee188af8390f3eb8cfc5c5b44c02b09cee01f7ec9f30e4b852dca
SSDEEP

49152:zQoE06wk5MOufRnJ3v3WJwKnMcwbO49VgekNs39dvNfsg0O2iM2K:+/5KpJ3AirKN4vrp2Hl

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2936-36-0x0000000000840000-0x000000000086A000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
2936	liaobei.exe

Loads dropped DLL 2 IoCs

pid	Process
1848	b1009b8d107227e4ac86188a6f5f44e09814c65e8ed6077837f83253afe99225.exe
2936	liaobei.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Actual\liaobei.exe	b1009b8d107227e4ac86188a6f5f44e09814c65e8ed6077837f83253afe99225.exe
File created	C:\Program Files (x86)\Actual\cvsd.xml	b1009b8d107227e4ac86188a6f5f44e09814c65e8ed6077837f83253afe99225.exe
File created	C:\Program Files (x86)\Actual\nw_elf.dll	b1009b8d107227e4ac86188a6f5f44e09814c65e8ed6077837f83253afe99225.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	liaobei.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	liaobei.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
1848	b1009b8d107227e4ac86188a6f5f44e09814c65e8ed6077837f83253afe99225.exe
1848	b1009b8d107227e4ac86188a6f5f44e09814c65e8ed6077837f83253afe99225.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe
2936	liaobei.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	liaobei.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1848	b1009b8d107227e4ac86188a6f5f44e09814c65e8ed6077837f83253afe99225.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2936	1848	b1009b8d107227e4ac86188a6f5f44e09814c65e8ed6077837f83253afe99225.exe	28
PID 1848 wrote to memory of 2936	1848	b1009b8d107227e4ac86188a6f5f44e09814c65e8ed6077837f83253afe99225.exe	28
PID 1848 wrote to memory of 2936	1848	b1009b8d107227e4ac86188a6f5f44e09814c65e8ed6077837f83253afe99225.exe	28
PID 1848 wrote to memory of 2936	1848	b1009b8d107227e4ac86188a6f5f44e09814c65e8ed6077837f83253afe99225.exe	28

C:\Users\Admin\AppData\Local\Temp\b1009b8d107227e4ac86188a6f5f44e09814c65e8ed6077837f83253afe99225.exe
"C:\Users\Admin\AppData\Local\Temp\b1009b8d107227e4ac86188a6f5f44e09814c65e8ed6077837f83253afe99225.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Program Files (x86)\Actual\liaobei.exe
  "C:\Program Files (x86)\Actual\liaobei.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Actual\liaobei.exe

Filesize
2.6MB

MD5
91057184eb697259e88dff99a1e957cf

SHA1
0aad25610df49e54b2e6af9f888eff8fb5a99e07

SHA256
149a58359c568d4a5ebb1fee53c5cba1dd63fdc14b165d043fd2a4c5f641ff67

SHA512
e5b27feea207bb7d3d35f8b11b10d64cef7b947fb9aa2612fab6e69bb270c4bfe3f1316d477c7832ecd9f7fd9cb622721e2ee5ee717cef1954ad353221068ffe

Download Submit
C:\Program Files (x86)\Actual\liaobei.exe

Filesize
2.6MB

MD5
91057184eb697259e88dff99a1e957cf

SHA1
0aad25610df49e54b2e6af9f888eff8fb5a99e07

SHA256
149a58359c568d4a5ebb1fee53c5cba1dd63fdc14b165d043fd2a4c5f641ff67

SHA512
e5b27feea207bb7d3d35f8b11b10d64cef7b947fb9aa2612fab6e69bb270c4bfe3f1316d477c7832ecd9f7fd9cb622721e2ee5ee717cef1954ad353221068ffe

Download Submit
C:\Program Files (x86)\Actual\nw_elf.dll

Filesize
35KB

MD5
c8a94c6c7ed5c2c11add2e1601d44b60

SHA1
3f0188484eebfcf60f9c0cc568c79e99af6fbc3c

SHA256
423967caf82131d986e05deb1809dde356da3f053775069f0071816f8a5fa0c9

SHA512
7c87218e495bcb0a247124157fe78c7e941f2c2fa65b86adb1db0c457322b1be2d46e3d77f13e134c9f83b3b87876088e708f1bd96e41e46545248362c70ba34

Download Submit
C:\ProgramData\afd.bin

Filesize
198KB

MD5
70b59a8bd5d1b7d3fc5d3b92f763a3fa

SHA1
f7178d3f1305222f88d8113c9865c8afee090973

SHA256
ce51d9ddfbe074f296de43ff0a8e25d84dbbf343ca475fe35c96bdf58882156b

SHA512
79ada5880bafea76390c7ef2cbab43314f16826302f05925e18ab4d00fe1ef5a7452c8f73b8fad8a773909c228caf270e1220d406671d36b731693e36e51db16

Download Submit
\Program Files (x86)\Actual\liaobei.exe

Filesize
2.6MB

MD5
91057184eb697259e88dff99a1e957cf

SHA1
0aad25610df49e54b2e6af9f888eff8fb5a99e07

SHA256
149a58359c568d4a5ebb1fee53c5cba1dd63fdc14b165d043fd2a4c5f641ff67

SHA512
e5b27feea207bb7d3d35f8b11b10d64cef7b947fb9aa2612fab6e69bb270c4bfe3f1316d477c7832ecd9f7fd9cb622721e2ee5ee717cef1954ad353221068ffe

Download Submit
\Program Files (x86)\Actual\nw_elf.dll

Filesize
35KB

MD5
c8a94c6c7ed5c2c11add2e1601d44b60

SHA1
3f0188484eebfcf60f9c0cc568c79e99af6fbc3c

SHA256
423967caf82131d986e05deb1809dde356da3f053775069f0071816f8a5fa0c9

SHA512
7c87218e495bcb0a247124157fe78c7e941f2c2fa65b86adb1db0c457322b1be2d46e3d77f13e134c9f83b3b87876088e708f1bd96e41e46545248362c70ba34

Download Submit
memory/1848-13-0x0000000000400000-0x0000000000A82000-memory.dmp

Filesize
6.5MB

Download
memory/1848-3-0x0000000000400000-0x0000000000A82000-memory.dmp

Filesize
6.5MB

Download
memory/1848-9-0x0000000000400000-0x0000000000A82000-memory.dmp

Filesize
6.5MB

Download
memory/1848-11-0x0000000000400000-0x0000000000A82000-memory.dmp

Filesize
6.5MB

Download
memory/1848-0-0x0000000000400000-0x0000000000A82000-memory.dmp

Filesize
6.5MB

Download
memory/1848-14-0x0000000000400000-0x0000000000A82000-memory.dmp

Filesize
6.5MB

Download
memory/1848-6-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/1848-28-0x0000000000400000-0x0000000000A82000-memory.dmp

Filesize
6.5MB

Download
memory/1848-1-0x0000000000250000-0x000000000029A000-memory.dmp

Filesize
296KB

Download
memory/1848-2-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1848-26-0x0000000000250000-0x000000000029A000-memory.dmp

Filesize
296KB

Download
memory/1848-5-0x0000000000400000-0x0000000000A82000-memory.dmp

Filesize
6.5MB

Download
memory/1848-4-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/1848-8-0x0000000000250000-0x000000000029A000-memory.dmp

Filesize
296KB

Download
memory/2936-36-0x0000000000840000-0x000000000086A000-memory.dmp

Filesize
168KB

Download
memory/2936-33-0x0000000001E40000-0x0000000001EEE000-memory.dmp

Filesize
696KB

Download
memory/2936-31-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download