fatalrat | b99100e9b989224546d18df21ea90b5c9fa0fe00a098873befdf4afdefe0ab7c

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2023 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b99100e9b989224546d18df21ea90b5c9fa0fe00a098873befdf4afdefe0ab7c.exe
Size

1.9MB
MD5

ff504e5889e75cd35713f531a837bf82
SHA1

1f47e5560a84e6ed0f172660c9882ddd751d7f18
SHA256

b99100e9b989224546d18df21ea90b5c9fa0fe00a098873befdf4afdefe0ab7c
SHA512

211c79bd716eeaaa4a8a042bdaa01e5b77081f0d090c9595ffcc6960def13f81d3bc15df4bf58847ef97d7858b98c050935207ccbf4a880585a79ecfd94ced31
SSDEEP

49152:C7QMGIEr2hyyU/sQaIbd/HA/XXO5YbQBIEbrGygStXBqxoXbrSIQ5kBG8KNUE:C5GIE6XU/sQDd4/e5YkBIEbrGygSZr9S

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/5040-2-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

pid	Process
4912	mstcs.exe
1840	mstcs.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\1.bin	mstcs.exe
File opened for modification	C:\WINDOWS\SysWOW64\1.bin	mstcs.exe
File created	C:\WINDOWS\SysWOW64\1.bin	b99100e9b989224546d18df21ea90b5c9fa0fe00a098873befdf4afdefe0ab7c.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	mstcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	mstcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mstcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mstcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mstcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mstcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	mstcs.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5040	b99100e9b989224546d18df21ea90b5c9fa0fe00a098873befdf4afdefe0ab7c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	b99100e9b989224546d18df21ea90b5c9fa0fe00a098873befdf4afdefe0ab7c.exe
Token: SeDebugPrivilege	4912	mstcs.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5040	b99100e9b989224546d18df21ea90b5c9fa0fe00a098873befdf4afdefe0ab7c.exe
4912	mstcs.exe
1840	mstcs.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 1840	4912	mstcs.exe	92
PID 4912 wrote to memory of 1840	4912	mstcs.exe	92
PID 4912 wrote to memory of 1840	4912	mstcs.exe	92

C:\Users\Admin\AppData\Local\Temp\b99100e9b989224546d18df21ea90b5c9fa0fe00a098873befdf4afdefe0ab7c.exe
"C:\Users\Admin\AppData\Local\Temp\b99100e9b989224546d18df21ea90b5c9fa0fe00a098873befdf4afdefe0ab7c.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5040

C:\ProgramData\mstcs.exe
C:\ProgramData\mstcs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4912
- C:\ProgramData\mstcs.exe
  C:\ProgramData\mstcs.exe Win7
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mstcs.exe

Filesize
211KB

MD5
6c2e9badc4307007753155ce281dbaa0

SHA1
7347540b445065b8ff5587331fdfa71428e956a0

SHA256
f9f14f4f65ebb871236729fbc60a0e0bfccae662c18552b4a4830752d363b4d7

SHA512
716f20d0fa6f7fd1a9d3abc657762cb4ef03b0ed76433786ddae993f82ab6ffdf6fa79e74df11bde93a529c10fe39476e25b45559aab11603afe585ed03c226f

Download Submit
C:\ProgramData\mstcs.exe

Filesize
960KB

MD5
40fe771435634a746c18e01626c7fb92

SHA1
716f7e5427b29bd22c0f943a1bc1a48e561294ca

SHA256
abbc8d029c8e3576e9da5d55a6c1939574b43e0f6fae7c368cd7aeceda27c3cf

SHA512
7c6b2b39e34138111c7fe0fbc92e114e2af7d0176ab8304561b782adea13cff3cacb1345ba06fbd84179b1085cbe25d258687aab3b8f4d115816f53a5a42f04a

Download Submit
C:\ProgramData\mstcs.exe

Filesize
1.9MB

MD5
ff504e5889e75cd35713f531a837bf82

SHA1
1f47e5560a84e6ed0f172660c9882ddd751d7f18

SHA256
b99100e9b989224546d18df21ea90b5c9fa0fe00a098873befdf4afdefe0ab7c

SHA512
211c79bd716eeaaa4a8a042bdaa01e5b77081f0d090c9595ffcc6960def13f81d3bc15df4bf58847ef97d7858b98c050935207ccbf4a880585a79ecfd94ced31

Download Submit
C:\WINDOWS\SysWOW64\1.bin

Filesize
209KB

MD5
a7123c81c4ef7078afb1be30ce84c4bb

SHA1
489fab1e550794d008dfcc70fa0861bd59c6294c

SHA256
3978149da04b5be63c52e51b14e54a0d52bd2be1ac51b11d3565b0841173c31f

SHA512
5295517096877f63c8296c049764663b508d3add1c408f068c4b8d4542b822d198b57c41c395760d3856a62894eb476e317e81b67a45278d166f037c8380e9a6

Download Submit
memory/5040-1-0x00000000030B0000-0x00000000030E5000-memory.dmp

Filesize
212KB

Download
memory/5040-2-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download