fatalrat | 944d8370acd9297ccc6a76f963176631321caa5044c690502d0fc8d942f99bed

Analysis

max time kernel
138s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2023 13:59

Target

944d8370acd9297ccc6a76f963176631321caa5044c690502d0fc8d942f99bed.dll
Size

288KB
MD5

e9e7b3dcb4a84a3ec5dcc9039926e735
SHA1

522142d34129ec42f56e5ca7e7239b17c1717bad
SHA256

944d8370acd9297ccc6a76f963176631321caa5044c690502d0fc8d942f99bed
SHA512

94846bc6320cba1b8ef35138f4b61f7df2cba4445c4ab0d759e3489a77856ad0a7a3b8194d0f2e4ccf3039405b295803b02480eef247dc010b65e33dfd39d350
SSDEEP

3072:oMy3mBPptH5LZseWDzoPZ6WS6BLfvgaSlpcD+05fDbRSH+zgn2zCFvu+2sLbzu6y:/SmZtSzkPDNGEfwHlHFGwLmVpkdwsFX

Score

10^/10

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/1420-0-0x00000000027D0000-0x00000000027FA000-memory.dmp	fatalrat

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 1420	540	rundll32.exe	86
PID 540 wrote to memory of 1420	540	rundll32.exe	86
PID 540 wrote to memory of 1420	540	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\944d8370acd9297ccc6a76f963176631321caa5044c690502d0fc8d942f99bed.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\944d8370acd9297ccc6a76f963176631321caa5044c690502d0fc8d942f99bed.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1420

memory/1420-0-0x00000000027D0000-0x00000000027FA000-memory.dmp

Filesize
168KB

Download