fatalrat | 84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd

Analysis

max time kernel
117s
max time network
143s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
13-12-2023 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe
Size

3.0MB
MD5

139fdef0045c1f40b90e6d3b92ad8b56
SHA1

79a61b28284cb4c61ffeb0e818684d6ea0b9c760
SHA256

84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd
SHA512

69f326a71ab498a83d3a489cd6b40229d7b503f1c4826eb75d095c037e2eaa540037440fffc20f40b27fb171c2b351df9a59e4949a4a0ebd78ff35a82149356b
SSDEEP

98304:cZKc9qTsbAW0GpMtkxkT8ZPKJPZPyQeGvQfyjA7o:cZrswpZxkT8YyQeGYf+A7o

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2992-24-0x0000000000180000-0x00000000001AA000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
2992	curl.exe

Loads dropped DLL 3 IoCs

pid	Process
1744	84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe
2992	curl.exe
2992	curl.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Sofa32\curl.exe	84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe
File created	C:\Program Files (x86)\Sofa32\libcurl.dll	84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe
File created	C:\Program Files (x86)\Sofa32\msvcp100.dll	84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe
File created	C:\Program Files (x86)\Sofa32\msvcr100.dll	84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe
File created	C:\Program Files (x86)\Sofa32\vcruntime140.dll	84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe
File created	C:\Program Files (x86)\Sofa32\cvsd.xml	84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	curl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	curl.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1744	84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe
2992	curl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	curl.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1744	84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2992	1744	84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe	28
PID 1744 wrote to memory of 2992	1744	84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe	28
PID 1744 wrote to memory of 2992	1744	84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe	28
PID 1744 wrote to memory of 2992	1744	84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe	28

C:\Users\Admin\AppData\Local\Temp\84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe
"C:\Users\Admin\AppData\Local\Temp\84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Program Files (x86)\Sofa32\curl.exe
  "C:\Program Files (x86)\Sofa32\curl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Sofa32\curl.exe

Filesize
411KB

MD5
9c0e57db88cb68940233b879d716d915

SHA1
c82a3202fc618025051ca969afe88e7d8860f7a4

SHA256
4d2bff9ef9cb3f09466449129041dbfed672ca895edb7a6770d856af9acef54c

SHA512
4571e2fd0cf989420d57317c8927491aaa47e8bf5c5cb3d2598fe82b89aaa1f8e2673160f8d600f7ab8e5929243f11582c950df9013c753e94ce3deab1296ec9

Download Submit
C:\ProgramData\afd.bin

Filesize
198KB

MD5
1176ae44f89438b775fa2445ea7fcadb

SHA1
8c4ff222ac8f07bc4f05af6f324ef9591425dac3

SHA256
f5363287d0e624309b76dcb5bbbffb2d8280407830daf095292d2738afc4c996

SHA512
2df1dc165977e42e790002679d1b7de09c7a38a57300f0ea710cd5a1512c5751f02f6dff430e5f03aabe5684253b5f54c44cbdf8ae48bba951ec414fe0ed281b

Download Submit
\Program Files (x86)\Sofa32\libcurl.dll

Filesize
39KB

MD5
7f9dc128a376cf3f95588b312eb73fd5

SHA1
13a445d684656f33fc359661f7a9c47b00ca2dfe

SHA256
d5799703bfe2e869ae13cab59d05ee30fa66bdb40690318e8d3c910d3f819ec4

SHA512
23e8b0772710cb03fc45c9e574e758b1b58b1de804ce053bda33e1eb0501d160a0ec3039f4940c567c5854c008947835bc573787a42f070eafb2472e0efc89a4

Download Submit
\Program Files (x86)\Sofa32\vcruntime140.dll

Filesize
89KB

MD5
8a090e342a1cfc590b468b61e0c6e23a

SHA1
2ce5c404d0e926d3829565a819142657374271c7

SHA256
c432d3c6a02d636c4e66cb97bb738655efb1786a89d2ef446cd0aaedc7f6fb7b

SHA512
50ea6a9241dbbc52f93703cf29d2024ad49efd8f69f8552e493039640f2d0e625bd5c038e942079c0e291784674d531ea256c2556c637ce292ec6de8c417292a

Download Submit
memory/2992-24-0x0000000000180000-0x00000000001AA000-memory.dmp

Filesize
168KB

Download
memory/2992-23-0x0000000001D70000-0x0000000001E1E000-memory.dmp

Filesize
696KB

Download
memory/2992-19-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download