Analysis

  • max time kernel: 140s
  • max time network: 142s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231130-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-12-2023 21:56

General

  • Target: 84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe
  • Size: 3.0MB
  • MD5: 139fdef0045c1f40b90e6d3b92ad8b56
  • SHA1: 79a61b28284cb4c61ffeb0e818684d6ea0b9c760
  • SHA256: 84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd
  • SHA512: 69f326a71ab498a83d3a489cd6b40229d7b503f1c4826eb75d095c037e2eaa540037440fffc20f40b27fb171c2b351df9a59e4949a4a0ebd78ff35a82149356b
  • SSDEEP: 98304:cZKc9qTsbAW0GpMtkxkT8ZPKJPZPyQeGvQfyjA7o:cZrswpZxkT8YyQeGYf+A7o

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++, first seen in June 2021.

  • Fatal Rat payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe
    "C:\Users\Admin\AppData\Local\Temp\84ddf0823586b96889ade538ba040a24e8904e5cf18f0d9f51ec0e9b08e504cd.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3264
    • C:\Program Files (x86)\Sofa32\curl.exe
      "C:\Program Files (x86)\Sofa32\curl.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1780

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Sofa32\VCRUNTIME140.dll
    Filesize: 89KB
    MD5: 8a090e342a1cfc590b468b61e0c6e23a
    SHA1: 2ce5c404d0e926d3829565a819142657374271c7
    SHA256: c432d3c6a02d636c4e66cb97bb738655efb1786a89d2ef446cd0aaedc7f6fb7b
    SHA512: 50ea6a9241dbbc52f93703cf29d2024ad49efd8f69f8552e493039640f2d0e625bd5c038e942079c0e291784674d531ea256c2556c637ce292ec6de8c417292a

  • C:\Program Files (x86)\Sofa32\curl.exe
    Filesize: 411KB
    MD5: 9c0e57db88cb68940233b879d716d915
    SHA1: c82a3202fc618025051ca969afe88e7d8860f7a4
    SHA256: 4d2bff9ef9cb3f09466449129041dbfed672ca895edb7a6770d856af9acef54c
    SHA512: 4571e2fd0cf989420d57317c8927491aaa47e8bf5c5cb3d2598fe82b89aaa1f8e2673160f8d600f7ab8e5929243f11582c950df9013c753e94ce3deab1296ec9

  • C:\Program Files (x86)\Sofa32\curl.exe
    Filesize: 374KB
    MD5: 275b249bac0adcae1976e7ab998b00bd
    SHA1: ab1e62260d71d112a71ef0315142148541ea2733
    SHA256: 193cd8e4c522b29f5584345c7134c87acf2c6d222e591dff76f72f24803fbe57
    SHA512: 23c30e08f8f1fb7e51ff713d0d743e0642f7cd40ad2cc54427f69e88a682bf0bd1e33ed310f9496a3eccaba005d400325bebe910aba49f745b247a9c5adb07e5

  • C:\Program Files (x86)\Sofa32\curl.exe
    Filesize: 251KB
    MD5: 88923397d976899341f3b6d8e739f1b5
    SHA1: 11c389c88d7508de6fbed86bfa6a4b7cd37bbfec
    SHA256: 02cd729bdb97bcbc6e2daa1cbaf462662c0617b323c8960b8cc3c41585d1e353
    SHA512: b3d0a133e7ffb449e478dc3a213941934f3d2d39085ef78dd71202b3dd5a97dbd1456eb021d8f5322eac27b4d3cc205ea429d3faff22a1945a281d148ca928d0

  • C:\Program Files (x86)\Sofa32\libcurl.dll
    Filesize: 39KB
    MD5: 7f9dc128a376cf3f95588b312eb73fd5
    SHA1: 13a445d684656f33fc359661f7a9c47b00ca2dfe
    SHA256: d5799703bfe2e869ae13cab59d05ee30fa66bdb40690318e8d3c910d3f819ec4
    SHA512: 23e8b0772710cb03fc45c9e574e758b1b58b1de804ce053bda33e1eb0501d160a0ec3039f4940c567c5854c008947835bc573787a42f070eafb2472e0efc89a4

  • C:\ProgramData\afd.bin
    Filesize: 178KB
    MD5: abd42bff6aa415834191ac71f95a660f
    SHA1: 2c058e276c6330a94707195d1b8ec1519d5958d7
    SHA256: 86e89e8ee6e9982ef17b1f190b9af4bdbc10d808fc0fedc53d4a62a0d28b4dcc
    SHA512: 0ce3bf4ec8eaa8686516a6ce7a0de729344c1ae07019fb26d8ce356009f75ad87f0153be0604548c3855beef2380b0b1b09dfca2722c7185f4fe2b25a676164e

  • memory/1780-27-0x0000000003010000-0x00000000030BE000-memory.dmp
    Filesize: 696KB

  • memory/1780-23-0x0000000010000000-0x0000000010031000-memory.dmp
    Filesize: 196KB

  • memory/1780-28-0x0000000002F90000-0x0000000002FBA000-memory.dmp
    Filesize: 168KB