Overview

overview

10

Static

static

10

82fc444c2e...35.dll

windows7-x64

8

82fc444c2e...35.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2023 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82fc444c2e6ebe55046ddf5c031b7fcad832a8fd4f66b8a40e509a81ca413735.dll

  • Size

    520KB

  • MD5

    00d96db6440e496f298013ae3d4806d8

  • SHA1

    2d3801fb6264694adfe8d61d25662ec31939d49e

  • SHA256

    82fc444c2e6ebe55046ddf5c031b7fcad832a8fd4f66b8a40e509a81ca413735

  • SHA512

    2361c93d789da3a93008e37f02bc16f59eb107918260b87d6466e0a280ad14c9472c8bc60f17b2e585da72e0740905591a5300b4463d87ad00fb88b043ac8c9b

  • SSDEEP

    12288:vXLLkwykYRIZLNpxjb72MCt0LARqbdpZs:vXLLmkNZLflHCtc2qbx

Score
10/10
fatalratgh0stratinfostealerpersistenceratupx

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Fatal Rat payload 2 IoCs
    ratinfostealer
  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\82fc444c2e6ebe55046ddf5c031b7fcad832a8fd4f66b8a40e509a81ca413735.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3900
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\82fc444c2e6ebe55046ddf5c031b7fcad832a8fd4f66b8a40e509a81ca413735.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:3124
  • C:\Windows\helppane.exe
    C:\Windows\helppane.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\egfzwg\Agghosts.exe
      "C:\egfzwg\Agghosts.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4188
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1356
        3⤵
        • Program crash
        PID:4744
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1324
        3⤵
        • Program crash
        PID:1976
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4188 -ip 4188
    1⤵
      PID:2968
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4188 -ip 4188
      1⤵
        PID:1708

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\egfzwg\Agghosts.exe
        Filesize

        23KB

        MD5

        5aab297fa8f143bfa67310ad78b76d3f

        SHA1

        5db963c2cca1bc8c8c060c52f7df76ccb477f01a

        SHA256

        8ec64bc55e5641d7683288e5e8e27c9391f06eb4da096c3d677d8f25ca4d04df

        SHA512

        c1ee67bd4c6bcfdc4179f905c7abc4ac632c9265b61dd5fdb90eeeec39802abe2cc487a5c8ded8a0748728104170c1b4d3a88904f102e1c3f891fac7702a2256

        Download Submit

      • C:\egfzwg\Enpud.png
        Filesize

        157KB

        MD5

        4c0049dab2c53c5a6997e49734dba61c

        SHA1

        2ee93a6536e99922bf202d45631bcbaef1f79135

        SHA256

        58d7576d19f750715654041c97cf5911cf6f65b38cc39ffc08dfe346d463fca4

        SHA512

        94a1299210cdafbcded34ce1173613b7b2c388130771403462373f4389d07561987a9d4e3f87906073b05cd4511397d809242e0fa4acb1e8ef11e2c7f4829a0c

        Download Submit

      • C:\egfzwg\QiDianBrowserMgr.dll
        Filesize

        123KB

        MD5

        5e426092839f4fb2b77b10968500b6f7

        SHA1

        96e0be8e3975f93d429b27869fe3353c8462757b

        SHA256

        ed419431870a7bf25a04d1919023837b350f5956f05d683cc25ef0debf47e69c

        SHA512

        9c1d55ff14d57711d2f3a4fb04adf62f2a186ef7b4160ca37178a413ebb3b20c703d9380e6d54b3d03a4e1cd97b44f66cf6f5a67028e1a4cc34e74f576915a46

        Download Submit

      • C:\egfzwg\vcruntime140.dll
        Filesize

        77KB

        MD5

        f107a3c7371c4543bd3908ba729dd2db

        SHA1

        af8e7e8f446de74db2f31d532e46eab8bbf41e0a

        SHA256

        00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

        SHA512

        fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

        Download Submit

      • memory/4188-13-0x0000000001150000-0x0000000001180000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4188-14-0x0000000010000000-0x0000000010029000-memory.dmp

        Filesize

        164KB

        Download

      • memory/4188-19-0x0000000003340000-0x000000000335A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4188-22-0x0000000003340000-0x000000000335A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4188-24-0x0000000003340000-0x000000000335A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4188-23-0x0000000003340000-0x000000000335A000-memory.dmp

        Filesize

        104KB

        Download