fatalrat | c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c

Analysis

max time kernel
122s
max time network
141s
platform
windows7_x64
resource
win7-20231201-en
resource tags

arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
submitted
14-12-2023 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
Size

2.2MB
MD5

9abd44a5e4b419839d37e222f86860f4
SHA1

c3355f1848dff160b14b75eefebd3d1b0f6a1c1b
SHA256

c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c
SHA512

9dae7da70cee0b7b8ad90233920bc525a79186efe6fc7263d40287e27cc4bb661886ac4a981bdafa8b6ada0370b517653def69f16ad5303e7104aba2a2c75fae
SSDEEP

49152:c0smKY68xpKotIZLoYDHUT9LQodim4nFFgNMPq5:pJRxHhtlYDHOQodim4n4NMPY

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2896-42-0x0000000000150000-0x000000000017A000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
2896	elin_render.exe

Loads dropped DLL 4 IoCs

pid	Process
2276	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Soga64\cvsd.xml	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
File created	C:\Program Files (x86)\Soga64\elin_render.exe	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
File created	C:\Program Files (x86)\Soga64\libcef.dll	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
File created	C:\Program Files (x86)\Soga64\msvcp120.dll	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
File created	C:\Program Files (x86)\Soga64\msvcr120.dll	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	elin_render.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	elin_render.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2276	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
2276	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe
2896	elin_render.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	elin_render.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2276	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2896	2276	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe	28
PID 2276 wrote to memory of 2896	2276	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe	28
PID 2276 wrote to memory of 2896	2276	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe	28
PID 2276 wrote to memory of 2896	2276	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe	28

C:\Users\Admin\AppData\Local\Temp\c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
"C:\Users\Admin\AppData\Local\Temp\c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Program Files (x86)\Soga64\elin_render.exe
  "C:\Program Files (x86)\Soga64\elin_render.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Soga64\MSVCP120.dll

Filesize
97KB

MD5
83eec1de8a5412ba0c8e759c0db952a8

SHA1
7a032e8ecf3f7d8e36a85a02d2a614371bf82075

SHA256
33c16a9fb3cd5a97a69495e1c902dc97f2c096a3a2946338261b1ccb78df06e7

SHA512
69cce4762dfdd58efdd791f9e5f099da114819ca3c5cd20dc8e04b7407a7c9a5ab47b2cd465fe5d143258ad9f75d8aa8ae74f1679eef5897b0111eb76b600924

Download Submit
C:\Program Files (x86)\Soga64\MSVCR120.dll

Filesize
103KB

MD5
9917a2a424032d5622882ae67e0bd54b

SHA1
34dd381e402a873a5eca96e26108c0391f932989

SHA256
e1cce4a184b028dee99745196867a341c6e11cf4cf76e1dc1316741a61512f8c

SHA512
75b2fe8f48a09e9bb11f8901d52383068bab055b511c8dab45f6ccfb8a2e784075de9467602c26d6e366318500bd6db79ad1ae656c8db0ff02533867b6f60861

Download Submit
C:\Program Files (x86)\Soga64\elin_render.exe

Filesize
74KB

MD5
b235f7a7ada28ce121def4e879df68dc

SHA1
211068fca604ba57c80b7f01c240cd36e8ee8a05

SHA256
d9a56f5d3472633c8edafc98ec8e3844c1efd0513741e2fb02b88347738dbd05

SHA512
4230609111f2cdfe713394d844538df09294d5cfbb064628f44616260bdc52625092ca0d0835bd74766b5109fd807a8a3c20a7809a86218ba640e34ca3ef7ebc

Download Submit
C:\Program Files (x86)\Soga64\elin_render.exe

Filesize
471KB

MD5
38b8ba7a0dd581d893e7c4f1a1b8ae11

SHA1
3e12d0260df799b063509a4359a8c0df540c4784

SHA256
6b85e080cc735e5a46a5205ed7177321b8a938fd0875157f149b4b3a414f00de

SHA512
018805a42b56245eaaef656e1cec95a028b64c370c4c5dd0628abc1d3a47c62d630140eaba5ea8d0ea2bb978deb3e0518c7f15027b4254712c5f6dca74061f1f

Download Submit
C:\ProgramData\afd.bin

Filesize
35KB

MD5
668b3d1994329feafead887a467ce280

SHA1
4b38e36bd5da669be2955b33b04fe8a1cdc56c15

SHA256
d695fac4e7523aeabbe2d3810874144769900751616f3c0037e9f3e6dae34f4e

SHA512
b30fbd50b8b9cd83262e7df00d741071ba2da0d6875434478dfd15e0305d01a323deddb2f8e9c45bf925a65496b1b61725cca85f960a7cc5b3fb8e798bd3a45e

Download Submit
\Program Files (x86)\Soga64\elin_render.exe

Filesize
83KB

MD5
49ef12f1e88d5170676958db9eb991cf

SHA1
3febf3adc6dc1e0e51618f6cd89367bc46d2040d

SHA256
b57daa15c482b1198f850f012787653721a7c352568ed3f2921819e8cb60357c

SHA512
e338111d97935660f4d2fe5afb9f18516d2e3a44e915584494a2c71bd64f42f44ac1c07137ff72b1966ef6d677677b2f5d16010495c8b52bfe0979bef132fbfd

Download Submit
\Program Files (x86)\Soga64\libcef.dll

Filesize
32KB

MD5
10553a9f09cf320bfffb1c704b5ade51

SHA1
612efa8813f9209dcdaf6bd4e1e80c3cc266c308

SHA256
bdb44b2d1bebf33dbb2ea5717f5c512d285cdc380eecf91c9380bcb9b722578e

SHA512
af2212b82e967776d46dadb4f7e35cb619898c5bf3361110b9cb34c2ce680c1488f7e6cb4e78113bb79d7a4162744a8c7b82713cd43339b2d89e7eadacedeb56

Download Submit
\Program Files (x86)\Soga64\msvcp120.dll

Filesize
65KB

MD5
d64d010e7740b5c05eff9ab2c2b784d7

SHA1
c071d1e8b7099e937edb5dfe2d54abc59c0b139b

SHA256
1ffaebadb520b26df23e7bcc37e78de5f79cab2b8dc5a7107d1e68404aeb6636

SHA512
80026ed0a18dff23015795adebce82e100f682111f8d55c6cbd474af95d54554281d3f47f504b71a8f11eb91fa4587e912c1e7410bece03b8ca1ef59c5b352ea

Download Submit
\Program Files (x86)\Soga64\msvcr120.dll

Filesize
176KB

MD5
6063e6f9a8ebd2965b6b4bcc127fb5df

SHA1
4f2f7bdff2d7689f40f2de1fb3be589ce2805a30

SHA256
2259c59633fc24fade623def39b6000723e48452c5e56c6eb25922372f85a5c3

SHA512
95e28f39299bb4e14f5abd706208068f73f9716d70a53a52d4314fe8d420d5f0e024bd7f54cc0b21c8d60dc712f2a0c1cfcf6b2408c488e91988faf0c1e2be4e

Download Submit
memory/2276-5-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2276-7-0x0000000000250000-0x000000000029A000-memory.dmp

Filesize
296KB

Download
memory/2276-14-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2276-28-0x0000000000250000-0x000000000029A000-memory.dmp

Filesize
296KB

Download
memory/2276-11-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2276-30-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2276-9-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2276-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2276-1-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2276-13-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2276-6-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2276-0-0x0000000000250000-0x000000000029A000-memory.dmp

Filesize
296KB

Download
memory/2276-4-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2276-3-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2896-37-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/2896-41-0x00000000002B0000-0x000000000035E000-memory.dmp

Filesize
696KB

Download
memory/2896-42-0x0000000000150000-0x000000000017A000-memory.dmp

Filesize
168KB

Download