fatalrat | c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2023 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
Size

2.2MB
MD5

9abd44a5e4b419839d37e222f86860f4
SHA1

c3355f1848dff160b14b75eefebd3d1b0f6a1c1b
SHA256

c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c
SHA512

9dae7da70cee0b7b8ad90233920bc525a79186efe6fc7263d40287e27cc4bb661886ac4a981bdafa8b6ada0370b517653def69f16ad5303e7104aba2a2c75fae
SSDEEP

49152:c0smKY68xpKotIZLoYDHUT9LQodim4nFFgNMPq5:pJRxHhtlYDHOQodim4n4NMPY

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/2800-43-0x00000000006C0000-0x00000000006EA000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	elin_render.exe

Loads dropped DLL 3 IoCs

pid	Process
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Soga64\libcef.dll	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
File created	C:\Program Files (x86)\Soga64\msvcp120.dll	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
File created	C:\Program Files (x86)\Soga64\msvcr120.dll	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
File created	C:\Program Files (x86)\Soga64\cvsd.xml	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
File created	C:\Program Files (x86)\Soga64\elin_render.exe	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	elin_render.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	elin_render.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
2348	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
2348	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
2348	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe
2800	elin_render.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	elin_render.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2348	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2800	2348	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe	92
PID 2348 wrote to memory of 2800	2348	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe	92
PID 2348 wrote to memory of 2800	2348	c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe	92

C:\Users\Admin\AppData\Local\Temp\c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe
"C:\Users\Admin\AppData\Local\Temp\c2422939cbcf66f08891548d86ff2a83756ef4fd058ef89cd11afb743b69345c.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Program Files (x86)\Soga64\elin_render.exe
  "C:\Program Files (x86)\Soga64\elin_render.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Soga64\MSVCP120.dll

Filesize
112KB

MD5
92330a0fc4dd6876fc41187039b0293b

SHA1
413a4d2abae844548eb1aa543372c82d699911fe

SHA256
76d6a5838d897fc9a7db31c1d0195ba817026da3f5bff23c83dad509b2646198

SHA512
5eaf6720d095c379049b7cba696e2f8b8cd03ef2e1be8c099e64a6c2b3daf55f1ff672d3e070934be1b36f7001ec7fcd2d990cd2e4e4136b3683fbfd5696b485

Download Submit
C:\Program Files (x86)\Soga64\MSVCR120.dll

Filesize
81KB

MD5
88ca65c5f9939179dcf6f93f47763706

SHA1
dd5769c6eee278e76b22283185984d8298ae5575

SHA256
9c066f40043cdf341d1c56fb268f9d952c6266739d32d1c96fb07dc406b02ec2

SHA512
1d8dc4731d6430949a4bf7d4d33a31c70e225b57977af412ac85a2a561e02e307c6de56d10cf82cd0fdf7b35b7f8b4d6fb5c695c514c8b360dab52f5d393b041

Download Submit
C:\Program Files (x86)\Soga64\elin_render.exe

Filesize
131KB

MD5
b991295071496f0cecfa0eef6f9c2d1f

SHA1
c6665c2a9674efcedd2d92954e2bec9432de9a3d

SHA256
c16ef1080f6284c2d2112b2ebcb894544e9355748460e5554370e257cd1dfd8f

SHA512
8bb1b7ebee987ec00715821a8a99750c3bbeddf19e128616378b5693040f1e65ad3619c380b48d48bd6a314b249619ed5e0f52c7d4e65c89b5c0b7059d864e67

Download Submit
C:\Program Files (x86)\Soga64\elin_render.exe

Filesize
80KB

MD5
a63a8142db4ffb2632c55b311a355e21

SHA1
9cff492f82df57d830b9afed1cc3482b1d7aeeb4

SHA256
3e2d1c08d16ce259bb534c7bdf5e952cf1c3079f0a06657650430e97eb0aaa88

SHA512
5c1afb7f6d16800b33993bea5533e97627e83210f0f766bc1f9bfaa41f7f4c40c359d811e7794b698d10c9c2d790bf1b42a41e478e84fcd7d6aff66e5336aecb

Download Submit
C:\Program Files (x86)\Soga64\elin_render.exe

Filesize
51KB

MD5
c8cc550fb1b06754a6a97ea465da1364

SHA1
e3b53c72acbd72a5e9d0be1d04bb6260daee8d23

SHA256
8376bd67a841fc85c5c4214f4aaaf6700f75d7471fb749f192b74c423df66960

SHA512
359edc9eb87a0664afc11ac8ae2868d375c972cdcdc4ed169d1d1a3b5432fe574b95a221fd83376a6bf945724416cce895862118cd766c4cdd63a3842136e331

Download Submit
C:\Program Files (x86)\Soga64\libcef.dll

Filesize
32KB

MD5
10553a9f09cf320bfffb1c704b5ade51

SHA1
612efa8813f9209dcdaf6bd4e1e80c3cc266c308

SHA256
bdb44b2d1bebf33dbb2ea5717f5c512d285cdc380eecf91c9380bcb9b722578e

SHA512
af2212b82e967776d46dadb4f7e35cb619898c5bf3361110b9cb34c2ce680c1488f7e6cb4e78113bb79d7a4162744a8c7b82713cd43339b2d89e7eadacedeb56

Download Submit
C:\Program Files (x86)\Soga64\msvcp120.dll

Filesize
147KB

MD5
8c752bbcd4b66c676004f3928ecffda3

SHA1
c55578bb6025e66a0bddec1b3bb51eca8239f390

SHA256
203b24ebfdffcf582e50854ae99ad8195c542b5abc21793d960c8280f2737849

SHA512
47a37da0984a38ca4eaea9f87263e08cba51e8e1f98614784b67903a8610b57c1e4da6c33e99529e9370dbbdbe89b2df62add3e318b74ffd49d005a586707597

Download Submit
C:\Program Files (x86)\Soga64\msvcr120.dll

Filesize
71KB

MD5
c5219707d30dac147996654c18e26abd

SHA1
13926205afb0887d420e5196cad207607fdfca4c

SHA256
b617f6c3314234a1d0c0bd0c5367d29ecb4ed17afc9b604d3c9df96e84f77065

SHA512
f2e7bec495954ddbf5c5e8aacbe0d739cbb8dfe15af7c7ce2740c0db8f75c05f87c988a61326fcd5b786303c02f6d866ebbe2500e9cd35ecd7ced665fbf3b0ac

Download Submit
C:\ProgramData\afd.bin

Filesize
114KB

MD5
04b3bb8045725b80df46ac0d3a2f943e

SHA1
a96f5a5be3299d2afb20025d1ecd3906b15ea847

SHA256
8e2947862bebebf4e696b109872f7c2b11b81b7e1e0707d11d71d8962e11cfbf

SHA512
97a7e4b9927e519e92f889ad6b6468f911762bb021ee387a3d8a8c20ebdd5230c0fb8f44b5a40b62699baa2904255af7686a65f5e9f670d3eaee873c3caa10e5

Download Submit
memory/2348-5-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2348-30-0x0000000002690000-0x00000000026DA000-memory.dmp

Filesize
296KB

Download
memory/2348-1-0x0000000002690000-0x00000000026DA000-memory.dmp

Filesize
296KB

Download
memory/2348-9-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2348-0-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2348-8-0x0000000002650000-0x000000000265C000-memory.dmp

Filesize
48KB

Download
memory/2348-3-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2348-36-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2348-14-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2348-13-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2348-2-0x0000000002690000-0x00000000026DA000-memory.dmp

Filesize
296KB

Download
memory/2348-6-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/2348-11-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2348-4-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2800-38-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/2800-39-0x0000000002200000-0x00000000022AE000-memory.dmp

Filesize
696KB

Download
memory/2800-43-0x00000000006C0000-0x00000000006EA000-memory.dmp

Filesize
168KB

Download