fatalrat | cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b

Resubmissions

14-12-2023 13:23

231214-qmryvsfch2 10

14-12-2023 12:56

231214-p6v9ysdgar 7

Analysis

max time kernel
12s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2023 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe
Size

6.8MB
MD5

2f00f70020c479b1fe7e32b6fdde6ad2
SHA1

13b9ad6874690af1d32eaf3ee8b2bb5674d59953
SHA256

cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b
SHA512

a2f55b7c8dd3b5cd330a4c2bef957cca5cb19b873544bb2a8b57c047959233a30b6ecbc96460c65a6773161292b9571a339b4f1af273c1e7fb908b7343ea4fc9
SSDEEP

196608:pszgrJ3dUZdF+7+oHKuGKVSlo2Eaezj8/DFvYKf1JFh:pszXd6+oCeSlo6e4xAKD

Score

10^/10

fatalrat infostealer rat vmprotect

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/1464-42-0x0000000002510000-0x000000000253A000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation	cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe

Executes dropped EXE 1 IoCs

Processes:

liaobei.exe

pid	Process
1464	liaobei.exe

Loads dropped DLL 1 IoCs

Processes:

liaobei.exe

pid	Process
1464	liaobei.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2720-2-0x00000000003D0000-0x0000000001098000-memory.dmp	vmprotect
behavioral1/memory/2720-8-0x00000000003D0000-0x0000000001098000-memory.dmp	vmprotect
behavioral1/memory/2720-37-0x00000000003D0000-0x0000000001098000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe

pid	Process
2720	cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe

Drops file in Program Files directory 4 IoCs

Processes:

cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe

description	ioc	Process
File created	C:\Program Files (x86)\Actual\cvsd.xml	cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe
File created	C:\Program Files (x86)\Actual\eage.png	cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe
File created	C:\Program Files (x86)\Actual\liaobei.exe	cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe
File created	C:\Program Files (x86)\Actual\nw_elf.dll	cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

liaobei.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	liaobei.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	liaobei.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exeliaobei.exe

pid	Process
2720	cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe
2720	cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe
2720	cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe
2720	cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe
2720	cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe
2720	cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe
1464	liaobei.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

liaobei.exe

description	pid	Process
Token: SeDebugPrivilege	1464	liaobei.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe

pid	Process
2720	cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe

description	pid	Process	procid_target
PID 2720 wrote to memory of 1464	2720	cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe	90
PID 2720 wrote to memory of 1464	2720	cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe	90
PID 2720 wrote to memory of 1464	2720	cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe	90

C:\Users\Admin\AppData\Local\Temp\cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe
"C:\Users\Admin\AppData\Local\Temp\cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Program Files (x86)\Actual\liaobei.exe
  "C:\Program Files (x86)\Actual\liaobei.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Actual\liaobei.exe

Filesize
1.7MB

MD5
f36c03aebfcb87b88c8b150ccec4c626

SHA1
73834c741bc215dae54170abad1146e9c3ea1d00

SHA256
c4c2e86f8f244614b475f47efbc2219efa4bc2400d9b6c66d7d65f53f853361b

SHA512
b0062003e804ab0ea5ac6a40a6424fd430c5e6fb6509a60c3673d451ec5a8882d7b49ef789dd84262e46712190e3999a422a4f8b467ceb04af5c9554090220b6

Download Submit
C:\Program Files (x86)\Actual\liaobei.exe

Filesize
1.6MB

MD5
4a7fa43193d29819e8a660d19cabfa19

SHA1
b143db34e84254006a3d246faaaceab7b5114b17

SHA256
5cc19f26c1ab086d947e974bb30dd0aac69730650db3ce267f22f97ad7c442e1

SHA512
b5bad04db5b1e019e898c08eb5d2b37a061f6ad95da852f685b6d00dfe0c5ffeb394159b5777a6e7b524799d7902cd3aef65a079fc9a95e689ba117548d03b01

Download Submit
C:\Program Files (x86)\Actual\liaobei.exe

Filesize
490KB

MD5
30c183d125ff9a2eb401825b92542819

SHA1
e5c6bc6a3a1e38924e54101bd25be29ed1355d51

SHA256
8984631ade8b568e1fa6b5c20d58a5ca15a09ebc8d68deb9948c67c6be4a2bbd

SHA512
c73e9ffad70f8c711a76982a7d07436f731b49f74ba182fafca512364fef63ee099e20d85c9537ec250d1fc7a99c42b1aac951fae3c4e7127687b7a357b91480

Download Submit
C:\Program Files (x86)\Actual\nw_elf.dll

Filesize
1.2MB

MD5
d54fefe8d3e6ba8d29b6e60cd3f2ca29

SHA1
892fa6289e0d81bbdfb346d11226998eecf85d4d

SHA256
dd91b82eed960ae04accf095b2fe770ccc827ae0476db22c49682a7246851809

SHA512
a72407eb176432978b55af0372b9ef938986b2c5e4d4998879f5569708908a96eee34f29cb7abc42b2b8f46c38ca847f15541f8ec5578f9ca84569a3b5ff36d8

Download Submit
C:\Program Files (x86)\Actual\nw_elf.dll

Filesize
1.4MB

MD5
6f17d35c597bfca2548e2b77f64a8b12

SHA1
c776adcbaf3da634b6d3cd715343924c2b7cc4e1

SHA256
af69cccf14298351224d3ca74ad1d9fc91b6988871f4709eb2edceff1f20406b

SHA512
a182b819451571a0c39bc750c01fca81003fa69789e78608386d932442dd103c5bec02fbb17c194c553f1a6f2267bb417ec1ce908fc54c713d5a87b4ec233f4a

Download Submit
C:\ProgramData\afd.bin

Filesize
198KB

MD5
1176ae44f89438b775fa2445ea7fcadb

SHA1
8c4ff222ac8f07bc4f05af6f324ef9591425dac3

SHA256
f5363287d0e624309b76dcb5bbbffb2d8280407830daf095292d2738afc4c996

SHA512
2df1dc165977e42e790002679d1b7de09c7a38a57300f0ea710cd5a1512c5751f02f6dff430e5f03aabe5684253b5f54c44cbdf8ae48bba951ec414fe0ed281b

Download Submit
memory/1464-42-0x0000000002510000-0x000000000253A000-memory.dmp

Filesize
168KB

Download
memory/1464-36-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/1464-38-0x0000000002580000-0x000000000262E000-memory.dmp

Filesize
696KB

Download
memory/2720-20-0x0000000003750000-0x00000000037FE000-memory.dmp

Filesize
696KB

Download
memory/2720-0-0x0000000001750000-0x0000000001751000-memory.dmp

Filesize
4KB

Download
memory/2720-18-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2720-8-0x00000000003D0000-0x0000000001098000-memory.dmp

Filesize
12.8MB

Download
memory/2720-7-0x00000000017D0000-0x00000000017D1000-memory.dmp

Filesize
4KB

Download
memory/2720-6-0x00000000017C0000-0x00000000017C1000-memory.dmp

Filesize
4KB

Download
memory/2720-37-0x00000000003D0000-0x0000000001098000-memory.dmp

Filesize
12.8MB

Download
memory/2720-5-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/2720-1-0x0000000001760000-0x0000000001761000-memory.dmp

Filesize
4KB

Download
memory/2720-3-0x0000000001770000-0x0000000001771000-memory.dmp

Filesize
4KB

Download
memory/2720-4-0x00000000017A0000-0x00000000017A1000-memory.dmp

Filesize
4KB

Download
memory/2720-2-0x00000000003D0000-0x0000000001098000-memory.dmp

Filesize
12.8MB

Download