Overview

overview

10

Static

static

7

cd9c6f0b76...3b.exe

windows10-2004-x64

10

cd9c6f0b76...3b.exe

windows11-21h2-x64

10

Resubmissions

14-12-2023 13:23

231214-qmryvsfch2 10

14-12-2023 12:56

231214-p6v9ysdgar 7

Analysis

  • max time kernel
    139s
  • max time network
    142s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231129-en
  • resource tags

    arch:x64arch:x86image:win11-20231129-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-12-2023 13:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe

  • Size

    6.8MB

  • MD5

    2f00f70020c479b1fe7e32b6fdde6ad2

  • SHA1

    13b9ad6874690af1d32eaf3ee8b2bb5674d59953

  • SHA256

    cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b

  • SHA512

    a2f55b7c8dd3b5cd330a4c2bef957cca5cb19b873544bb2a8b57c047959233a30b6ecbc96460c65a6773161292b9571a339b4f1af273c1e7fb908b7343ea4fc9

  • SSDEEP

    196608:pszgrJ3dUZdF+7+oHKuGKVSlo2Eaezj8/DFvYKf1JFh:pszXd6+oCeSlo6e4xAKD

Score
10/10
fatalratinfostealerratvmprotect

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 1 IoCs
    ratinfostealer
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe
    "C:\Users\Admin\AppData\Local\Temp\cd9c6f0b76e00e15e91a483d23b2c66c7d9f65f296d5b70b8ba691acd82c283b.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Program Files (x86)\Actual\liaobei.exe
      "C:\Program Files (x86)\Actual\liaobei.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3436

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Actual\liaobei.exe
    Filesize

    2.6MB

    MD5

    91057184eb697259e88dff99a1e957cf

    SHA1

    0aad25610df49e54b2e6af9f888eff8fb5a99e07

    SHA256

    149a58359c568d4a5ebb1fee53c5cba1dd63fdc14b165d043fd2a4c5f641ff67

    SHA512

    e5b27feea207bb7d3d35f8b11b10d64cef7b947fb9aa2612fab6e69bb270c4bfe3f1316d477c7832ecd9f7fd9cb622721e2ee5ee717cef1954ad353221068ffe

    Download Submit

  • C:\Program Files (x86)\Actual\nw_elf.dll
    Filesize

    2.7MB

    MD5

    7cd35ab70d012b1bfea123bde328ee19

    SHA1

    cc1a758af2f5c993eea24b7c8317daa4889a6502

    SHA256

    0328df98442c6043103deb870987add9b874b95b72a3c0e4822c77fe08e86e3e

    SHA512

    280a0dc72815f0be1bd275a7e2649d1610ff6e8545830f812ea3012da6cec7089fe5c136a4da39204a4ff006e1c9ee1a65a629ec7cc43a53ec8a350a43b98673

    Download Submit

  • C:\ProgramData\afd.bin
    Filesize

    198KB

    MD5

    1176ae44f89438b775fa2445ea7fcadb

    SHA1

    8c4ff222ac8f07bc4f05af6f324ef9591425dac3

    SHA256

    f5363287d0e624309b76dcb5bbbffb2d8280407830daf095292d2738afc4c996

    SHA512

    2df1dc165977e42e790002679d1b7de09c7a38a57300f0ea710cd5a1512c5751f02f6dff430e5f03aabe5684253b5f54c44cbdf8ae48bba951ec414fe0ed281b

    Download Submit

  • memory/2164-18-0x0000000010000000-0x000000001001F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2164-3-0x00000000034E0000-0x00000000034E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2164-5-0x0000000003500000-0x0000000003501000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2164-6-0x0000000003510000-0x0000000003511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2164-8-0x0000000000570000-0x0000000001238000-memory.dmp

    Filesize

    12.8MB

    Download

  • memory/2164-0-0x0000000003490000-0x0000000003491000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2164-23-0x0000000003FF0000-0x000000000409E000-memory.dmp

    Filesize

    696KB

    Download

  • memory/2164-4-0x00000000034F0000-0x00000000034F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2164-2-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2164-1-0x00000000034A0000-0x00000000034A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2164-38-0x0000000000570000-0x0000000001238000-memory.dmp

    Filesize

    12.8MB

    Download

  • memory/3436-36-0x0000000010000000-0x0000000010031000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3436-37-0x0000000002AA0000-0x0000000002B4E000-memory.dmp

    Filesize

    696KB

    Download

  • memory/3436-42-0x0000000002610000-0x000000000263A000-memory.dmp

    Filesize

    168KB

    Download