Analysis

  • max time kernel: 150s
  • max time network: 143s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231127-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 14-12-2023 14:57

General

  • Target: 35d509fd391a328efbc3997b087f16deff4034b8c91df5fc2f285eb76954d805.exe
  • Size: 3.5MB
  • MD5: 32dd6257ccccd472e3141d1df32896c8
  • SHA1: 675202bb6a79aa91fbf054b1468b1866f3203626
  • SHA256: 35d509fd391a328efbc3997b087f16deff4034b8c91df5fc2f285eb76954d805
  • SHA512: d2be97ef8c6a71265043fe0eff4b49df069db2b05e9a05091177bd33f6e59fba1e72c12ae43f9c81a1f3740c3187f1e3b409148bb63202abc441c1676a0ae03a
  • SSDEEP: 98304:5dkXoIbndmG6tfj4yMchYwrcmt9uPS2tKEkE/bcI6aMwQIud:5d7IbkZNhMPS2tGEjcIeIud

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

  • Fatal Rat payload (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (4 IoCs)
  • Drops file in Program Files directory (8 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\35d509fd391a328efbc3997b087f16deff4034b8c91df5fc2f285eb76954d805.exe (PID 1104)
    Command line: "C:\Users\Admin\AppData\Local\Temp\35d509fd391a328efbc3997b087f16deff4034b8c91df5fc2f285eb76954d805.exe"
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Application Verifier\sihost32smi.exe (PID 1800, child of PID 1104)
      Command line: "C:\Program Files (x86)\Application Verifier\sihost32smi.exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken

Downloads

  • C:\Program Files (x86)\Application Verifier\MSVCR120D.dll
    Filesize: 1.7MB
    MD5: f67ca8d338dfd99e3c540336221f8fa7
    SHA1: 2d10397d3d84acf96097050949b88dfabede2ce1
    SHA256: 4c7bafb33eaebf8e9de81b775389d649f26502ccabd4c4540fc1b97bd43102b8
    SHA512: ee1154abd3adbfdf8de5e6644d3ec2efea24518e64e39acff5a9f0820a6cf8defb8ad359f5f1c706d1e1b5e9f7c88542fb1ff0391a7f3cf6bc9fae996e5e29c6

  • C:\Program Files (x86)\Application Verifier\afd.bin
    Filesize: 198KB
    MD5: cf592e5d63e9f464669406927f21ca38
    SHA1: 7c92432bcf4a2a586485ee9a18112f112fda4285
    SHA256: 9552507f6e2cde1211a49bc6634333daf9f33f6ccb654b9d6c68f374337b1a72
    SHA512: 3a4eabec45a8fadccaaa47ca90ee4ff32551e3e0ce25122b4b6362cfdd322498f33041e1c3ee5516ccae7229bd2e263a476cba9475c7f2bb509320a3069542e0

  • C:\Program Files (x86)\Application Verifier\libcef.dll
    Filesize: 23KB
    MD5: cf5d10808cc788efe501d1b0a904bc71
    SHA1: b719ba0de1a119d09c39f5c64028dd894c94abd3
    SHA256: e341500d41869fa152a61dbc660ce8a96bf1fab39ca186eb0df9f9ffad69e678
    SHA512: 6969c36f7ccbc12ae4ab323e4b949163009c3daa6d1471f5efc46eba5b1cbe4056a28e2a7d9398615a65b960fc527276bdf037bc5e19882c9e4655e3e2afc513

  • C:\Program Files (x86)\Application Verifier\msvcp120d.dll
    Filesize: 796KB
    MD5: 3049622a9a5bc219504e39aca1fb35d1
    SHA1: 021d7badb2aeb0d126839cc5b1102b7257fc5a4c
    SHA256: f7b62920f0ebd7521baa354eb82c2d96691fdb8eaf169757368ffe38af6aa5b4
    SHA512: 77c6968d43ea147938f5872de7f5859930a37b8d7ad3d9c4eb0628ed444509e12dd0627dc21628bcf38d516ee0c1a8583e39ebd77fbfd39ebb0989ec9c6aec10

  • C:\Program Files (x86)\Application Verifier\sihost32smi.exe
    Filesize: 1.4MB
    MD5: 30136be17e0f4fe52e431979e0465373
    SHA1: 6181aefff780ffb54ec06810116c3373a9d961dd
    SHA256: 20d48d2f666be4973e105bc6ead0102d26153d4603c3d787e762bb91b5d15bce
    SHA512: 7cd8c53f089ecf33e24b9b55aa012ba0fb332f1be2787bb8f78a551cb0934d2f6c4c8d9a53c5f8430a4f396568edab97d0ba4646c76ce41a3474cddca2fe560d

  • memory/1104-12-0x0000000010000000-0x0000000010018000-memory.dmp
    Filesize: 96KB

  • memory/1104-13-0x00000000031D0000-0x00000000031E4000-memory.dmp
    Filesize: 80KB

  • memory/1800-36-0x0000000010000000-0x0000000010031000-memory.dmp
    Filesize: 196KB

  • memory/1800-37-0x0000000002730000-0x0000000002762000-memory.dmp
    Filesize: 200KB

  • memory/1800-41-0x0000000002770000-0x000000000279A000-memory.dmp
    Filesize: 168KB