fatalrat | 17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812

Analysis

max time kernel
141s
max time network
139s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15-12-2023 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exe
Size

4.5MB
MD5

2390f2ab0086c69d3780bd45f3a23c55
SHA1

f1a507bf4bd11f6159097b1b20e551534581c033
SHA256

17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812
SHA512

d34c4b228e2a455174a50e71cd3c44cf5ce6a16716c31e289ce099e06e0b91d6e61b63d4ad5c50f93862d52dd7b0647461dde6c3df7643abd4916a8e024e44a7
SSDEEP

98304:WSL/0AAKzg3oRug6oY3zp274J2AWYPSIJxSOz/P8vFySufuqzEEzNpCmhxY7Zm57:Wezzg3Dt9MiPSIJxSOz/0QfFzhBW7Zcz

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/2948-27-0x00000000021D0000-0x00000000021FA000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

Processes:

liaobei.exe

pid	Process
2948	liaobei.exe

Loads dropped DLL 2 IoCs

Processes:

17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exeliaobei.exe

pid	Process
2316	17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exe
2948	liaobei.exe

Drops file in Program Files directory 4 IoCs

Processes:

17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exe

description	ioc	Process
File created	C:\Program Files (x86)\Actual\liaobei.exe	17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exe
File created	C:\Program Files (x86)\Actual\cvsd.xml	17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exe
File created	C:\Program Files (x86)\Actual\eage.png	17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exe
File created	C:\Program Files (x86)\Actual\nw_elf.dll	17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

liaobei.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	liaobei.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	liaobei.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exeliaobei.exe

pid	Process
2316	17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe
2948	liaobei.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

liaobei.exe

description	pid	Process
Token: SeDebugPrivilege	2948	liaobei.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exeliaobei.exe

pid	Process
2316	17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exe
2948	liaobei.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exe

description	pid	Process	procid_target
PID 2316 wrote to memory of 2948	2316	17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exe	28
PID 2316 wrote to memory of 2948	2316	17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exe	28
PID 2316 wrote to memory of 2948	2316	17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exe	28
PID 2316 wrote to memory of 2948	2316	17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exe	28

C:\Users\Admin\AppData\Local\Temp\17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exe
"C:\Users\Admin\AppData\Local\Temp\17c784cd4aea713b258cd4d740b87be2037ae7a17c09dc8fbd54b496c4f7d812.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Program Files (x86)\Actual\liaobei.exe
  "C:\Program Files (x86)\Actual\liaobei.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Actual\liaobei.exe

Filesize
487KB

MD5
c3955d20098daf8a29b3c704edf27050

SHA1
c50d59a148756626f08ba6c6510b31dd5f34ade2

SHA256
673a55baf3593e83091201cb4a814deb718a600a101e7e558687d34c1ebfe255

SHA512
6e984e627f7ed1c9ac16d31c24abc999b4518e870757fb8cfdf68ff2ef711f43ed47474867b70620829a14a32722966e658d1278150acb2623f533bdf225e819

Download Submit
C:\Program Files (x86)\Actual\liaobei.exe

Filesize
269KB

MD5
2a3b9a89641f968e02106c2b4769c317

SHA1
a8cca6b5bb571f16da98c5f5aaa8a8d2db1e8df0

SHA256
7978718eee2f968095ab12405b20bed711798ad9b2d9319640d2b847bbef2bfb

SHA512
4182aa661ce2c95d4ba4bdc76e7c25a05e7e2c05bcd41feadebf3d890be7913e8c382bb5d83a86bcec31b189b287b38faf4501e0425b42d623dde87fa50086d7

Download Submit
C:\Program Files (x86)\Actual\nw_elf.dll

Filesize
467KB

MD5
4c790c10cfd13e4eb16294044f68b0c0

SHA1
bede6a82c8126068a41c3b527a392f6ec00250d8

SHA256
95618fcf6825b8ab8a9f7ed67d32bea4ee55b8ab18fb1d9bcf10fe78d6e625c8

SHA512
8d68057e414a25dd4859c047eeceb055fe602d815918599b9ba715147d4b3d3742f7b4f102911112e924681cdadbbdf94674facc2b0fd4fb402efb75c76cd63a

Download Submit
C:\ProgramData\afd.bin

Filesize
198KB

MD5
1176ae44f89438b775fa2445ea7fcadb

SHA1
8c4ff222ac8f07bc4f05af6f324ef9591425dac3

SHA256
f5363287d0e624309b76dcb5bbbffb2d8280407830daf095292d2738afc4c996

SHA512
2df1dc165977e42e790002679d1b7de09c7a38a57300f0ea710cd5a1512c5751f02f6dff430e5f03aabe5684253b5f54c44cbdf8ae48bba951ec414fe0ed281b

Download Submit
\Program Files (x86)\Actual\liaobei.exe

Filesize
1.3MB

MD5
260ec133aecff68f026e2d060f55a119

SHA1
358161d1eb7cae3f1de305f6ef8ab9378d458db6

SHA256
c3293af11f1c628573d45e7fab30885da5080787fdec3275657d7fc9a88680a2

SHA512
0cd9174a932b97a5d6246fc1ec76be4ee5f4b595cbb1f81a39c77e24154568d924927d4bbe7400bd4cbac5adfab008552af7802681bedd4ebee3258bc6a35b28

Download Submit
\Program Files (x86)\Actual\nw_elf.dll

Filesize
538KB

MD5
e2081aa984a673b1bd454e0b0bb98d60

SHA1
7fdc08cc249af92c7dc9e44d48d3c618bea7c665

SHA256
636003441ba35f6b00ccabc83a5f03eab2a286d7aca109208e910e6fafa7ba1a

SHA512
39bc2bbadc07b15ce4947c1f225710695d053dc739e494ec052e4b83398d44a349b202ce690af8fbeb86cae15670c60823587246aa67490d3ffee16441a4044c

Download Submit
memory/2316-12-0x0000000002470000-0x000000000251E000-memory.dmp

Filesize
696KB

Download
memory/2316-7-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2948-33-0x0000000074660000-0x0000000074B8E000-memory.dmp

Filesize
5.2MB

Download
memory/2948-38-0x0000000074660000-0x0000000074B8E000-memory.dmp

Filesize
5.2MB

Download
memory/2948-26-0x00000000022E0000-0x000000000238E000-memory.dmp

Filesize
696KB

Download
memory/2948-22-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/2948-20-0x0000000074660000-0x0000000074B8E000-memory.dmp

Filesize
5.2MB

Download
memory/2948-34-0x0000000074660000-0x0000000074B8E000-memory.dmp

Filesize
5.2MB

Download
memory/2948-35-0x0000000074660000-0x0000000074B8E000-memory.dmp

Filesize
5.2MB

Download
memory/2948-36-0x0000000074660000-0x0000000074B8E000-memory.dmp

Filesize
5.2MB

Download
memory/2948-37-0x0000000074660000-0x0000000074B8E000-memory.dmp

Filesize
5.2MB

Download
memory/2948-27-0x00000000021D0000-0x00000000021FA000-memory.dmp

Filesize
168KB

Download
memory/2948-39-0x0000000074660000-0x0000000074B8E000-memory.dmp

Filesize
5.2MB

Download
memory/2948-40-0x0000000074660000-0x0000000074B8E000-memory.dmp

Filesize
5.2MB

Download
memory/2948-41-0x0000000074660000-0x0000000074B8E000-memory.dmp

Filesize
5.2MB

Download
memory/2948-42-0x0000000074660000-0x0000000074B8E000-memory.dmp

Filesize
5.2MB

Download
memory/2948-43-0x0000000074660000-0x0000000074B8E000-memory.dmp

Filesize
5.2MB

Download
memory/2948-44-0x0000000074660000-0x0000000074B8E000-memory.dmp

Filesize
5.2MB

Download
memory/2948-45-0x0000000074660000-0x0000000074B8E000-memory.dmp

Filesize
5.2MB

Download
memory/2948-46-0x0000000074660000-0x0000000074B8E000-memory.dmp

Filesize
5.2MB

Download
memory/2948-47-0x0000000074660000-0x0000000074B8E000-memory.dmp

Filesize
5.2MB

Download