fatalrat | a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9

General

Target

a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
Size

5.8MB
MD5

179f2d355033bba2d318869b5def9d66
SHA1

b61009f257da9c1f41ed01514bc70beb645b3d87
SHA256

a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9
SHA512

3577a5137ca3ff58acca3edc36cf556c08763b4141ddd9888139004a3169dee7a16000df44b220a833d11cb82c5e81a7c3ee0a71c349050813b6cd05cbb868b7
SSDEEP

98304:9XqY+0XF02YWwteZJ2WzIgA+4rg+lAaf4/T9GifnRRpcmXsZPjLk60wGvG7z/:9XqFnb9WmRrgOAo6T9GifnRRp5ujLk6z

Score

10^/10

fatalrat infostealer rat vmprotect

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2812-34-0x0000000000100000-0x000000000012A000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
2812	elin_render.exe

Loads dropped DLL 3 IoCs

pid	Process
1368	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
2812	elin_render.exe
2812	elin_render.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1368-2-0x0000000000E50000-0x0000000001A0B000-memory.dmp	vmprotect
behavioral1/memory/1368-6-0x0000000000E50000-0x0000000001A0B000-memory.dmp	vmprotect
behavioral1/memory/1368-29-0x0000000000E50000-0x0000000001A0B000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1368	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Soga64\cvsd.xml	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
File created	C:\Program Files (x86)\Soga64\msvcr100.dll	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
File created	C:\Program Files (x86)\Soga64\elin_render.exe	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
File created	C:\Program Files (x86)\Soga64\libcef.dll	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
File created	C:\Program Files (x86)\Soga64\msvcp100.dll	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1368	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
1368	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
1368	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	elin_render.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1368	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2812	1368	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe	28
PID 1368 wrote to memory of 2812	1368	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe	28
PID 1368 wrote to memory of 2812	1368	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe	28
PID 1368 wrote to memory of 2812	1368	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe	28

C:\Users\Admin\AppData\Local\Temp\a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
"C:\Users\Admin\AppData\Local\Temp\a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Program Files (x86)\Soga64\elin_render.exe
  "C:\Program Files (x86)\Soga64\elin_render.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Soga64\MSVCR100.dll

Filesize
756KB

MD5
ef3e115c225588a680acf365158b2f4a

SHA1
ecda6d3b4642d2451817833b39248778e9c2cbb0

SHA256
25d1cc5be93c7a0b58855ad1f4c9df3cfb9ec87e5dc13db85b147b1951ac6fa8

SHA512
d51f51336b7a34eb6c8f429597c3d685eb53853ee5e9d4857c40fc7be6956f1b8363d8d34bebad15ccceae45a6eb69f105f2df6a672f15fb0e6f8d0bb1afb91a

Download Submit
C:\ProgramData\afd.bin

Filesize
198KB

MD5
c68f04b5648ffe2e351d2f3831d708e5

SHA1
e21871056c7b767bf357a1f5bc399fe7f1248a92

SHA256
e5153b805563b3d00f7a7796d313f60685cc31b3f883fe47887ade617ca076aa

SHA512
8807b38723f37c9b197a0d9f090c00fdd467ceb26ba810767676f16c29d6248a41ac6b41460a6b4972209ca0da5457622ce6b56205d0d27034bc57b6c5069d7d

Download Submit
\Program Files (x86)\Soga64\elin_render.exe

Filesize
471KB

MD5
38b8ba7a0dd581d893e7c4f1a1b8ae11

SHA1
3e12d0260df799b063509a4359a8c0df540c4784

SHA256
6b85e080cc735e5a46a5205ed7177321b8a938fd0875157f149b4b3a414f00de

SHA512
018805a42b56245eaaef656e1cec95a028b64c370c4c5dd0628abc1d3a47c62d630140eaba5ea8d0ea2bb978deb3e0518c7f15027b4254712c5f6dca74061f1f

Download Submit
\Program Files (x86)\Soga64\libcef.dll

Filesize
20KB

MD5
7c1f2006fd5b5deb8f073f47cb22193b

SHA1
415843acd73d59dd13d10254fe1ed2fb563cb835

SHA256
76ab88a981fb6fa69be18214c8c2a2b04f7f5f5945be452ce0488a754bd0dbf7

SHA512
cbcd2b1d17b6a8152147da3920494fd54f5e397aff11473e76ba38aaaca43f33c37016aa0865277f4caaa43d1bad4da787df5f0fa54c2610b3d29ddd6356a1d5

Download Submit
memory/1368-6-0x0000000000E50000-0x0000000001A0B000-memory.dmp

Filesize
11.7MB

Download
memory/1368-5-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1368-0-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1368-3-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1368-2-0x0000000000E50000-0x0000000001A0B000-memory.dmp

Filesize
11.7MB

Download
memory/1368-29-0x0000000000E50000-0x0000000001A0B000-memory.dmp

Filesize
11.7MB

Download
memory/2812-28-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/2812-30-0x0000000001E70000-0x0000000001F1E000-memory.dmp

Filesize
696KB

Download
memory/2812-34-0x0000000000100000-0x000000000012A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing