fatalrat | a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9

General

Target

a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
Size

5.8MB
MD5

179f2d355033bba2d318869b5def9d66
SHA1

b61009f257da9c1f41ed01514bc70beb645b3d87
SHA256

a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9
SHA512

3577a5137ca3ff58acca3edc36cf556c08763b4141ddd9888139004a3169dee7a16000df44b220a833d11cb82c5e81a7c3ee0a71c349050813b6cd05cbb868b7
SSDEEP

98304:9XqY+0XF02YWwteZJ2WzIgA+4rg+lAaf4/T9GifnRRpcmXsZPjLk60wGvG7z/:9XqFnb9WmRrgOAo6T9GifnRRp5ujLk6z

Score

10^/10

fatalrat infostealer rat vmprotect

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/3272-31-0x0000000000590000-0x00000000005BA000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe

Executes dropped EXE 1 IoCs

pid	Process
3272	elin_render.exe

Loads dropped DLL 2 IoCs

pid	Process
3272	elin_render.exe
3272	elin_render.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2672-2-0x0000000000CA0000-0x000000000185B000-memory.dmp	vmprotect
behavioral2/memory/2672-4-0x0000000000CA0000-0x000000000185B000-memory.dmp	vmprotect
behavioral2/memory/2672-28-0x0000000000CA0000-0x000000000185B000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2672	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Soga64\libcef.dll	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
File created	C:\Program Files (x86)\Soga64\msvcp100.dll	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
File created	C:\Program Files (x86)\Soga64\cvsd.xml	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
File created	C:\Program Files (x86)\Soga64\msvcr100.dll	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
File created	C:\Program Files (x86)\Soga64\elin_render.exe	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2672	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
2672	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
2672	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
2672	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
2672	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
2672	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3272	elin_render.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2672	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 3272	2672	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe	91
PID 2672 wrote to memory of 3272	2672	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe	91
PID 2672 wrote to memory of 3272	2672	a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe	91

C:\Users\Admin\AppData\Local\Temp\a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe
"C:\Users\Admin\AppData\Local\Temp\a371b5d9937f2bad39c5a4c2077c4ebecb8b9a265404ea63d02f32641eb61da9.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Program Files (x86)\Soga64\elin_render.exe
  "C:\Program Files (x86)\Soga64\elin_render.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Soga64\elin_render.exe

Filesize
381KB

MD5
5d8c485a839787e0eb9729879e38b7ce

SHA1
4d0f660d09f3ccce48a5b0a8b960eef1e1aed6b5

SHA256
ae45c3739e4857ce44a6fe8c656003825fd7dd9dd3103316d66fc46963d11f9b

SHA512
4523535c6f1ca36f2641245becc9396801a16b9a567a2059c6b8a3812efabe3dff5930698530c2fcb893788650df14feebd093029039ed2701c730bf372c8102

Download Submit
C:\Program Files (x86)\Soga64\elin_render.exe

Filesize
92KB

MD5
fa68f2aee2f201cc05119b5ccb477a22

SHA1
94629d64bdb4005877387ccfa619afb8e76ea062

SHA256
73c22bc946c1d0dbda651b2a0fbc0a3ac76193210b7d90a18f960ed4f81beb88

SHA512
1761da8dc1a18c253e1c0d338868eb502c0380b8b82564b99ba8ef349486fcbb04c3894b1c5ef322edc2fdd570e1f0a5e8027c9d9226d0690e617c43b281389e

Download Submit
memory/2672-0-0x0000000001970000-0x0000000001971000-memory.dmp

Filesize
4KB

Download
memory/2672-2-0x0000000000CA0000-0x000000000185B000-memory.dmp

Filesize
11.7MB

Download
memory/2672-4-0x0000000000CA0000-0x000000000185B000-memory.dmp

Filesize
11.7MB

Download
memory/2672-28-0x0000000000CA0000-0x000000000185B000-memory.dmp

Filesize
11.7MB

Download
memory/3272-27-0x0000000002580000-0x000000000262E000-memory.dmp

Filesize
696KB

Download
memory/3272-25-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/3272-31-0x0000000000590000-0x00000000005BA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing