fatalrat | 75f785ffbadc7cc740bde0ed0c60159b1d380e203963228b5da20a94d4aa4a36

Analysis

max time kernel
93s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2024 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meow.exe
Size

3.7MB
MD5

678f94cd567504b5abe86945b6853597
SHA1

a50b572e1cf2d1ac850446b6d585ef6896212054
SHA256

eb171728a9c81a6d2df309353409e9e71bb61561141ec13e66352b196656defa
SHA512

370eb393b367b30ce8bd200777b651613dd11bd4768cc39ca11debc5f93865aa002501796396be24c7eb8947b2e3e945777397ad6ba0bad7d60f411f362069f8
SSDEEP

49152:TV5econWgqDvCts/n1xHlPQTTN3IihvEF6Y4Q7jB2Xp/Td8h2OOm8CeZas5YtYQk:GqD03IfF6Y4Q8VW8daJaLz7

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral3/memory/2416-46-0x0000000002600000-0x000000000262A000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

meow.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	meow.exe

Executes dropped EXE 2 IoCs

Processes:

Rar.exeTigerTrade.exe

pid	Process
4040	Rar.exe
2416	TigerTrade.exe

Loads dropped DLL 3 IoCs

Processes:

TigerTrade.exe

pid	Process
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe

Drops file in Program Files directory 14 IoCs

Processes:

Rar.exemeow.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Fonsd\libcurl32.dll	Rar.exe
File opened for modification	C:\Program Files (x86)\Fonsd\msvcp100d.dll	Rar.exe
File created	C:\Program Files (x86)\Fonsd\msvcr100d.dll	Rar.exe
File created	C:\Program Files (x86)\Fonsd\kxgl.rar	meow.exe
File created	C:\Program Files (x86)\Fonsd\kdsd.dat	Rar.exe
File opened for modification	C:\Program Files (x86)\Fonsd\kdsd.dat	Rar.exe
File created	C:\Program Files (x86)\Fonsd\libcurl32.dll	Rar.exe
File created	C:\Program Files (x86)\Fonsd\version.xml	Rar.exe
File created	C:\Program Files (x86)\Fonsd\Rar.exe	meow.exe
File opened for modification	C:\Program Files (x86)\Fonsd\TigerTrade.exe	Rar.exe
File created	C:\Program Files (x86)\Fonsd\msvcp100d.dll	Rar.exe
File opened for modification	C:\Program Files (x86)\Fonsd\msvcr100d.dll	Rar.exe
File created	C:\Program Files (x86)\Fonsd\TigerTrade.exe	Rar.exe
File opened for modification	C:\Program Files (x86)\Fonsd\version.xml	Rar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TigerTrade.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TigerTrade.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TigerTrade.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

TigerTrade.exe

pid	Process
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe
2416	TigerTrade.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TigerTrade.exe

description	pid	Process
Token: SeDebugPrivilege	2416	TigerTrade.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

meow.exe

pid	Process
4988	meow.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

meow.exe

description	pid	Process	procid_target
PID 4988 wrote to memory of 4040	4988	meow.exe	89
PID 4988 wrote to memory of 4040	4988	meow.exe	89
PID 4988 wrote to memory of 2416	4988	meow.exe	91
PID 4988 wrote to memory of 2416	4988	meow.exe	91
PID 4988 wrote to memory of 2416	4988	meow.exe	91

C:\Users\Admin\AppData\Local\Temp\meow.exe
"C:\Users\Admin\AppData\Local\Temp\meow.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Program Files (x86)\Fonsd\Rar.exe
  "C:\Program Files (x86)\Fonsd\Rar.exe" -y x -pq121 "C:\Program Files (x86)\Fonsd\kxgl.rar" "C:\Program Files (x86)\Fonsd"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4040
- C:\Program Files (x86)\Fonsd\TigerTrade.exe
  "C:\Program Files (x86)\Fonsd\TigerTrade.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fonsd\MSVCP100D.dll

Filesize
725KB

MD5
d9b66b1509639cc71ddc703225c65823

SHA1
143d65a3f90c19ea57fd902f35c4d5ca87db2c1f

SHA256
555eb31b526096c6f6a3b6ee768dad1c1ef5cb8f0165071673164d64e7063f61

SHA512
623c60b12e5ba64d6f507766c273989d2c01aacfc5764e597cfcdb2e7c98d41359e107ff309418062ab1df78af764145a28d855637f3ebff51e8dce548cfe718

Download Submit
C:\Program Files (x86)\Fonsd\MSVCR100D.dll

Filesize
1.4MB

MD5
b245bf00ba8c1196dbf8c2bd5dec9f60

SHA1
3090b2365ef1c3dbb378d309ee4b9aa811548e07

SHA256
80e8c0147f9960c8982092a4b43329835dc394036306bdd1a763bb59eb3d751b

SHA512
45b453c117fe3ae541eb9af0f8c7fff12dba4c83c95b6ab53027ba5650e44483738cbac34b2847b5830697c66d537dcbc54e76c0235ce7bfa3f9aacdfce685a3

Download Submit
C:\Program Files (x86)\Fonsd\Rar.exe

Filesize
610KB

MD5
91b1e70294418479f6929551114a350e

SHA1
a45ca37a1d8d511d2a99e37c269a32b06d95b6ff

SHA256
3d928eec6336b69a4d706cd462f064f673cbe77906ac3d66367f53347369c25e

SHA512
f07c02a024b2beb1c6ede849a4f98b3995979085935a82b964eefafb05936a6340994489df4e56c19201e6d7277bd6e551b0e0419b5648897e5eff73a687017a

Download Submit
C:\Program Files (x86)\Fonsd\TigerTrade.exe

Filesize
714KB

MD5
7eaa5ad690d17e4486a0661c4d19390e

SHA1
616bc9cf471b8c31cf598155e276619ad8604f26

SHA256
8878e7a7a8d67efc7512c694bdb06c1d6032406625b1c4b54316389a61b7323f

SHA512
c768b88608b07fa5755d9f6c9123140b971b83a684819f75ab055568c99329c267db65da985a26a5a265053a85bee41df0bb6bb7fa7d516ebedb7f1c326973c3

Download Submit
C:\Program Files (x86)\Fonsd\kdsd.dat

Filesize
198KB

MD5
549af62420bf054e967a2e1c5bb88769

SHA1
043dc0cccd0337e83cc2aa45b572fd83584b6c82

SHA256
0c2dcd599299c084fc53384d9eb9f50ac3d74a96029b50b4bf3ccd9aa209897d

SHA512
547148f4c9c97acae26431af818e6ae94834ac85284b1fab8603ce654b2c889e9467addecb8b6db23fa36cf420bf6f5251bf3009a4926db3777dbe06cc715123

Download Submit
C:\Program Files (x86)\Fonsd\kxgl.rar

Filesize
983KB

MD5
8b6c4c199ceaec646e5327344b6a6378

SHA1
2a01e8723150dfd1d41f0d7e21ffee8cb3091274

SHA256
68eb458a1bdd633974204fcabdc8c080a07a8f38014f8b239477a3748fbbb841

SHA512
742c5975e99d454179e3ba9fb9d2a606a11b2a370b976823b01ddbcff7b6bbf12967d057754f48a517431defc3847057e38c206b72d52027f113d3aa1902eb22

Download Submit
C:\Program Files (x86)\Fonsd\libcurl32.dll

Filesize
89KB

MD5
13f6a45f1fa2a9062043187853d80b6e

SHA1
47714495a5da5ce0d618c09968f5c1eb974e58e2

SHA256
3989529d0b281fc8089c401f048ccc68779a22f15ab2cbcb2ed2f88b57f7a019

SHA512
7add760587356d402c28ee1f8325fed69504bb2c4a71bd94f19b63c27128ae6634edbef8051da196c8861f81af30e498888087aa4fe54c80944063acee500d50

Download Submit
C:\Program Files (x86)\Fonsd\version.xml

Filesize
78KB

MD5
4d131aaeb59faae63dff5a6d093974ce

SHA1
07d7ab499eb9d4bb2129da3770a12482151eed62

SHA256
ea41d914a432760b84b0bee2206eae0b28299f8d871ef02151f1ef090ad7b392

SHA512
efeecf70efafba15cbc5c193b3332162e6eec612931ff543b7517a148a7db3cd0d71282c84a08417c8e16d62054d2ec454534aa8b7275fce94ca6f1ffe7efbfc

Download Submit
memory/2416-36-0x00000000024E0000-0x00000000025B4000-memory.dmp

Filesize
848KB

Download
memory/2416-34-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2416-41-0x00000000025C0000-0x00000000025F1000-memory.dmp

Filesize
196KB

Download
memory/2416-44-0x00000000028B0000-0x0000000002984000-memory.dmp

Filesize
848KB

Download
memory/2416-46-0x0000000002600000-0x000000000262A000-memory.dmp

Filesize
168KB

Download