fatalrat | f74440af1892f606cf6451e65198161aad3860682c89493212d4bccdc8c79526

General

Target

f74440af.exe
Size

116KB
MD5

f31c2f7530ca8417e023cd63275fc471
SHA1

fc93c75f476e09c23bf8d2d784786e1d3378ff3b
SHA256

f74440af1892f606cf6451e65198161aad3860682c89493212d4bccdc8c79526
SHA512

769ff5d8a755df29cc35b80866a54bc51eaaf825b25e5574feeed1eafa282facb313c75e8662a7e408c8fa85c246904e6b8745205771cdc060cfc089f4850a61
SSDEEP

1536:C9f6Z8WQMVCLpcyHruGZdpgW/auSzeA8bE5+i42V9wf9S:TagVCLWGZdpT/auCeBbErzQ9S

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 3 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/4264-20-0x0000000004160000-0x000000000418A000-memory.dmp	fatalrat
behavioral1/memory/3060-54-0x0000000003810000-0x000000000383A000-memory.dmp	fatalrat
behavioral1/memory/3088-73-0x0000000003AA0000-0x0000000003ACA000-memory.dmp	fatalrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
75	452	rundll32.exe
75	452	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	f74440af.exe

Executes dropped EXE 2 IoCs

pid	Process
3060	f74440af.exe
3088	f74440af.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\f74440af.exe	f74440af.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3088 set thread context of 452	3088	f74440af.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4264	f74440af.exe
Token: SeDebugPrivilege	3060	f74440af.exe
Token: SeDebugPrivilege	3088	f74440af.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4264	f74440af.exe
3060	f74440af.exe
3088	f74440af.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 3060	4264	f74440af.exe	94
PID 4264 wrote to memory of 3060	4264	f74440af.exe	94
PID 4264 wrote to memory of 3060	4264	f74440af.exe	94
PID 3088 wrote to memory of 452	3088	f74440af.exe	99
PID 3088 wrote to memory of 452	3088	f74440af.exe	99
PID 3088 wrote to memory of 452	3088	f74440af.exe	99
PID 3088 wrote to memory of 452	3088	f74440af.exe	99

C:\Users\Admin\AppData\Local\Temp\f74440af.exe
"C:\Users\Admin\AppData\Local\Temp\f74440af.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\f74440af.exe
  "C:\Users\Admin\AppData\Local\f74440af.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3060

C:\Users\Admin\AppData\Local\f74440af.exe
C:\Users\Admin\AppData\Local\f74440af.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Windows\SysWOW64\rundll32.exe
  "rundll32.exe"
  2⤵
  - Blocklisted process makes network request
  PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
ef78919c72f594ce2e315025e8001d33

SHA1
309a53ee5520d4d058e71e514d7c9b847b65ee55

SHA256
f2afd6fd4f1f811b3181a2472e3b91705f2c1cf11e0059bab9fcd84e5b07f21d

SHA512
ac0605c84404ede23b23ef96e0c29bacca1055110a5f64ec95062e5be6c52bfb1d96245495c1bf6ddbb16eb020fbc959c66bd2fa0ac1526f2249b42da94fbd8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_9D4DA425A87D27CCBC9A2D24DDA519CA

Filesize
1KB

MD5
f6ddd7c1c94ad8b901fadb917551893d

SHA1
e50d8499feb5d388c5ee60f231b49a5d04f51407

SHA256
3dee85c6e9f447baa1af1621e0bc6b5f342ccf3cf75fce54445a4bf1af479c90

SHA512
4ff7ac063443595a8f58c92e9ac9eb806ba24f0feb8d465a7d26668b14fa535711b2732c4e41626ee063605fca1d9a6761acd9b4301ac77724733d4a320c4323

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
dc91dd24c9941ac9f71f6757feb64287

SHA1
549e28b30ca9a4f83407b7431069e0e78ae08956

SHA256
785acbfab6484749277de14db2146b10434127c4889fce299f63e242c29e621f

SHA512
b24c1a92b11df21078423ec50c6f11c71b45bcdd0408eed20244b8d0ae90f0314332d1a6ca79ec4be998d257b237913de1de2c44fd0edf881c2e0e27d223d225

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_9D4DA425A87D27CCBC9A2D24DDA519CA

Filesize
536B

MD5
b7e7903c48b74d22ba3908ccdd59d36f

SHA1
178f77d55c8afb4618c2fa39650479455b4a6c51

SHA256
b28cb1bfcee8000aa499f94b8f43e0dbf6ddf3cc8d927e439278197f29df27d1

SHA512
ad0181868aa517bca71470e2cdceaffa193a37798ffd3fc747a51d9b22163bab0430e1e4fb9df9eb650fe5ee9832f721f2c82f41fa4a5ba022d33591356d8908

Download Submit
C:\Users\Admin\AppData\Local\f74440af.exe

Filesize
116KB

MD5
f31c2f7530ca8417e023cd63275fc471

SHA1
fc93c75f476e09c23bf8d2d784786e1d3378ff3b

SHA256
f74440af1892f606cf6451e65198161aad3860682c89493212d4bccdc8c79526

SHA512
769ff5d8a755df29cc35b80866a54bc51eaaf825b25e5574feeed1eafa282facb313c75e8662a7e408c8fa85c246904e6b8745205771cdc060cfc089f4850a61

Download Submit
memory/452-78-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/3060-42-0x00000000036B0000-0x00000000036CA000-memory.dmp

Filesize
104KB

Download
memory/3060-54-0x0000000003810000-0x000000000383A000-memory.dmp

Filesize
168KB

Download
memory/3088-61-0x0000000003920000-0x000000000393A000-memory.dmp

Filesize
104KB

Download
memory/3088-73-0x0000000003AA0000-0x0000000003ACA000-memory.dmp

Filesize
168KB

Download
memory/4264-20-0x0000000004160000-0x000000000418A000-memory.dmp

Filesize
168KB

Download
memory/4264-18-0x0000000004120000-0x0000000004152000-memory.dmp

Filesize
200KB

Download
memory/4264-7-0x0000000004100000-0x000000000411A000-memory.dmp

Filesize
104KB

Download
memory/4264-15-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing