fatalrat | e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6

Analysis

max time kernel
130s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2024 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
Size

1.1MB
MD5

e1995e1ea6000f8382d98e22aba021ba
SHA1

716aa9a9b4ce87c92a4c9661ebdf8ce4cd0a0d51
SHA256

e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6
SHA512

3015d6738e3f337c63041311053d3ba3059252721eb4f2c926955d78612dd3c0c4941d806270b76db2c0676bec64e7b785ced2b6181d8ff0a5155626d35f6e79
SSDEEP

24576:jh81D9tMyR1ev8r6TmyfPT7MmaR8HzbiXEyvYhINGwApm:jhQmEr6T1fPT/HiXSI0we

Score

10^/10

fatalrat infostealer persistence rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral2/memory/4588-35-0x00000000016E0000-0x0000000001710000-memory.dmp	fatalrat
behavioral2/memory/4588-36-0x0000000010000000-0x0000000010029000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exemd.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	md.exe

Deletes itself 1 IoCs

Processes:

WScript.exe

pid	Process
3204	WScript.exe

Executes dropped EXE 2 IoCs

Processes:

md.exeAgghosts.exe

pid	Process
4028	md.exe
4588	Agghosts.exe

Loads dropped DLL 2 IoCs

Processes:

Agghosts.exe

pid	Process
4588	Agghosts.exe
4588	Agghosts.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000c000000023224-10.dat	upx
behavioral2/memory/4028-12-0x0000000000400000-0x0000000000545000-memory.dmp	upx
behavioral2/memory/4028-20-0x0000000000400000-0x0000000000545000-memory.dmp	upx
behavioral2/memory/4028-45-0x0000000000400000-0x0000000000545000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Agghosts.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Çý¶¯Éú = "C:\\ozujru\\Agghosts.exe"	Agghosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Agghosts.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Agghosts.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Agghosts.exe

Modifies registry class 3 IoCs

Processes:

helppane.exemd.exee127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	helppane.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	md.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe

pid	Process
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Agghosts.exe

description	pid	Process
Token: SeDebugPrivilege	4588	Agghosts.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

helppane.exe

pid	Process
2452	helppane.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exemd.exehelppane.exe

pid	Process
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
4028	md.exe
4028	md.exe
2452	helppane.exe
2452	helppane.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exehelppane.exemd.exe

description	pid	Process	procid_target
PID 1936 wrote to memory of 4028	1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe	96
PID 1936 wrote to memory of 4028	1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe	96
PID 1936 wrote to memory of 4028	1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe	96
PID 2452 wrote to memory of 4588	2452	helppane.exe	98
PID 2452 wrote to memory of 4588	2452	helppane.exe	98
PID 2452 wrote to memory of 4588	2452	helppane.exe	98
PID 4028 wrote to memory of 1744	4028	md.exe	99
PID 4028 wrote to memory of 1744	4028	md.exe	99
PID 4028 wrote to memory of 1744	4028	md.exe	99
PID 1936 wrote to memory of 3204	1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe	100
PID 1936 wrote to memory of 3204	1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe	100
PID 1936 wrote to memory of 3204	1936	e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe	100

C:\Users\Admin\AppData\Local\Temp\e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe
"C:\Users\Admin\AppData\Local\Temp\e127b2751dbf53db3d7b63f55b969ffc419275446168c3c1496ca4a99b3594f6.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Public\Pictures\md\md.exe
  C:\Users\Public\Pictures\md\md.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Public\Pictures\md\tem.vbs"
    3⤵
    PID:1744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
  2⤵
  - Deletes itself
  PID:3204

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452
- C:\ozujru\Agghosts.exe
  "C:\ozujru\Agghosts.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
275B

MD5
23fda4f2ea5f8aa4998f45effabff39c

SHA1
591a10ba19f057b5c550260a723364457661a903

SHA256
adc0da4808d255af2d881fba45d3fcb9decab7fb1616b2282e312109a181461f

SHA512
ddc64835a69c2e3f5057ba5ab9e56b652eea0a9694e5b68ea6573f8281e03bf5fc2da3863a62f14f4c8759aa5b712af95a64e87e8258dd646ccb2488cbe9e9f7

Download Submit
C:\Users\Public\Pictures\md\md.exe

Filesize
618KB

MD5
42e3ff02624af409baad3dbce6c75157

SHA1
e411abc73bed5fd672d3588d9db0f06f93d4969e

SHA256
678eb3f0c74171692335675e08c5d5921554c4e3dc98a29478e4d544204526be

SHA512
1f6ddffc287fa351d886c3409549f90dcee66d41dbff820c927d02cc67b787346df80fba2051d4a76a9cd5b6e417969acf3370577076bc1ea6fb2681c65a500f

Download Submit
C:\Users\Public\Pictures\md\tem.vbs

Filesize
201B

MD5
840f46b36eb4ebba01fc75cbbb51c51f

SHA1
e27aa9d445de870cee195024f5638c322eaff9c6

SHA256
d22f112666cf1e6ab94f04f302ab91f093558ec5b7602a1406e5de580312b93e

SHA512
ffe627c507c08275a1ca481bb4ea6512d03e0110876d60d55ede6314ca7b3c65ada07c88e24761ea7f6f0d4b4fc36ddf1a4ddf27e4b6286171c5d1819e280e1c

Download Submit
C:\ozujru\Agghosts.exe

Filesize
23KB

MD5
5aab297fa8f143bfa67310ad78b76d3f

SHA1
5db963c2cca1bc8c8c060c52f7df76ccb477f01a

SHA256
8ec64bc55e5641d7683288e5e8e27c9391f06eb4da096c3d677d8f25ca4d04df

SHA512
c1ee67bd4c6bcfdc4179f905c7abc4ac632c9265b61dd5fdb90eeeec39802abe2cc487a5c8ded8a0748728104170c1b4d3a88904f102e1c3f891fac7702a2256

Download Submit
C:\ozujru\Enpud.png

Filesize
157KB

MD5
083695ee2461e132175382f6e5fdb406

SHA1
a7cbca531965347369a5ad1880d1cd04e07fd495

SHA256
408fc0f25c7f15b118b62aa791d9a341766e4a9c0c68b428305f7b27c9b340d8

SHA512
edd84627591eb712320b4d4b8e239ba72c3708ec302bb7db621d4b98d7582cb5eb56b579a96c8b666381d8c636e44e1b5a54fb40de80bb15cbc157255aa951e2

Download Submit
C:\ozujru\QiDianBrowserMgr.dll

Filesize
124KB

MD5
257288f9dea07264b8f33be282582990

SHA1
2916c8e54e176086e8cfabf61afecc8bbf257a1f

SHA256
8c31cd54e0ea20795a81349af30231bf3b18c4c42c1c5a38664334140a8ab552

SHA512
ad5d275f6d774253f11ac190fe3d6368bec6ad8d80189b1837f3abc7479a00f1e297e4752b79da6de051986aaefeeb4f29eefff9b43e8a06f61a2c5765faf05a

Download Submit
C:\ozujru\vcruntime140.dll

Filesize
77KB

MD5
f107a3c7371c4543bd3908ba729dd2db

SHA1
af8e7e8f446de74db2f31d532e46eab8bbf41e0a

SHA256
00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

SHA512
fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1936-2-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1936-0-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1936-19-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1936-1-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1936-52-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/4028-12-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4028-45-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4028-20-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4588-36-0x0000000010000000-0x0000000010029000-memory.dmp

Filesize
164KB

Download
memory/4588-35-0x00000000016E0000-0x0000000001710000-memory.dmp

Filesize
192KB

Download