fatalrat | 0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d

Analysis

max time kernel
118s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-03-2024 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
Size

1.2MB
MD5

4f3c210c1dca2812a5f5ab5204af0452
SHA1

088b32035675b4c6de57b08ca70492eb82bfe2f7
SHA256

0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d
SHA512

96172a727d3e0074de190c7f1355b1825b5435c92f2328d5b9f68deaf6aa0a706d206197d0e2e467da37a1b3bd4c97fac27f3e33aa26575b0a6f337e699429ca
SSDEEP

24576:SCPiA4TZzM/LGZfnMkDdNOWvqszPUFc9OuQlzE9fzwJVjDKkdog4w+C0YdMpN5Vn:CtMk/vqszMi9OuQlzE9MJhKkSgv+CLm/

Score

10^/10

fatalrat infostealer persistence rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/4224-35-0x0000000010000000-0x0000000010029000-memory.dmp	fatalrat
behavioral2/memory/4224-54-0x00000000005A0000-0x00000000005D0000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	db.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe

Deletes itself 1 IoCs

pid	Process
2280	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
60	db.exe
4224	Agghosts.exe

Loads dropped DLL 2 IoCs

pid	Process
4224	Agghosts.exe
4224	Agghosts.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2636-0-0x0000000000400000-0x00000000005A4000-memory.dmp	upx
behavioral2/memory/2636-1-0x0000000000400000-0x00000000005A4000-memory.dmp	upx
behavioral2/files/0x000c00000002332d-9.dat	upx
behavioral2/memory/60-11-0x0000000000400000-0x0000000000545000-memory.dmp	upx
behavioral2/memory/2636-18-0x0000000000400000-0x00000000005A4000-memory.dmp	upx
behavioral2/memory/60-19-0x0000000000400000-0x0000000000545000-memory.dmp	upx
behavioral2/memory/60-45-0x0000000000400000-0x0000000000545000-memory.dmp	upx
behavioral2/memory/2636-52-0x0000000000400000-0x00000000005A4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Çý¶¯Éú = "C:\\bdantq\\Agghosts.exe"	Agghosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Agghosts.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Agghosts.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	helppane.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	db.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4224	Agghosts.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2388	helppane.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
60	db.exe
60	db.exe
2388	helppane.exe
2388	helppane.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 60	2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe	101
PID 2636 wrote to memory of 60	2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe	101
PID 2636 wrote to memory of 60	2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe	101
PID 2388 wrote to memory of 4224	2388	helppane.exe	104
PID 2388 wrote to memory of 4224	2388	helppane.exe	104
PID 2388 wrote to memory of 4224	2388	helppane.exe	104
PID 60 wrote to memory of 3432	60	db.exe	105
PID 60 wrote to memory of 3432	60	db.exe	105
PID 60 wrote to memory of 3432	60	db.exe	105
PID 2636 wrote to memory of 2280	2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe	106
PID 2636 wrote to memory of 2280	2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe	106
PID 2636 wrote to memory of 2280	2636	0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe	106

C:\Users\Admin\AppData\Local\Temp\0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe
"C:\Users\Admin\AppData\Local\Temp\0b7e750fd4f4216365b186c27d56010944292fc560187caaf6927d39c0475f3d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Public\Pictures\db\db.exe
  C:\Users\Public\Pictures\db\db.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Public\Pictures\db\tem.vbs"
    3⤵
    PID:3432
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
  2⤵
  - Deletes itself
  PID:2280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2240,i,16875000905773190493,11379096115878622792,262144 --variations-seed-version /prefetch:8
1⤵
PID:2940

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388
- C:\bdantq\Agghosts.exe
  "C:\bdantq\Agghosts.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
275B

MD5
0693877e4a90188fe92ff74791081a6c

SHA1
bd3d55f34dfa0873e69926ffb47e32148d14f626

SHA256
a49e3117718d4f83fef1e8614fccbf1a7c0d8b1a224df2f18fa6b5ec44ade416

SHA512
35c2139f575f7f07cf0a889c8758fdb3b2e453ae9a1f5faa575ef9492836418bfacef5898e13f87c528f03e8a57862455126589fe7a48e4b672cc34387a3c601

Download Submit
C:\Users\Public\Pictures\db\db.exe

Filesize
618KB

MD5
a42deae0974ab7c9122370bfba837fe6

SHA1
237ff0b63a56126542a9cb103c7cbfc397ada84b

SHA256
36ad631425f128b45e48d26d11e8750f44aa4d4802d60cff4dc7ab9577639b74

SHA512
9ea8820f7da135a9188b1cca234cdc7080e7dade8b69b9e8c79569fa9c5c49406d8e3b84bdae0b29aa5f836804f9c855f7c662ceb9d152cff1dd01478996fcad

Download Submit
C:\Users\Public\Pictures\db\tem.vbs

Filesize
201B

MD5
95740dcb990d12a2297dbac140eb8e94

SHA1
8ff4077720cbc4fc92ec95f58dbcadf6d63678ed

SHA256
7a6d4c02178dcd0125ba32233aaa32e44e4ee14924fe7cbfcedc8ad75ff2a16e

SHA512
04890f30e412fa5e0d1378a4ce7a47533233ec7d9f846eb9056ff13e8e32eae74341eadcf4283fe4b0d47f675d85a75853984f9df8217cd36d18dd58656bcf12

Download Submit
C:\bdantq\Agghosts.exe

Filesize
23KB

MD5
5aab297fa8f143bfa67310ad78b76d3f

SHA1
5db963c2cca1bc8c8c060c52f7df76ccb477f01a

SHA256
8ec64bc55e5641d7683288e5e8e27c9391f06eb4da096c3d677d8f25ca4d04df

SHA512
c1ee67bd4c6bcfdc4179f905c7abc4ac632c9265b61dd5fdb90eeeec39802abe2cc487a5c8ded8a0748728104170c1b4d3a88904f102e1c3f891fac7702a2256

Download Submit
C:\bdantq\Enpud.png

Filesize
157KB

MD5
6d4775f18b2ee05bb4763d3080d36bbe

SHA1
cdf9525b39409515b350d02b91bff61aac3cd55f

SHA256
23bb3a8e6cd6be562f57e98441888782f8f0d8d8ce456a9a40bf711a68a34c97

SHA512
45368d3468e45324362eded3905d16850136318acf88c9d8d9590f77fb912d423fe52f24ab3b0b4d001605692e2d0627ba1463de533b96724cd25a8548cf9e82

Download Submit
C:\bdantq\QiDianBrowserMgr.dll

Filesize
123KB

MD5
daa799b7defab6d9867c5d519b36611f

SHA1
4020d8587c28df934bd460b4dc953561be61e4ff

SHA256
6cec316645c5abc4f31eb25f3f09f462f843fc73b9c1db79c5f580c6773e8d00

SHA512
52979cb556129d2efd2615001cfd5dab74066c9ed45d46746c02d71f6418b92a61fc5dc4c182089d2bc66d7d1a5e461b8fa60702f872d63194412bc4fa699777

Download Submit
C:\bdantq\VCRUNTIME140.dll

Filesize
77KB

MD5
f107a3c7371c4543bd3908ba729dd2db

SHA1
af8e7e8f446de74db2f31d532e46eab8bbf41e0a

SHA256
00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

SHA512
fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

Download Submit
memory/60-45-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/60-19-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/60-11-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2636-18-0x0000000000400000-0x00000000005A4000-memory.dmp

Filesize
1.6MB

Download
memory/2636-0-0x0000000000400000-0x00000000005A4000-memory.dmp

Filesize
1.6MB

Download
memory/2636-52-0x0000000000400000-0x00000000005A4000-memory.dmp

Filesize
1.6MB

Download
memory/2636-1-0x0000000000400000-0x00000000005A4000-memory.dmp

Filesize
1.6MB

Download
memory/4224-34-0x00000000005A0000-0x00000000005D0000-memory.dmp

Filesize
192KB

Download
memory/4224-35-0x0000000010000000-0x0000000010029000-memory.dmp

Filesize
164KB

Download
memory/4224-54-0x00000000005A0000-0x00000000005D0000-memory.dmp

Filesize
192KB

Download