fatalrat | 60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
Size

1.1MB
MD5

fe2b01af685e7055401f945e1da3413a
SHA1

e07d8853b67cad9130812b010cede9f47cde686b
SHA256

60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612
SHA512

c4d33395bae02650c0da06259cf4bd3ecde293adde4c18d908773ef4f73b06573f4ac0d92c0156cbd623084b64a8deadf698717686996742b4e4ee3ae065a931
SSDEEP

24576:poi7PS3m+tm6PhdxOEQeygp8iJRPmBh78fNw3B4xlfVyyYzni5s:Ak/kp8GRPqh7y23B4xHyyYz

Score

10^/10

fatalrat infostealer persistence rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/2320-34-0x0000000000CE0000-0x0000000000D10000-memory.dmp	fatalrat
behavioral2/memory/2320-35-0x0000000010000000-0x0000000010029000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	ov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe

Deletes itself 1 IoCs

pid	Process
2324	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
3644	ov.exe
2320	Agghosts.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	Agghosts.exe
2320	Agghosts.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4920-0-0x0000000000400000-0x0000000000595000-memory.dmp	upx
behavioral2/memory/4920-1-0x0000000000400000-0x0000000000595000-memory.dmp	upx
behavioral2/files/0x0007000000023336-9.dat	upx
behavioral2/memory/3644-11-0x0000000000400000-0x0000000000545000-memory.dmp	upx
behavioral2/memory/4920-18-0x0000000000400000-0x0000000000595000-memory.dmp	upx
behavioral2/memory/3644-19-0x0000000000400000-0x0000000000545000-memory.dmp	upx
behavioral2/memory/3644-45-0x0000000000400000-0x0000000000545000-memory.dmp	upx
behavioral2/memory/4920-51-0x0000000000400000-0x0000000000595000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Çý¶¯Éú = "C:\\dhrnnj\\Agghosts.exe"	Agghosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Agghosts.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Agghosts.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	helppane.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	ov.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	Agghosts.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3028	helppane.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
3644	ov.exe
3644	ov.exe
3028	helppane.exe
3028	helppane.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 3644	4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe	101
PID 4920 wrote to memory of 3644	4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe	101
PID 4920 wrote to memory of 3644	4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe	101
PID 3028 wrote to memory of 2320	3028	helppane.exe	104
PID 3028 wrote to memory of 2320	3028	helppane.exe	104
PID 3028 wrote to memory of 2320	3028	helppane.exe	104
PID 3644 wrote to memory of 4696	3644	ov.exe	105
PID 3644 wrote to memory of 4696	3644	ov.exe	105
PID 3644 wrote to memory of 4696	3644	ov.exe	105
PID 4920 wrote to memory of 2324	4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe	106
PID 4920 wrote to memory of 2324	4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe	106
PID 4920 wrote to memory of 2324	4920	60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe	106

C:\Users\Admin\AppData\Local\Temp\60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe
"C:\Users\Admin\AppData\Local\Temp\60f3c8dfebe163f474fc691bcd6ff5dd008ee01125ac0672b8561755ddb78612.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Public\Pictures\ov\ov.exe
  C:\Users\Public\Pictures\ov\ov.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Public\Pictures\ov\tem.vbs"
    3⤵
    PID:4696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
  2⤵
  - Deletes itself
  PID:2324

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028
- C:\dhrnnj\Agghosts.exe
  "C:\dhrnnj\Agghosts.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
275B

MD5
d774e3336b7cc910f6c999c0dec27849

SHA1
2056bf57c62008e2715e270d5f414c93a71a7dbc

SHA256
f5205b1dd0b4113858fed0d3b33b0713174c54c6ff8dae37ac99427eae1b2e14

SHA512
6db90f157a4a8d5e488bfb38a6c0136bc3c1fc65ed8d33118c520f2dbda53d72cb51a94d774edb430ddbf4c96a160af4213da1844479e2d24c31c4ac29265221

Download Submit
C:\Users\Public\Pictures\ov\ov.exe

Filesize
618KB

MD5
42e3ff02624af409baad3dbce6c75157

SHA1
e411abc73bed5fd672d3588d9db0f06f93d4969e

SHA256
678eb3f0c74171692335675e08c5d5921554c4e3dc98a29478e4d544204526be

SHA512
1f6ddffc287fa351d886c3409549f90dcee66d41dbff820c927d02cc67b787346df80fba2051d4a76a9cd5b6e417969acf3370577076bc1ea6fb2681c65a500f

Download Submit
C:\Users\Public\Pictures\ov\tem.vbs

Filesize
201B

MD5
691ee8d802649eeeabe0034c35df1b06

SHA1
d2a6875bd8ff59a16bcde7a300ed5a6b9a434f8b

SHA256
fab2652c8f0404b42c49b8e030527f465dd8f5cac157b3dfa327bc85239ef67c

SHA512
1a2a379fee464604dcabcba2c800e3a2e83888bbb29b93787aa8ec4f510257e3ee3bd8d166fa5b79fa70777e09c76f24964d7eaf648bcfd2da57b3c22d9a9a2b

Download Submit
C:\dhrnnj\Agghosts.exe

Filesize
23KB

MD5
5aab297fa8f143bfa67310ad78b76d3f

SHA1
5db963c2cca1bc8c8c060c52f7df76ccb477f01a

SHA256
8ec64bc55e5641d7683288e5e8e27c9391f06eb4da096c3d677d8f25ca4d04df

SHA512
c1ee67bd4c6bcfdc4179f905c7abc4ac632c9265b61dd5fdb90eeeec39802abe2cc487a5c8ded8a0748728104170c1b4d3a88904f102e1c3f891fac7702a2256

Download Submit
C:\dhrnnj\Enpud.png

Filesize
157KB

MD5
083695ee2461e132175382f6e5fdb406

SHA1
a7cbca531965347369a5ad1880d1cd04e07fd495

SHA256
408fc0f25c7f15b118b62aa791d9a341766e4a9c0c68b428305f7b27c9b340d8

SHA512
edd84627591eb712320b4d4b8e239ba72c3708ec302bb7db621d4b98d7582cb5eb56b579a96c8b666381d8c636e44e1b5a54fb40de80bb15cbc157255aa951e2

Download Submit
C:\dhrnnj\QiDianBrowserMgr.dll

Filesize
124KB

MD5
257288f9dea07264b8f33be282582990

SHA1
2916c8e54e176086e8cfabf61afecc8bbf257a1f

SHA256
8c31cd54e0ea20795a81349af30231bf3b18c4c42c1c5a38664334140a8ab552

SHA512
ad5d275f6d774253f11ac190fe3d6368bec6ad8d80189b1837f3abc7479a00f1e297e4752b79da6de051986aaefeeb4f29eefff9b43e8a06f61a2c5765faf05a

Download Submit
C:\dhrnnj\VCRUNTIME140.dll

Filesize
77KB

MD5
f107a3c7371c4543bd3908ba729dd2db

SHA1
af8e7e8f446de74db2f31d532e46eab8bbf41e0a

SHA256
00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

SHA512
fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

Download Submit
memory/2320-34-0x0000000000CE0000-0x0000000000D10000-memory.dmp

Filesize
192KB

Download
memory/2320-35-0x0000000010000000-0x0000000010029000-memory.dmp

Filesize
164KB

Download
memory/3644-19-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/3644-11-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/3644-45-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4920-0-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/4920-18-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/4920-51-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/4920-1-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download