fatalrat | 94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc

Analysis

max time kernel
160s
max time network
169s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
Size

888KB
MD5

0a6f134168a6b2274ecbd1ffac7f2baf
SHA1

79154b96f2fa68e98e7effe466027472fb4be523
SHA256

94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc
SHA512

27f80b5a816592ad37c65ffd70e86891ef163c74a14a8d72b3bac31023888f2f610be07fa201e3b7a8b6ce00646d5c5684768719af1a18edc26123b61091c0b3
SSDEEP

24576:BlPrXQ/dKgXwQ4DbEM7VG3dDDy7FhK0fVTwmXOry3ACK2lQE7:BlzXQ/d/M7VGNveiCBwmXSA

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/2876-8709-0x0000000000400000-0x00000000004F3000-memory.dmp	fatalrat
behavioral1/memory/1732-17411-0x0000000000400000-0x00000000004F3000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

Processes:

94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe

pid	Process
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe

Loads dropped DLL 2 IoCs

Processes:

94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe

pid	Process
2876	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
2876	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs

Processes:

94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe

pid	Process
2876	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
2876	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe

description	pid	Process
Token: SeDebugPrivilege	2876	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
Token: SeDebugPrivilege	1732	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe

description	pid	Process	procid_target
PID 2876 wrote to memory of 1732	2876	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe	29
PID 2876 wrote to memory of 1732	2876	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe	29
PID 2876 wrote to memory of 1732	2876	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe	29
PID 2876 wrote to memory of 1732	2876	94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe	29

C:\Users\Admin\AppData\Local\Temp\94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
"C:\Users\Admin\AppData\Local\Temp\94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe
  "C:\Users\Admin\AppData\Local\94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe

Filesize
888KB

MD5
0a6f134168a6b2274ecbd1ffac7f2baf

SHA1
79154b96f2fa68e98e7effe466027472fb4be523

SHA256
94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc

SHA512
27f80b5a816592ad37c65ffd70e86891ef163c74a14a8d72b3bac31023888f2f610be07fa201e3b7a8b6ce00646d5c5684768719af1a18edc26123b61091c0b3

Download Submit
C:\Users\Admin\AppData\Local\94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe

Filesize
448KB

MD5
eb96a3a75c6a421149f44f830d08a7e2

SHA1
72417254b8a41b954222f2d29d2648e9dee49461

SHA256
ee3e57a2337c3a8ea5f39749915ae91cb3f02edcf67217325409ec216ab5ecda

SHA512
a5153e04cbcc89175a29c7d14439f441f02265feee6555a22fbe6ee05c3974c17762588dbb3ddeb37c49f87e15216087d414aabd854b12e7e8c5b3fe4a647b60

Download Submit
C:\Users\Admin\AppData\Local\94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe

Filesize
320KB

MD5
637aa010708609564d4639c7ff4a2fb7

SHA1
8049c5622ee140078f8f7918994e734f551a887f

SHA256
a9e0c85f62a5ee31b36b33e792e7624b83b3694ebb0a3069fd49a6074af4aa98

SHA512
4b51ad19a476eccedb902a21c3a1de240a27faf391e068670f6aa6dce95e954a8e9c1ed1a3f4351ce121e80fe239062285d11075c4ed6e7786685dd1d17a3631

Download Submit
\Users\Admin\AppData\Local\94c42770a1fcfd7ca4da5b31863e888e63937a7ef3937db52826d5a10e2f38fc.exe

Filesize
704KB

MD5
93fbc8c262993a0a3534c8c4ad4793d0

SHA1
74f44165558b59ee6200ce78509e88c13ed8d694

SHA256
3d282d3a0b06b9b78b873090e880f8afbb1fc22919258d29990f19ebf9bef9be

SHA512
c492d88dee839c368c3e6f71ff40cb043ec35cab9aa97b1e9b5cce666753f81c60788bb43656024b44c6ed4a5f15b7e268423b496e78f7328d5d46caf151466f

Download Submit
memory/1732-17411-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1732-17402-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1732-17397-0x0000000001FB0000-0x00000000020C1000-memory.dmp

Filesize
1.1MB

Download
memory/1732-11257-0x0000000002160000-0x00000000022E1000-memory.dmp

Filesize
1.5MB

Download
memory/1732-8710-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2876-854-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-862-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-828-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-830-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-832-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-834-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-836-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-838-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-840-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-844-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-842-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-846-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-848-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-850-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-852-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-0-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2876-856-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-858-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-860-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-826-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-864-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-866-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-868-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-870-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-872-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-2547-0x0000000001F10000-0x0000000002091000-memory.dmp

Filesize
1.5MB

Download
memory/2876-8686-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-8691-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2876-824-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-822-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-8709-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2876-820-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-8707-0x0000000002F40000-0x0000000003033000-memory.dmp

Filesize
972KB

Download
memory/2876-818-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-816-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-814-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-812-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-811-0x00000000021C0000-0x00000000022D1000-memory.dmp

Filesize
1.1MB

Download
memory/2876-1-0x00000000762F0000-0x0000000076337000-memory.dmp

Filesize
284KB

Download