fatalrat | b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668

Analysis

max time kernel
119s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe
Size

789KB
MD5

17d107bf7243f76070c91cfeb18ed71e
SHA1

9f85566ad0ee040546411e38d9882054f396f621
SHA256

b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668
SHA512

684a4693f527f46983f6841dddab803bc36fc37152fd3c1ab2d441d3a559dd3fda37d5a145ef528efa8eddafe87ad996c140379922cc0da77e460a2120694900
SSDEEP

12288:0ubsNSOetfARQAPyGU+UwHbLl0tgT1MeQc57fPXzU8MpNfEz6Nw9x:0ubsnafAPyjs7LPP7ff5MpNfo6NSx

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2556-20-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
2556	客户端安全防范.exe

Loads dropped DLL 4 IoCs

pid	Process
2972	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe
2972	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe
2972	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe
2972	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	客户端安全防范.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	客户端安全防范.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe
2556	客户端安全防范.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2516	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2972	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe
Token: SeRestorePrivilege	2972	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe
Token: SeDebugPrivilege	2556	客户端安全防范.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2516	AcroRd32.exe
2516	AcroRd32.exe
2516	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2556	2972	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe	28
PID 2972 wrote to memory of 2556	2972	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe	28
PID 2972 wrote to memory of 2556	2972	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe	28
PID 2972 wrote to memory of 2556	2972	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe	28
PID 2972 wrote to memory of 2516	2972	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe	29
PID 2972 wrote to memory of 2516	2972	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe	29
PID 2972 wrote to memory of 2516	2972	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe	29
PID 2972 wrote to memory of 2516	2972	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe	29

C:\Users\Admin\AppData\Local\Temp\b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe
"C:\Users\Admin\AppData\Local\Temp\b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\客户端安全防范.exe
  "C:\Users\Admin\AppData\Local\Temp\客户端安全防范.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\客户端安全防范.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\客户端安全防范.pdf

Filesize
269KB

MD5
d9a15b0221f217a9ae7e2aa169e7cff1

SHA1
f54b71f1524a9adc7654335160e06d7088b63a63

SHA256
126c9b425f2d8f1945ae175761f91de7af1538de12d68083df9fc4283eb76908

SHA512
939edd5c87fca83388044f9b75722073df1a85bb2638ad2001933c9863785eb2fa1deebeb20b2701691768dc0b4ae4a9a08cbb8557953f6f5a0a0f3261512635

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
529ca50b1d36c6a79d431dc988ee1793

SHA1
146f8e909193915fafca6a549a3256de33d48a3e

SHA256
1286c9fcbb2366a8106733041577e7b700e2de69398f8c6e01f85f9806a05f27

SHA512
df8c357052037495d4676d9f1b8e3fa217890ccc1ebf98927109b2c0c861b8cac0021a8f35439eff49a172c0dbbbb0f1374002e6635df063b365991af6c59296

Download Submit
\Users\Admin\AppData\Local\Temp\客户端安全防范.exe

Filesize
192KB

MD5
35c9b6da794925ee797ce0f6aff3b65b

SHA1
8b2b5d61fc207ffc1483af64da93b61ea6f822f3

SHA256
032fa2a25fe3191577ef3e046b524d1af6d7a94619603309a36d8746f02a8238

SHA512
bcc4576d8f61a02711823e0cc66d9e008006335a28ead8b39cbe5459cf37c88b14c5aa086467c7a3cbb0c8f9f34197fcc30996dda3fc4a030949bc72599c1ecf

Download Submit
memory/2556-20-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download