fatalrat | ae3efb1b411272af7b33672451bd5826202a22670de9d45e924ee4f630694aad

General

Target

ae3efb1b411272af7b33672451bd5826202a22670de9d45e924ee4f630694aad.dll
Size

988KB
MD5

9c1ef756d041773c4bbea023053137b6
SHA1

9aa542b974a7f4efb97032d9b41a3695b5c629c4
SHA256

ae3efb1b411272af7b33672451bd5826202a22670de9d45e924ee4f630694aad
SHA512

09db098308e88450f67a3c9d1d696417b7f02241879d85855d164280ed9a9596dcbe6a96d4f9bf0b473a6fbcb4d37f2681385d59b86a0dca987b8e002b80d277
SSDEEP

24576:yj3A8X9TeaAr64xW/9muOBCXMq8Xu/mjJk5YrbqIVZSySsL:CXct9xcouOsXMHXuMJZrbqIWy

Score

10^/10

fatalrat evasion infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 17 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2976-3-0x0000000010000000-0x000000001022E000-memory.dmp	fatalrat
behavioral1/memory/2976-4-0x0000000000AD0000-0x0000000000AFA000-memory.dmp	fatalrat
behavioral1/memory/2976-14-0x0000000010000000-0x000000001022E000-memory.dmp	fatalrat
behavioral1/memory/2976-15-0x0000000010000000-0x000000001022E000-memory.dmp	fatalrat
behavioral1/memory/2976-16-0x0000000010000000-0x000000001022E000-memory.dmp	fatalrat
behavioral1/memory/2976-17-0x0000000010000000-0x000000001022E000-memory.dmp	fatalrat
behavioral1/memory/2976-18-0x0000000010000000-0x000000001022E000-memory.dmp	fatalrat
behavioral1/memory/2976-19-0x0000000010000000-0x000000001022E000-memory.dmp	fatalrat
behavioral1/memory/2976-20-0x0000000010000000-0x000000001022E000-memory.dmp	fatalrat
behavioral1/memory/2976-21-0x0000000010000000-0x000000001022E000-memory.dmp	fatalrat
behavioral1/memory/2976-22-0x0000000010000000-0x000000001022E000-memory.dmp	fatalrat
behavioral1/memory/2976-23-0x0000000010000000-0x000000001022E000-memory.dmp	fatalrat
behavioral1/memory/2976-24-0x0000000010000000-0x000000001022E000-memory.dmp	fatalrat
behavioral1/memory/2976-25-0x0000000010000000-0x000000001022E000-memory.dmp	fatalrat
behavioral1/memory/2976-26-0x0000000010000000-0x000000001022E000-memory.dmp	fatalrat
behavioral1/memory/2976-27-0x0000000010000000-0x000000001022E000-memory.dmp	fatalrat
behavioral1/memory/2976-28-0x0000000010000000-0x000000001022E000-memory.dmp	fatalrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe

Blocklisted process makes network request 8 IoCs

flow	pid	Process
2	2976	rundll32.exe
3	2976	rundll32.exe
4	2976	rundll32.exe
5	2976	rundll32.exe
6	2976	rundll32.exe
7	2976	rundll32.exe
8	2976	rundll32.exe
9	2976	rundll32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2976	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2976	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2976	2956	rundll32.exe	28
PID 2956 wrote to memory of 2976	2956	rundll32.exe	28
PID 2956 wrote to memory of 2976	2956	rundll32.exe	28
PID 2956 wrote to memory of 2976	2956	rundll32.exe	28
PID 2956 wrote to memory of 2976	2956	rundll32.exe	28
PID 2956 wrote to memory of 2976	2956	rundll32.exe	28
PID 2956 wrote to memory of 2976	2956	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae3efb1b411272af7b33672451bd5826202a22670de9d45e924ee4f630694aad.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae3efb1b411272af7b33672451bd5826202a22670de9d45e924ee4f630694aad.dll,#1
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Blocklisted process makes network request
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2976-0-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-1-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-2-0x0000000077A90000-0x0000000077A92000-memory.dmp

Filesize
8KB

Download
memory/2976-3-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-5-0x00000000007A0000-0x00000000007A2000-memory.dmp

Filesize
8KB

Download
memory/2976-7-0x00000000008E0000-0x00000000008E2000-memory.dmp

Filesize
8KB

Download
memory/2976-9-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2976-11-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/2976-13-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2976-10-0x0000000000900000-0x0000000000910000-memory.dmp

Filesize
64KB

Download
memory/2976-4-0x0000000000AD0000-0x0000000000AFA000-memory.dmp

Filesize
168KB

Download
memory/2976-14-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-15-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-16-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-17-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-18-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-19-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-20-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-21-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-22-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-23-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-24-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-25-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-26-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-27-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-28-0x0000000010000000-0x000000001022E000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads