fatalrat | 0fcfc3b736ef63d17e6f9228d55c91279130686af6d35739c3baa3f383601c82

General

Target

0fcfc3b736ef63d17e6f9228d55c91279130686af6d35739c3baa3f383601c82.exe
Size

1.3MB
MD5

a9e00b6d4710def9b4ba12f1863a9ed4
SHA1

6fd5134897395d91a4c999546b5d2d2b13edbc1e
SHA256

0fcfc3b736ef63d17e6f9228d55c91279130686af6d35739c3baa3f383601c82
SHA512

17e28da55cca3a1a54c3ba5f7364d0815bba4abf92ea16db64aa1bf99a6020e0035361ada584a4fbacf94e5c808adb4dd737e00985740e2d11043ce102066d3c
SSDEEP

24576:J7UwVlkLzIenLlZQsdR4OMqR+sma7+Zk8NbxcN:JdmfnLlTb4OlR+1o+RD

Score

10^/10

fatalrat infostealer persistence rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/2348-30-0x0000000010000000-0x000000001001D000-memory.dmp	fatalrat

Deletes itself 1 IoCs

Processes:

WScript.exe

pid	Process
1476	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

Agghosts.exe

pid	Process
2348	Agghosts.exe

Loads dropped DLL 2 IoCs

Processes:

Agghosts.exe

pid	Process
2348	Agghosts.exe
2348	Agghosts.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2004-0-0x0000000000400000-0x0000000000550000-memory.dmp	upx
behavioral1/memory/2004-11-0x0000000000400000-0x0000000000550000-memory.dmp	upx
behavioral1/memory/2004-39-0x0000000000400000-0x0000000000550000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Agghosts.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Çý¶¯ÎÀÉú = "C:\\qktqnp\\Agghosts.exe"	Agghosts.exe

Drops file in System32 directory 1 IoCs

Processes:

Agghosts.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Agghosts.exe	Agghosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0fcfc3b736ef63d17e6f9228d55c91279130686af6d35739c3baa3f383601c82.exe

pid	Process
2004	0fcfc3b736ef63d17e6f9228d55c91279130686af6d35739c3baa3f383601c82.exe
2004	0fcfc3b736ef63d17e6f9228d55c91279130686af6d35739c3baa3f383601c82.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

helppane.exeAgghosts.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	2620	helppane.exe
Token: SeDebugPrivilege	2348	Agghosts.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

helppane.exe

pid	Process
2620	helppane.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

0fcfc3b736ef63d17e6f9228d55c91279130686af6d35739c3baa3f383601c82.exehelppane.exe

pid	Process
2004	0fcfc3b736ef63d17e6f9228d55c91279130686af6d35739c3baa3f383601c82.exe
2004	0fcfc3b736ef63d17e6f9228d55c91279130686af6d35739c3baa3f383601c82.exe
2620	helppane.exe
2620	helppane.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

helppane.exe0fcfc3b736ef63d17e6f9228d55c91279130686af6d35739c3baa3f383601c82.exe

description	pid	Process	procid_target
PID 2620 wrote to memory of 2348	2620	helppane.exe	31
PID 2620 wrote to memory of 2348	2620	helppane.exe	31
PID 2620 wrote to memory of 2348	2620	helppane.exe	31
PID 2620 wrote to memory of 2348	2620	helppane.exe	31
PID 2004 wrote to memory of 1476	2004	0fcfc3b736ef63d17e6f9228d55c91279130686af6d35739c3baa3f383601c82.exe	32
PID 2004 wrote to memory of 1476	2004	0fcfc3b736ef63d17e6f9228d55c91279130686af6d35739c3baa3f383601c82.exe	32
PID 2004 wrote to memory of 1476	2004	0fcfc3b736ef63d17e6f9228d55c91279130686af6d35739c3baa3f383601c82.exe	32
PID 2004 wrote to memory of 1476	2004	0fcfc3b736ef63d17e6f9228d55c91279130686af6d35739c3baa3f383601c82.exe	32

C:\Users\Admin\AppData\Local\Temp\0fcfc3b736ef63d17e6f9228d55c91279130686af6d35739c3baa3f383601c82.exe
"C:\Users\Admin\AppData\Local\Temp\0fcfc3b736ef63d17e6f9228d55c91279130686af6d35739c3baa3f383601c82.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
  2⤵
  - Deletes itself
  PID:1476

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620
- C:\qktqnp\Agghosts.exe
  "C:\qktqnp\Agghosts.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
275B

MD5
c7edde1977210e31657d60fc722036fc

SHA1
a5463882ca796823794f48ba51e95fdca904a426

SHA256
70002ec35a4443460df23efacac55311fa53ceb1faea483a6ae8089521a620eb

SHA512
25d58ad66cc888dee5d79329fb819fe021bb83224b836b34d103a875a350b4c1ec46c263fcd874c1d93f38fcc991a813ea1533a0e7df85ff55a4c2d7429f587b

Download Submit
C:\qktqnp\Agghosts.exe

Filesize
357KB

MD5
201bd1ec28614133f06d6b5eeaf391db

SHA1
199e42c769d3a2da770fedee28e269525b8bbbee

SHA256
3586a2c0c8a78902df81212faddb166c0117e942e53cf5c392895013fc542335

SHA512
8584b60be46c2068de31f6af20f16b802b1a40c95f4337dfca4594f13fe62b700df8010020dd9df1f6a8b9c8831200e7d182d4fb4e9d61e12467dc451b4e5113

Download Submit
C:\qktqnp\Enpud.png

Filesize
121KB

MD5
6db570a71e050759d498d81ae84ad76a

SHA1
4606eab0df235c7ba8fd0f6b3165641438cbc65e

SHA256
bd52ebde1584c4ccfc83833a57683520d46e4c4e3020186607c574b47b9829b9

SHA512
6541c64d351ae893f1dd029168e4493d528ad6e1baaacf1e8aaea6a37e26b667f6a3022b64ac25cd08fe9157eaf7f7e421bff62c72a24ca0a56a7beec19dfe6f

Download Submit
\qktqnp\libcef.dll

Filesize
18KB

MD5
1a7e2f1d4c61ab51cb0d3892574664d5

SHA1
ae63d32802473d501e4b3d0521c5b502bfb688e7

SHA256
72aaaa5a31c7458e8b02a91e53d65b2457c48b183808755a1e67646936b48b7f

SHA512
e9d374f411b5fe28dede95a17def67d09efb84315c00e85a336468c6384a6fdd3d998cd4fb5a930055f7f17af67134c2a907b9b70b32fe539ade74ec9d450cce

Download Submit
\qktqnp\vcruntime140.dll

Filesize
77KB

MD5
f107a3c7371c4543bd3908ba729dd2db

SHA1
af8e7e8f446de74db2f31d532e46eab8bbf41e0a

SHA256
00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

SHA512
fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

Download Submit
memory/2004-0-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2004-11-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2004-39-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2348-30-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2620-22-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads