Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
21-05-2024 09:39
Static task
static1
Behavioral task
behavioral1
Sample
8P8S8Rn.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
8P8S8Rn.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
ClHook.dll
Resource
win7-20240419-en
Behavioral task
behavioral4
Sample
ClHook.dll
Resource
win10v2004-20240508-en
General
-
Target
8P8S8Rn.exe
-
Size
792KB
-
MD5
db9ecd1b6cb77dba641e37c43059cd8e
-
SHA1
33f024edbbfcc3b0e6a32a1fb0dd59ebbc892737
-
SHA256
7e77b2c548c942947e6e5dc0ba340d51a90d7888fa63e411cc7293a2b88e1fae
-
SHA512
2814c5908fb7668ac238cf1fc5f7d1ab5e604e4336ca0e000f5adad2e65faa03f2e09163e45696bd93a10991b9035d83466c57f256985fee01b71fe2a99facfe
-
SSDEEP
24576:x+9JilRCA7o2hGAkP+/RG9ek7FvFZTAGeO:x+9JilRVx6P+/RuTdzTAGeO
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1304-17-0x00000000027B0000-0x00000000027DA000-memory.dmp fatalrat -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
8P8S8Rn.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 8P8S8Rn.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 8P8S8Rn.exe -
Suspicious behavior: EnumeratesProcesses 51 IoCs
Processes:
8P8S8Rn.exepid Process 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe 1304 8P8S8Rn.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
8P8S8Rn.exedescription pid Process Token: SeDebugPrivilege 1304 8P8S8Rn.exe