fatalrat | 0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe

Analysis

max time kernel
135s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 21:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe_NeikiAnalytics.dll
Size

196KB
MD5

f7ae8c4b91a43fb78590b02347b48530
SHA1

b59418954dcf7479726c5d463e6c611404fe6ccd
SHA256

0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe
SHA512

46c7e2b58fa06fe97040c4c9368ed8a967421e575f2d08b9b808e7b50d1113be7d3838b6d76e949be0a87199caca770d0e544c1350a2232a6d76b0584ccd2953
SSDEEP

3072:fRmbICt25LZseWDzoPZ6WS6BLfvgaSlpcD+05f:5ljSzkPDNGEf

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/3016-0-0x0000000001FD0000-0x0000000001FFA000-memory.dmp	fatalrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
22	3016	rundll32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 3016	2520	rundll32.exe	83
PID 2520 wrote to memory of 3016	2520	rundll32.exe	83
PID 2520 wrote to memory of 3016	2520	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe_NeikiAnalytics.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

203.107.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

203.107.17.2.in-addr.arpa

IN PTR

Response

203.107.17.2.in-addr.arpa

IN PTR

a2-17-107-203deploystaticakamaitechnologiescom
DNS

14.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.160.190.20.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

1-31.qq-weixin.org

rundll32.exe

Remote address:

8.8.8.8:53

Request

1-31.qq-weixin.org

IN A

Response

1-31.qq-weixin.org

IN A

103.207.165.4
DNS

4.165.207.103.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.165.207.103.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

144.107.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

144.107.17.2.in-addr.arpa

IN PTR

Response

144.107.17.2.in-addr.arpa

IN PTR

a2-17-107-144deploystaticakamaitechnologiescom
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239351692309_12E985FV6AZCRM3HV&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239351692309_12E985FV6AZCRM3HV&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 276211
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D8C7F56F50FD443B9DB43FCB7FC3C1AC Ref B: LON04EDGE1014 Ref C: 2024-07-01T21:41:48Z
date: Mon, 01 Jul 2024 21:41:48 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239351692308_1QYA5IZ7RRGGSDH4Z&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239351692308_1QYA5IZ7RRGGSDH4Z&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 383394
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 11E78AACF86947D5BE5FA056328BA6FA Ref B: LON04EDGE1014 Ref C: 2024-07-01T21:41:48Z
date: Mon, 01 Jul 2024 21:41:48 GMT
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

10.27.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.27.171.150.in-addr.arpa

IN PTR

Response

103.207.165.4:443

1-31.qq-weixin.org

https

rundll32.exe

1.0kB
461 B
12
11
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239351692308_1QYA5IZ7RRGGSDH4Z&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

26.2kB
689.4kB
513
510

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239351692309_12E985FV6AZCRM3HV&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239351692308_1QYA5IZ7RRGGSDH4Z&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.8kB
15
12

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

203.107.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

203.107.17.2.in-addr.arpa
8.8.8.8:53

14.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.160.190.20.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

1-31.qq-weixin.org

dns

rundll32.exe

64 B
80 B
1
1

DNS Request

1-31.qq-weixin.org

DNS Response

103.207.165.4
8.8.8.8:53

4.165.207.103.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

4.165.207.103.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

144.107.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

144.107.17.2.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

10.27.171.150.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.27.171.150.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3016-0-0x0000000001FD0000-0x0000000001FFA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.