fatalrat | 21abda79f36a35a73e04ce6d2b90abec526c5575e00697a5ce4ba250a90db9f9

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-08-2024 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2aec427bdda04e2f418336af55348490N.exe
Size

192KB
MD5

2aec427bdda04e2f418336af55348490
SHA1

19c9fc510bb60430141db6a9c2b7a10cf27c5321
SHA256

21abda79f36a35a73e04ce6d2b90abec526c5575e00697a5ce4ba250a90db9f9
SHA512

c7cbca8a6fb02a29d933e7a6aa0f0407e3d8ffd33930c7ebc63a557193165e1cd5db6a185a8e7afae6df324e3a7b9feede7f2a03b071542fdf86f682293c179d
SSDEEP

3072:T1ltd5LZseWDzoPZ6WS6BLfvgaSlpcD+05f:NSzkPDNGEf

Score

10^/10

fatalrat discovery infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/1288-0-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat
behavioral1/memory/1288-19-0x0000000000400000-0x0000000000430000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

Processes:

Abcdef.exeAbcdef.exe

pid	Process
1928	Abcdef.exe
1936	Abcdef.exe

Drops file in Windows directory 4 IoCs

Processes:

2aec427bdda04e2f418336af55348490N.exeAbcdef.exe

description	ioc	Process
File created	C:\Windows\Abcdef.exe	2aec427bdda04e2f418336af55348490N.exe
File opened for modification	C:\Windows\Abcdef.exe	2aec427bdda04e2f418336af55348490N.exe
File opened for modification	C:\Windows\Abcdef.exe	Abcdef.exe
File created	C:\Windows\Abcdef.exe	Abcdef.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Abcdef.exe2aec427bdda04e2f418336af55348490N.exeAbcdef.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcdef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2aec427bdda04e2f418336af55348490N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcdef.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

Abcdef.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Abcdef Hijklmno	Abcdef.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	Abcdef.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	Abcdef.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services	Abcdef.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Abcdef Hijklmno\Group = "Fatal"	Abcdef.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Abcdef Hijklmno\InstallTime = "2024-08-13 04:56"	Abcdef.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2aec427bdda04e2f418336af55348490N.exe

pid	Process
1288	2aec427bdda04e2f418336af55348490N.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2aec427bdda04e2f418336af55348490N.exeAbcdef.exeAbcdef.exe

description	pid	Process
Token: SeDebugPrivilege	1288	2aec427bdda04e2f418336af55348490N.exe
Token: SeDebugPrivilege	1928	Abcdef.exe
Token: SeDebugPrivilege	1936	Abcdef.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Abcdef.exe

description	pid	Process	procid_target
PID 1928 wrote to memory of 1936	1928	Abcdef.exe	31
PID 1928 wrote to memory of 1936	1928	Abcdef.exe	31
PID 1928 wrote to memory of 1936	1928	Abcdef.exe	31
PID 1928 wrote to memory of 1936	1928	Abcdef.exe	31

C:\Users\Admin\AppData\Local\Temp\2aec427bdda04e2f418336af55348490N.exe
"C:\Users\Admin\AppData\Local\Temp\2aec427bdda04e2f418336af55348490N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\Abcdef.exe
C:\Windows\Abcdef.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\Abcdef.exe
  C:\Windows\Abcdef.exe Win7
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Abcdef.exe

Filesize
192KB

MD5
2aec427bdda04e2f418336af55348490

SHA1
19c9fc510bb60430141db6a9c2b7a10cf27c5321

SHA256
21abda79f36a35a73e04ce6d2b90abec526c5575e00697a5ce4ba250a90db9f9

SHA512
c7cbca8a6fb02a29d933e7a6aa0f0407e3d8ffd33930c7ebc63a557193165e1cd5db6a185a8e7afae6df324e3a7b9feede7f2a03b071542fdf86f682293c179d

Download Submit
memory/1288-0-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1288-19-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download