Analysis
max time kernel: 104s
max time network: 137s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 01-09-2024 09:11
Static task: static1
Behavioral task: behavioral1
  Sample: c18b16e062fb0af0bb9d4ab468d153b69a52942fed0087d8fd488a0b927a361a.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: c18b16e062fb0af0bb9d4ab468d153b69a52942fed0087d8fd488a0b927a361a.exe
  Resource: win10v2004-20240802-en
General
Target: c18b16e062fb0af0bb9d4ab468d153b69a52942fed0087d8fd488a0b927a361a.exe
Size: 379KB
MD5: 42ef42cd023d2db3c094249ec63fbd99
SHA1: b0a410c4c64ec0455fa64355ee4c673ac07c3081
SHA256: c18b16e062fb0af0bb9d4ab468d153b69a52942fed0087d8fd488a0b927a361a
SHA512: 8e60a394c5556d80673977e15851d23c5480523f4efacf81b4178a0cafd43a257b4c5888e3c8a46816ccbb4ef852a0a2d9f41d6bf8f677c9fdc44a52293f9816
SSDEEP: 6144:u+4ITiKmawBUniLDGpcRbqipUdaXrMjOBvB37WNkGkYpFP41Ftcg74LlgNk+Ilal:u+4P2wDGpcRbOda7MjW53CNTdpa1zUlv
Malware Config
Signatures
- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
- Fatal Rat payload (1 IoC)
  resource: behavioral1/memory/2944-75-0x0000000000300000-0x000000000032A000-memory.dmp, yara_rule: fatalrat
- Executes dropped EXE (1 IoC)
  pid 2944, process SBSBVBa.exe
- Loads dropped DLL (1 IoC)
  pid 2944, process SBSBVBa.exe
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\SBSBVBa.exe, process SBSBVBa.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process SBSBVBa.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, process SBSBVBa.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, process SBSBVBa.exe
- Suspicious behavior: EnumeratesProcesses (53 IoCs)
  pid 1476, process c18b16e062fb0af0bb9d4ab468d153b69a52942fed0087d8fd488a0b927a361a.exe (2 entries)
  pid 2944, process SBSBVBa.exe (the remaining 51 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2944, process SBSBVBa.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2944, process SBSBVBa.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2952 (taskeng.exe) wrote to memory of 2944 (SBSBVBa.exe); 7 identical entries
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\c18b16e062fb0af0bb9d4ab468d153b69a52942fed0087d8fd488a0b927a361a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c18b16e062fb0af0bb9d4ab468d153b69a52942fed0087d8fd488a0b927a361a.exe"
  PID: 1476
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {AB7C8CCB-2D19-451F-AE0C-4195D010439D} S-1-5-21-2172136094-3310281978-782691160-1000:EXCFTDUU\Admin:Interactive:[1]
  PID: 2952
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\8SBRBR\SBSBVBa.exe (child of taskeng.exe)
    Command line: C:\ProgramData\8SBRBR\SBSBVBa.exe
    PID: 2944
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\P9P8S\Microsoft\Windows\Start Menu\Programs\startup\website_secure_lnk.lnk
  Filesize: 756B