Analysis
-
max time kernel
149s -
max time network
292s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
10-09-2024 12:00
Static task
static1
Behavioral task
behavioral1
Sample
MF.rar
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
MF.rar
Resource
win10v2004-20240802-en
General
-
Target
MF.rar
-
Size
2.1MB
-
MD5
eed0d2091538ec14cf4ab86b27a896de
-
SHA1
5a9675ab6414bd8fa80ebb32d341059c4ee96513
-
SHA256
1760d602c9fc8043652f0d965c8b4f8e9810c21b9e3d85b38e5094d5d6a2843e
-
SHA512
fd853c4185100a2dd4c59238308385622aeb61d422c484989b857b6dafcbd723a761c1dde77903360f998523861120ed7248db549b58f376867cf1ffe94d4951
-
SSDEEP
49152:HtGkOOocZy+ymNHJ24Naai+DUqJ4RjZpdrDiBf61ieean7n:NGkOOocZy+ymhNaaCY4rphGBfaBn
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload 2 IoCs
resource yara_rule behavioral2/memory/1700-62-0x0000000002F30000-0x0000000002F5A000-memory.dmp fatalrat behavioral2/memory/1772-106-0x0000000002AB0000-0x0000000002ADA000-memory.dmp fatalrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation thelper.exe -
Executes dropped EXE 2 IoCs
pid Process 1700 thelper.exe 1772 thelper.exe -
Loads dropped DLL 26 IoCs
pid Process 1700 thelper.exe 1700 thelper.exe 1700 thelper.exe 1700 thelper.exe 1700 thelper.exe 1700 thelper.exe 1700 thelper.exe 1700 thelper.exe 1700 thelper.exe 1700 thelper.exe 1700 thelper.exe 1700 thelper.exe 1700 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thelper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thelper.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 thelper.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz thelper.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings OpenWith.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe 1772 thelper.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeRestorePrivilege 4616 7zG.exe Token: 35 4616 7zG.exe Token: SeSecurityPrivilege 4616 7zG.exe Token: SeSecurityPrivilege 4616 7zG.exe Token: SeDebugPrivilege 1700 thelper.exe Token: SeDebugPrivilege 1772 thelper.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4616 7zG.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2336 OpenWith.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1700 wrote to memory of 1772 1700 thelper.exe 104 PID 1700 wrote to memory of 1772 1700 thelper.exe 104 PID 1700 wrote to memory of 1772 1700 thelper.exe 104
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\MF.rar1⤵
- Modifies registry class
PID:3292
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2336
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1200
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\MF\" -spe -an -ai#7zMap2194:84:7zEvent203301⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4616
-
C:\ProgramData\Microsoft\MF\thelper.exe"C:\ProgramData\Microsoft\MF\thelper.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Users\Admin\AppData\Local\thelper.exe"C:\Users\Admin\AppData\Local\thelper.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
214KB
MD55d2ea1b6fd1cc5d08e455e7ad51e0f4c
SHA11b0bd077db590bcdcd5226208b02cb5a63f8c646
SHA2569fb667f6f3fa36e5c06795e09996f3c4e2a531bf722a02e999b0862d512893a9
SHA512f37b46ffa4fd75bd74a71221440fa373657fec6f943812e7f56304de5f57ad4ddf9465de9b39f338af2978c7105ca6af973556b772ffa86ca49c418861c5f3ae
-
Filesize
900KB
MD50f1dec57c5b19ce955213acdb4b8a806
SHA110fc8761f5a4b0eb03b7c71f65cddf4cad43bd18
SHA256034f10e6615ad547e54a66d2096831934ff30e72293553c4f432fb8f2f06160f
SHA51292aeadd53e682bfe35b849e751fb8eed98af643040e4da3e1bf24817ad1c540834607470a29e750e0e73525fb154f155c76a04c8435b79dcdbc1ea7464eddd5f
-
Filesize
209KB
MD51bc7af7a8512cf79d4f0efc5cb138ce3
SHA168fd202d9380cacd2f8e0ce06d8df1c03c791c5b
SHA256ef474b18f89310c067a859d55abd4e4f42fdac732e49eafe4246545e36872a62
SHA51284de4d193d22a305be2ba28fc67bd1cccf83616cead721e57347f1b2e0736d351fef1abf168f7914caa1bcc7a72db43769991016673cd4646def544802ee8960
-
Filesize
730KB
MD574c75ae5b97ad708dbe6f69d3a602430
SHA1a02764d99b44ce4b1d199ef0f8ce73431d094a6a
SHA25689fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2
SHA51252c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada
-
Filesize
249KB
MD55362cb2efe55c6d6e9b51849ec0706b2
SHA1d91acbe95dedc3bcac7ec0051c04ddddd5652778
SHA2561d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40
SHA512dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5
-
Filesize
2.4MB
MD50abbe96e1f7a254e23a80f06a1018c69
SHA10b83322fd5e18c9da8c013a0ed952cffa34381ae
SHA25610f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4
SHA5122924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58
-
Filesize
1.6MB
MD56a718dd2abeb2eed131f1cc806ac5779
SHA1c33f8b477b44030efd9687e4da3fa6865a2d9ec9
SHA25643d45a8a3a80192738b62071dcb5f8d4a8bccbe5291fff4885ef0905ca6184c6
SHA512c0967fb8e40f737eb282c1ffef05f30e61b7ff7c889d43da85fb2ddd123d3f69daeabe5ea5609d5f87b1c84b27bcb3b3e11290bae5643c2dfe8c296d2e18fa6c
-
Filesize
668KB
MD55ff790879aab8078884eaac71affeb4a
SHA159352663fdcf24bb01c1f219410e49c15b51d5c5
SHA256cceca70f34bbcec861a02c3700de79ea17d80c0a7b9f33d7edd1357a714e0f2f
SHA51234fbaffc48912e3d3fa2d224e001121e8b36f5be7284a33eb31d306b9a5c00de6e23a9fdc1a17a61fb1371768f0b0e30b9c6e899a08c735fc70482d5aa8ea824
-
Filesize
157KB
MD5bb1922dfbdd99e0b89bec66c30c31b73
SHA1f7a561619c101ba9b335c0b3d318f965b8fc1dfb
SHA25676457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99
SHA5123054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a
-
Filesize
239KB
MD52e3ea2f95bfec380e7e79be332fd2012
SHA1ff5d3be9b93e29342a27db14a69708ab6ad7807e
SHA256b38def2980035b94f706a53b27ae7f9d31c41831b46fb70712b10a73b5068095
SHA51291d79bf7c163769bd24ecc6c3b24c642a8a72d90b059297958ac01e7a8baa270954f501c25458a3df5f27fee24510d903a9a1f4b5f664f5f4152385b7f8a0906
-
Filesize
225KB
MD58a8f890b8858b103c8b212f23530e57a
SHA1bda99503cb1d61774f6bac690d0cd2f55987c3f1
SHA256cace00054b96a7d71f42f4d838e4288b0e2872de541669114df5d79d72f67d40
SHA5126b50e5c792693d85796f9338f4a35c14ea9df2fe24b20662a664a146867708000afc39ac1cf47dbb66b4ba325bbf03fae6d4e03d9c28613402469d189e7b871d
-
Filesize
62KB
MD537163aacc5534fbab012fb505be8d647
SHA173de6343e52180a24c74f4629e38a62ed8ad5f81
SHA2560a6357a8852daaafe7aed300e2f7e69d993cac4156e882baa8a3a56b583255ba
SHA512c3bed1c9bc58652ed16b162ed16a93cf7479a0492db7e6ea577001dbe859affc0b20387d93d23e06e73f49f395e4c9a5a07680f000ebb82d32269742c16a5242