Overview

overview

10

Static

static

3

MF.rar

windows7-x64

7

MF.rar

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    292s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-09-2024 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MF.rar

  • Size

    2.1MB

  • MD5

    eed0d2091538ec14cf4ab86b27a896de

  • SHA1

    5a9675ab6414bd8fa80ebb32d341059c4ee96513

  • SHA256

    1760d602c9fc8043652f0d965c8b4f8e9810c21b9e3d85b38e5094d5d6a2843e

  • SHA512

    fd853c4185100a2dd4c59238308385622aeb61d422c484989b857b6dafcbd723a761c1dde77903360f998523861120ed7248db549b58f376867cf1ffe94d4951

  • SSDEEP

    49152:HtGkOOocZy+ymNHJ24Naai+DUqJ4RjZpdrDiBf61ieean7n:NGkOOocZy+ymhNaaCY4rphGBfaBn

Score
10/10
fatalratdiscoveryinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 2 IoCs
    ratinfostealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\MF.rar
    1⤵
    • Modifies registry class
    PID:3292
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2336
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1200
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\MF\" -spe -an -ai#7zMap2194:84:7zEvent20330
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4616
    • C:\ProgramData\Microsoft\MF\thelper.exe
      "C:\ProgramData\Microsoft\MF\thelper.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Users\Admin\AppData\Local\thelper.exe
        "C:\Users\Admin\AppData\Local\thelper.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1772

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\MF\Mi.jpg
      Filesize

      214KB

      MD5

      5d2ea1b6fd1cc5d08e455e7ad51e0f4c

      SHA1

      1b0bd077db590bcdcd5226208b02cb5a63f8c646

      SHA256

      9fb667f6f3fa36e5c06795e09996f3c4e2a531bf722a02e999b0862d512893a9

      SHA512

      f37b46ffa4fd75bd74a71221440fa373657fec6f943812e7f56304de5f57ad4ddf9465de9b39f338af2978c7105ca6af973556b772ffa86ca49c418861c5f3ae

      Download Submit

    • C:\ProgramData\Microsoft\MF\XLFSIO.dll
      Filesize

      900KB

      MD5

      0f1dec57c5b19ce955213acdb4b8a806

      SHA1

      10fc8761f5a4b0eb03b7c71f65cddf4cad43bd18

      SHA256

      034f10e6615ad547e54a66d2096831934ff30e72293553c4f432fb8f2f06160f

      SHA512

      92aeadd53e682bfe35b849e751fb8eed98af643040e4da3e1bf24817ad1c540834607470a29e750e0e73525fb154f155c76a04c8435b79dcdbc1ea7464eddd5f

      Download Submit

    • C:\ProgramData\Microsoft\MF\XLFSIO2.dll
      Filesize

      209KB

      MD5

      1bc7af7a8512cf79d4f0efc5cb138ce3

      SHA1

      68fd202d9380cacd2f8e0ce06d8df1c03c791c5b

      SHA256

      ef474b18f89310c067a859d55abd4e4f42fdac732e49eafe4246545e36872a62

      SHA512

      84de4d193d22a305be2ba28fc67bd1cccf83616cead721e57347f1b2e0736d351fef1abf168f7914caa1bcc7a72db43769991016673cd4646def544802ee8960

      Download Submit

    • C:\ProgramData\Microsoft\MF\XLGraphic.dll
      Filesize

      730KB

      MD5

      74c75ae5b97ad708dbe6f69d3a602430

      SHA1

      a02764d99b44ce4b1d199ef0f8ce73431d094a6a

      SHA256

      89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2

      SHA512

      52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

      Download Submit

    • C:\ProgramData\Microsoft\MF\XLLuaRuntime.dll
      Filesize

      249KB

      MD5

      5362cb2efe55c6d6e9b51849ec0706b2

      SHA1

      d91acbe95dedc3bcac7ec0051c04ddddd5652778

      SHA256

      1d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40

      SHA512

      dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5

      Download Submit

    • C:\ProgramData\Microsoft\MF\XLUE.dll
      Filesize

      2.4MB

      MD5

      0abbe96e1f7a254e23a80f06a1018c69

      SHA1

      0b83322fd5e18c9da8c013a0ed952cffa34381ae

      SHA256

      10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4

      SHA512

      2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

      Download Submit

    • C:\ProgramData\Microsoft\MF\ic.dll
      Filesize

      1.6MB

      MD5

      6a718dd2abeb2eed131f1cc806ac5779

      SHA1

      c33f8b477b44030efd9687e4da3fa6865a2d9ec9

      SHA256

      43d45a8a3a80192738b62071dcb5f8d4a8bccbe5291fff4885ef0905ca6184c6

      SHA512

      c0967fb8e40f737eb282c1ffef05f30e61b7ff7c889d43da85fb2ddd123d3f69daeabe5ea5609d5f87b1c84b27bcb3b3e11290bae5643c2dfe8c296d2e18fa6c

      Download Submit

    • C:\ProgramData\Microsoft\MF\libexpat.dll
      Filesize

      668KB

      MD5

      5ff790879aab8078884eaac71affeb4a

      SHA1

      59352663fdcf24bb01c1f219410e49c15b51d5c5

      SHA256

      cceca70f34bbcec861a02c3700de79ea17d80c0a7b9f33d7edd1357a714e0f2f

      SHA512

      34fbaffc48912e3d3fa2d224e001121e8b36f5be7284a33eb31d306b9a5c00de6e23a9fdc1a17a61fb1371768f0b0e30b9c6e899a08c735fc70482d5aa8ea824

      Download Submit

    • C:\ProgramData\Microsoft\MF\libpng13.dll
      Filesize

      157KB

      MD5

      bb1922dfbdd99e0b89bec66c30c31b73

      SHA1

      f7a561619c101ba9b335c0b3d318f965b8fc1dfb

      SHA256

      76457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99

      SHA512

      3054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a

      Download Submit

    • C:\ProgramData\Microsoft\MF\mt.dll
      Filesize

      239KB

      MD5

      2e3ea2f95bfec380e7e79be332fd2012

      SHA1

      ff5d3be9b93e29342a27db14a69708ab6ad7807e

      SHA256

      b38def2980035b94f706a53b27ae7f9d31c41831b46fb70712b10a73b5068095

      SHA512

      91d79bf7c163769bd24ecc6c3b24c642a8a72d90b059297958ac01e7a8baa270954f501c25458a3df5f27fee24510d903a9a1f4b5f664f5f4152385b7f8a0906

      Download Submit

    • C:\ProgramData\Microsoft\MF\thelper.exe
      Filesize

      225KB

      MD5

      8a8f890b8858b103c8b212f23530e57a

      SHA1

      bda99503cb1d61774f6bac690d0cd2f55987c3f1

      SHA256

      cace00054b96a7d71f42f4d838e4288b0e2872de541669114df5d79d72f67d40

      SHA512

      6b50e5c792693d85796f9338f4a35c14ea9df2fe24b20662a664a146867708000afc39ac1cf47dbb66b4ba325bbf03fae6d4e03d9c28613402469d189e7b871d

      Download Submit

    • C:\ProgramData\Microsoft\MF\zlib1.dll
      Filesize

      62KB

      MD5

      37163aacc5534fbab012fb505be8d647

      SHA1

      73de6343e52180a24c74f4629e38a62ed8ad5f81

      SHA256

      0a6357a8852daaafe7aed300e2f7e69d993cac4156e882baa8a3a56b583255ba

      SHA512

      c3bed1c9bc58652ed16b162ed16a93cf7479a0492db7e6ea577001dbe859affc0b20387d93d23e06e73f49f395e4c9a5a07680f000ebb82d32269742c16a5242

      Download Submit

    • memory/1700-82-0x0000000021C90000-0x0000000021D7F000-memory.dmp

      Filesize

      956KB

      Download

    • memory/1700-41-0x0000000001230000-0x000000000126F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1700-50-0x0000000001290000-0x00000000012C5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1700-56-0x0000000074A70000-0x0000000074CA6000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/1700-36-0x0000000021C90000-0x0000000021D7F000-memory.dmp

      Filesize

      956KB

      Download

    • memory/1700-59-0x0000000002EF0000-0x0000000002F21000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1700-62-0x0000000002F30000-0x0000000002F5A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1700-95-0x0000000074A70000-0x0000000074CA6000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/1700-39-0x0000000001120000-0x0000000001228000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1772-101-0x0000000074A70000-0x0000000074CA6000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/1772-106-0x0000000002AB0000-0x0000000002ADA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1772-102-0x0000000002FE0000-0x0000000003011000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1772-94-0x0000000000E90000-0x0000000001106000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/1772-91-0x0000000000D00000-0x0000000000D35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1772-100-0x0000000021C90000-0x0000000021D7F000-memory.dmp

      Filesize

      956KB

      Download

    • memory/1772-88-0x00000000008D0000-0x000000000090F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1772-111-0x0000000021C90000-0x0000000021D7F000-memory.dmp

      Filesize

      956KB

      Download

    • memory/1772-112-0x0000000074A70000-0x0000000074CA6000-memory.dmp

      Filesize

      2.2MB

      Download