Overview

overview

10

Static

static

3

名单助手I.exe

windows7-x64

10

名单助手I.exe

windows10-2004-x64

10

说明.pdf

windows7-x64

3

说明.pdf

windows10-2004-x64

3

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-09-2024 08:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    名单助手I.exe

  • Size

    6.1MB

  • MD5

    74f27f7c16f1df18dabb2e7cdaa1a972

  • SHA1

    d333a571677f1472d5fd26ffa43ad2f96dde18fd

  • SHA256

    fc1f2107672a4af330678c2dd2ca7a2701e8d79123c339292a72f0d31ce296a0

  • SHA512

    b07c3e66674b6809d6773a8d1387dcca6859698ecd4a0c37aac0bc6103fa25efa0d6ea6dd342c68201b21dcc54ae80c9c1fc2a9aeee70022d690570fb287b12b

  • SSDEEP

    98304:LYYX5YQmdT8PRv0J0hx09BSpKki9jBGrisYdMLU9V09DsL2qEKqjb:kiby94pFKjBGr97eL

Score
10/10
fatalratdefense_evasiondiscoveryinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 2 IoCs
    ratinfostealer
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\名单助手I.exe
    "C:\Users\Admin\AppData\Local\Temp\名单助手I.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2292
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {2B56B8AC-4004-4E60-BCDF-F2E5BE2A025D} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\ProgramData\BRARAU\UDTDTDI.exe
      C:\ProgramData\BRARAU\UDTDTDI.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c del /q C:\ProgramData\BRARAU\UDTDTDI.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:812

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\BRARAU\MSVCP100.dll
    Filesize

    411KB

    MD5

    bc83108b18756547013ed443b8cdb31b

    SHA1

    79bcaad3714433e01c7f153b05b781f8d7cb318d

    SHA256

    b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

    SHA512

    6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

    Download Submit

  • C:\ProgramData\BRARAU\MSVCR100.dll
    Filesize

    755KB

    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

    Download Submit

  • C:\ProgramData\BRARAU\UDTDTDI.exe
    Filesize

    86KB

    MD5

    03706618a4b880538f086fae374b06cd

    SHA1

    87af405c4ed70d56f555bc0c781f7f1fdd0c9b68

    SHA256

    04db5fd77a016d339c642639cd5338e7c7777d9b66344c04c325f1e4c57fa00f

    SHA512

    da5c6744f1fd5fde838af7635a48971910b08a7ca06018e05df85891e3bfbca59b65c4341763480c638ad3ddbae431a2419ac3b3c55135486b68b3e686acb682

    Download Submit

  • C:\ProgramData\BRARAU\longlq.cl
    Filesize

    1.2MB

    MD5

    226e469c4965cbabc63ef1485c5963e2

    SHA1

    e103a32e47c97f2b46b4b95bbb18314f74705872

    SHA256

    b28e21033642d097c933e68ce8ee164b059e24e5be38cb1be4a601f0b843e3a0

    SHA512

    89620eb6c344bcc5372979b9ebe6b7c764e648fe4d30ac79bafab97d9d2f962c68967857a6b2a525fb0d3b362557e304aa816b954064178467f5ba77befb664f

    Download Submit

  • C:\ProgramData\BRARAU\mfc100.dll
    Filesize

    2.2MB

    MD5

    513bff6f497ac73f2eeb1a29a2be2403

    SHA1

    dc66451379318a3758fc9da3c484ba9b1e583186

    SHA256

    a29435e99f4972d32e32f8c5355a3f2357c63062d74424afec12d09af55cc63c

    SHA512

    a71f5f3bf10dcd94320b5be3d803571dcd8dd084d39f9513f21d58c1e91ed174358e0aa8ba531d346b5a84448d27ae52f81fadcac275a908e54564227f9d251e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RBRAR\Microsoft\Windows\Start Menu\Programs\startup\website_secure_lnk.lnk
    Filesize

    756B

    MD5

    821fc85376d12fa45e8fbd9665ef41fe

    SHA1

    7889da0be1c38114257c0aca2791948b87c1ca54

    SHA256

    01468077b01d6f291b99322e78166b69389865d68f48e211d83dfbe8e8268ff4

    SHA512

    059373518709192a151c2d781bfb66d260e107147e3036c4e4497ac81cb10d9469d3375e7f72d561ea74414fbc14145fbdbec2266317e2c457d395a187b23540

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RBRAR\YHYH.exe
    Filesize

    142KB

    MD5

    bbaea75e78b80434b7cd699749b93a97

    SHA1

    c7d151758cb88dee39dbb5f4cd30e7d226980dde

    SHA256

    c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

    SHA512

    7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

    Download Submit

  • C:\Users\Public\QAQAT9
    Filesize

    1.5MB

    MD5

    e9e37a7603e15e9ecfccab2c09195c1c

    SHA1

    608796a01018a79ebf99135bcd47588569f66f01

    SHA256

    b14c4e4b9a405da0301c4b2975a0043708d2b85eef4430bc898e2fca310d2c05

    SHA512

    ead174f8518a2032f3a45744dc5f0f094d851b0ade50ce1b3f1c9044504f6818428c842bd67fc63da093bfadb096621bb13850cc31a13a743d813f81f95792cc

    Download Submit

  • memory/2292-1-0x0000000180000000-0x00000001802CC000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2292-51-0x0000000001E30000-0x0000000002419000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2292-0-0x0000000001E30000-0x0000000002419000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2292-3-0x0000000004170000-0x0000000004431000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2292-87-0x0000000001E30000-0x0000000002419000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2756-73-0x0000000000150000-0x000000000018B000-memory.dmp

    Filesize

    236KB

    Download

  • memory/2756-75-0x00000000005A0000-0x00000000005D2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2756-76-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2756-81-0x0000000000150000-0x000000000018B000-memory.dmp

    Filesize

    236KB

    Download

  • memory/2756-88-0x0000000000150000-0x000000000018B000-memory.dmp

    Filesize

    236KB

    Download