fatalrat | c6840499137c0459503885d127af9313a060b2c9ec24c861c96219db6b997d0c

Analysis

max time kernel
94s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

名单助手I.exe
Size

6.1MB
MD5

74f27f7c16f1df18dabb2e7cdaa1a972
SHA1

d333a571677f1472d5fd26ffa43ad2f96dde18fd
SHA256

fc1f2107672a4af330678c2dd2ca7a2701e8d79123c339292a72f0d31ce296a0
SHA512

b07c3e66674b6809d6773a8d1387dcca6859698ecd4a0c37aac0bc6103fa25efa0d6ea6dd342c68201b21dcc54ae80c9c1fc2a9aeee70022d690570fb287b12b
SSDEEP

98304:LYYX5YQmdT8PRv0J0hx09BSpKki9jBGrisYdMLU9V09DsL2qEKqjb:kiby94pFKjBGr97eL

Score

10^/10

fatalrat gh0strat defense_evasion discovery infostealer rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3192-93-0x0000000003CB0000-0x0000000003DFD000-memory.dmp	family_gh0strat
behavioral2/memory/3192-95-0x0000000003CB0000-0x0000000003DFD000-memory.dmp	family_gh0strat
behavioral2/memory/3192-96-0x0000000003CB0000-0x0000000003DFD000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Fatal Rat payload 2 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral2/memory/3192-77-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat
behavioral2/memory/3192-82-0x00000000025F0000-0x0000000002622000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

P8O8R8I.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	P8O8R8I.exe

Executes dropped EXE 1 IoCs

Processes:

P8O8R8I.exe

pid	Process
3192	P8O8R8I.exe

Loads dropped DLL 3 IoCs

Processes:

P8O8R8I.exe

pid	Process
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3192-90-0x0000000003CB0000-0x0000000003DFD000-memory.dmp	upx
behavioral2/memory/3192-93-0x0000000003CB0000-0x0000000003DFD000-memory.dmp	upx
behavioral2/memory/3192-95-0x0000000003CB0000-0x0000000003DFD000-memory.dmp	upx
behavioral2/memory/3192-96-0x0000000003CB0000-0x0000000003DFD000-memory.dmp	upx

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 1 IoCs

Processes:

P8O8R8I.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\P8O8R8I.exe	P8O8R8I.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

P8O8R8I.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	P8O8R8I.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

P8O8R8I.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	P8O8R8I.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	P8O8R8I.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

名单助手I.exeP8O8R8I.exe

pid	Process
316	名单助手I.exe
316	名单助手I.exe
316	名单助手I.exe
316	名单助手I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe
3192	P8O8R8I.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

P8O8R8I.exe

description	pid	Process
Token: SeDebugPrivilege	3192	P8O8R8I.exe
Token: SeDebugPrivilege	3192	P8O8R8I.exe
Token: SeIncBasePriorityPrivilege	3192	P8O8R8I.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

P8O8R8I.exe

description	pid	Process	procid_target
PID 3192 wrote to memory of 3532	3192	P8O8R8I.exe	98
PID 3192 wrote to memory of 3532	3192	P8O8R8I.exe	98
PID 3192 wrote to memory of 3532	3192	P8O8R8I.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\名单助手I.exe
"C:\Users\Admin\AppData\Local\Temp\名单助手I.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:316

C:\ProgramData\VFYEYH\P8O8R8I.exe
C:\ProgramData\VFYEYH\P8O8R8I.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /q C:\ProgramData\VFYEYH\P8O8R8I.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VFYEYH\MSVCP100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\ProgramData\VFYEYH\P8O8R8I.exe

Filesize
86KB

MD5
03706618a4b880538f086fae374b06cd

SHA1
87af405c4ed70d56f555bc0c781f7f1fdd0c9b68

SHA256
04db5fd77a016d339c642639cd5338e7c7777d9b66344c04c325f1e4c57fa00f

SHA512
da5c6744f1fd5fde838af7635a48971910b08a7ca06018e05df85891e3bfbca59b65c4341763480c638ad3ddbae431a2419ac3b3c55135486b68b3e686acb682

Download Submit
C:\ProgramData\VFYEYH\longlq.cl

Filesize
1.2MB

MD5
226e469c4965cbabc63ef1485c5963e2

SHA1
e103a32e47c97f2b46b4b95bbb18314f74705872

SHA256
b28e21033642d097c933e68ce8ee164b059e24e5be38cb1be4a601f0b843e3a0

SHA512
89620eb6c344bcc5372979b9ebe6b7c764e648fe4d30ac79bafab97d9d2f962c68967857a6b2a525fb0d3b362557e304aa816b954064178467f5ba77befb664f

Download Submit
C:\ProgramData\VFYEYH\mfc100.dll

Filesize
2.2MB

MD5
513bff6f497ac73f2eeb1a29a2be2403

SHA1
dc66451379318a3758fc9da3c484ba9b1e583186

SHA256
a29435e99f4972d32e32f8c5355a3f2357c63062d74424afec12d09af55cc63c

SHA512
a71f5f3bf10dcd94320b5be3d803571dcd8dd084d39f9513f21d58c1e91ed174358e0aa8ba531d346b5a84448d27ae52f81fadcac275a908e54564227f9d251e

Download Submit
C:\ProgramData\VFYEYH\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\M5M5L\UAUA.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Admin\AppData\Roaming\M5M5L\website_secure_lnk.lnk

Filesize
797B

MD5
7fde03e25220da4df5b30157a55e328c

SHA1
dcbe95238f85f70a8e4a7d1d4ea9d66f0a5ca156

SHA256
af14585ae73070bc2652191edf0e8362f48acaf2a5f3911835f8de0944693ed3

SHA512
dc1474cd776ca4f21e4db9fec3cdb204b7ca943560764560a607adad9e63730936ed5e88f95c63c2262c4167dd2db6fd12a532bc6543293f0fb0e9c9b049ade9

Download Submit
C:\Users\Public\EYEXHX

Filesize
1.5MB

MD5
e9e37a7603e15e9ecfccab2c09195c1c

SHA1
608796a01018a79ebf99135bcd47588569f66f01

SHA256
b14c4e4b9a405da0301c4b2975a0043708d2b85eef4430bc898e2fca310d2c05

SHA512
ead174f8518a2032f3a45744dc5f0f094d851b0ade50ce1b3f1c9044504f6818428c842bd67fc63da093bfadb096621bb13850cc31a13a743d813f81f95792cc

Download Submit
memory/316-48-0x0000000003060000-0x0000000003649000-memory.dmp

Filesize
5.9MB

Download
memory/316-0-0x0000000003060000-0x0000000003649000-memory.dmp

Filesize
5.9MB

Download
memory/316-1-0x0000000180000000-0x00000001802CC000-memory.dmp

Filesize
2.8MB

Download
memory/316-6-0x00000000042B0000-0x0000000004571000-memory.dmp

Filesize
2.8MB

Download
memory/316-89-0x0000000003060000-0x0000000003649000-memory.dmp

Filesize
5.9MB

Download
memory/3192-82-0x00000000025F0000-0x0000000002622000-memory.dmp

Filesize
200KB

Download
memory/3192-77-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/3192-74-0x00000000025F0000-0x0000000002622000-memory.dmp

Filesize
200KB

Download
memory/3192-83-0x0000000002640000-0x000000000267B000-memory.dmp

Filesize
236KB

Download
memory/3192-75-0x0000000002640000-0x000000000267B000-memory.dmp

Filesize
236KB

Download
memory/3192-90-0x0000000003CB0000-0x0000000003DFD000-memory.dmp

Filesize
1.3MB

Download
memory/3192-93-0x0000000003CB0000-0x0000000003DFD000-memory.dmp

Filesize
1.3MB

Download
memory/3192-95-0x0000000003CB0000-0x0000000003DFD000-memory.dmp

Filesize
1.3MB

Download
memory/3192-96-0x0000000003CB0000-0x0000000003DFD000-memory.dmp

Filesize
1.3MB

Download
memory/3192-97-0x0000000002640000-0x000000000267B000-memory.dmp

Filesize
236KB

Download