fatalrat | 756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f

General

Target

756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe
Size

713KB
MD5

0b7df39ea0e4d0a980ff69d34c6255cc
SHA1

fdda6465d415b9e146f55480a0831166c8a2e234
SHA256

756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f
SHA512

ca2d86eb519bf346c00499bf5788bc499fae23519492f32914531ec03f8c66253fa9195224206d0ad95ab7d0347c1e5e33fa35196f46064efd49aee247c67ad8
SSDEEP

6144:qcNrqbprPopMFVJnsdPq0TYU4bWmb8pRYp9HtfqQnHlETCf/MiO7OhQPdVw1iied:qcNGPlnsdPhTYUDvU9nHWTFPdxJVQX

Score

10^/10

fatalrat discovery infostealer rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/2648-79-0x0000000000160000-0x000000000018A000-memory.dmp	fatalrat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\ProgramData\6N6Q6Q\mfc100.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

VBVEUEf.exe

pid process

2648 VBVEUEf.exe
Loads dropped DLL 2 IoCs

Processes:

VBVEUEf.exe

pid process

2648 VBVEUEf.exe
2648 VBVEUEf.exe

pid	process
2648	VBVEUEf.exe

pid	process
2648	VBVEUEf.exe
2648	VBVEUEf.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\ProgramData\6N6Q6Q\mfc100.dll	upx
behavioral1/memory/2648-68-0x00000000747E0000-0x0000000074A47000-memory.dmp	upx
behavioral1/memory/2648-91-0x00000000747E0000-0x0000000074A47000-memory.dmp	upx
behavioral1/memory/2648-101-0x00000000747E0000-0x0000000074A47000-memory.dmp	upx
behavioral1/memory/2648-107-0x00000000747E0000-0x0000000074A47000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

VBVEUEf.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\VBVEUEf.exe VBVEUEf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

VBVEUEf.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VBVEUEf.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\VBVEUEf.exe	VBVEUEf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VBVEUEf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe

pid	process
2424	756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe
2424	756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

VBVEUEf.exe

description pid process

Token: SeDebugPrivilege 2648 VBVEUEf.exe

description	pid	process
Token: SeDebugPrivilege	2648	VBVEUEf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2592 wrote to memory of 2648	2592	taskeng.exe	VBVEUEf.exe
PID 2592 wrote to memory of 2648	2592	taskeng.exe	VBVEUEf.exe
PID 2592 wrote to memory of 2648	2592	taskeng.exe	VBVEUEf.exe
PID 2592 wrote to memory of 2648	2592	taskeng.exe	VBVEUEf.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe
"C:\Users\Admin\AppData\Local\Temp\756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2424

C:\Windows\system32\taskeng.exe
taskeng.exe {D8DF3396-9954-4AA6-9B2D-6A30FE2E6009} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\ProgramData\6N6Q6Q\VBVEUEf.exe
  C:\ProgramData\6N6Q6Q\VBVEUEf.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\6N6Q6Q\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\ProgramData\6N6Q6Q\VBVEUEf.exe

Filesize
86KB

MD5
03706618a4b880538f086fae374b06cd

SHA1
87af405c4ed70d56f555bc0c781f7f1fdd0c9b68

SHA256
04db5fd77a016d339c642639cd5338e7c7777d9b66344c04c325f1e4c57fa00f

SHA512
da5c6744f1fd5fde838af7635a48971910b08a7ca06018e05df85891e3bfbca59b65c4341763480c638ad3ddbae431a2419ac3b3c55135486b68b3e686acb682

Download Submit
C:\ProgramData\6N6Q6Q\longlq.cl

Filesize
1.2MB

MD5
1eaf8e0901eb3c862a865def25820db7

SHA1
98eb757704afc7be53d5dd9da9c802fc30650d54

SHA256
2f7b69ed3ae26ba8afb5d33f67a409232ce8d05c789e862dbbdd047e90b805ef

SHA512
e6eee6009ed1d3a92fa08fe1b791b499eeab2b36228d8f56174edaaf1c53596fc5644210dfc8aeac68333ed6db1d9792e410b2faad12d6958765bcf2ab740bf3

Download Submit
C:\Users\Admin\AppData\Roaming\S8SBS\Microsoft\Windows\Start Menu\Programs\startup\website_secure_lnk.lnk

Filesize
756B

MD5
bdd4222277dfc241cc7355dcc35a7864

SHA1
197cf999b45d9512d90782fa9b68540e58e2c5a9

SHA256
8692e85a3291a9f47cc274396035cb9b830e6bd1f4d67d93a841a3f72f506d18

SHA512
d2492794d3518247d6f65b9dbf132d8c91cecc845261139d058b8dd4e9c85905f50860237a1cd5ba36dc39cc9c5e407ecf5a99026dcdcffad8e0ea0e2134b5bc

Download Submit
C:\Users\Admin\AppData\Roaming\S8SBS\P5P8.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Public\M6P5P5

Filesize
1.3MB

MD5
adb876923a9a22fca4a2cbbaca8fb4fd

SHA1
7e6b5306880e5b2c13ec84f2dffddbbafbf58e01

SHA256
8ff46d56ec8df149fdc77b62d2103c2300b71a34bc9c50d93a4116976a15351d

SHA512
65f8b9f028ea30f67b174c511ed61a4ae5755037d4ed6ca28208d3716858137b9637e9a504533055778634aea568f5f99754d58ca0fa019420b01ecc2fbbfac4

Download Submit
\ProgramData\6N6Q6Q\mfc100.dll

Filesize
807KB

MD5
48828df7be1cfbadf55ceb757101d2c0

SHA1
fec86693a2e680791fa38517570a0185d5728cdc

SHA256
86cf458d7330b5c564ea6d858517072095d78234009d69c2411db08af44f5b47

SHA512
348c6a7256a7b309fc5493e6f306ce2a137faffd8cedd859d97bd5bc9def3d4125f2507349cb3f2e59a1cc018d401ec36cccf01a28dba9cf06a70b11afb80b41

Download Submit
memory/2424-0-0x0000000000230000-0x00000000002B6000-memory.dmp

Filesize
536KB

Download
memory/2424-46-0x0000000000230000-0x00000000002B6000-memory.dmp

Filesize
536KB

Download
memory/2424-100-0x0000000000230000-0x00000000002B6000-memory.dmp

Filesize
536KB

Download
memory/2424-1-0x0000000180000000-0x00000001802CC000-memory.dmp

Filesize
2.8MB

Download
memory/2424-4-0x0000000003800000-0x0000000003AC1000-memory.dmp

Filesize
2.8MB

Download
memory/2648-77-0x0000000000870000-0x00000000008A2000-memory.dmp

Filesize
200KB

Download
memory/2648-73-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/2648-78-0x00000000008E0000-0x0000000000907000-memory.dmp

Filesize
156KB

Download
memory/2648-84-0x0000000000C00000-0x0000000000C2D000-memory.dmp

Filesize
180KB

Download
memory/2648-79-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/2648-90-0x0000000000C00000-0x0000000000C2D000-memory.dmp

Filesize
180KB

Download
memory/2648-89-0x0000000000C00000-0x0000000000C2D000-memory.dmp

Filesize
180KB

Download
memory/2648-91-0x00000000747E0000-0x0000000074A47000-memory.dmp

Filesize
2.4MB

Download
memory/2648-68-0x00000000747E0000-0x0000000074A47000-memory.dmp

Filesize
2.4MB

Download
memory/2648-101-0x00000000747E0000-0x0000000074A47000-memory.dmp

Filesize
2.4MB

Download
memory/2648-107-0x00000000747E0000-0x0000000074A47000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads