fatalrat | 756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f

General

Target

756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe
Size

713KB
MD5

0b7df39ea0e4d0a980ff69d34c6255cc
SHA1

fdda6465d415b9e146f55480a0831166c8a2e234
SHA256

756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f
SHA512

ca2d86eb519bf346c00499bf5788bc499fae23519492f32914531ec03f8c66253fa9195224206d0ad95ab7d0347c1e5e33fa35196f46064efd49aee247c67ad8
SSDEEP

6144:qcNrqbprPopMFVJnsdPq0TYU4bWmb8pRYp9HtfqQnHlETCf/MiO7OhQPdVw1iied:qcNGPlnsdPhTYUDvU9nHWTFPdxJVQX

Score

10^/10

fatalrat discovery infostealer rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral2/memory/4004-91-0x0000000003040000-0x000000000306A000-memory.dmp	fatalrat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\ProgramData\BUBUEU\mfc100.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

EAUDTDf.exe

pid process

4004 EAUDTDf.exe
Loads dropped DLL 2 IoCs

Processes:

EAUDTDf.exe

pid process

4004 EAUDTDf.exe
4004 EAUDTDf.exe

pid	process
4004	EAUDTDf.exe

pid	process
4004	EAUDTDf.exe
4004	EAUDTDf.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\BUBUEU\mfc100.dll	upx
behavioral2/memory/4004-75-0x0000000074F30000-0x0000000075197000-memory.dmp	upx
behavioral2/memory/4004-98-0x0000000074F30000-0x0000000075197000-memory.dmp	upx
behavioral2/memory/4004-101-0x0000000074F30000-0x0000000075197000-memory.dmp	upx
behavioral2/memory/4004-108-0x0000000074F30000-0x0000000075197000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

EAUDTDf.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\EAUDTDf.exe EAUDTDf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

EAUDTDf.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EAUDTDf.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\EAUDTDf.exe	EAUDTDf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EAUDTDf.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe

pid	process
5072	756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe
5072	756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe
5072	756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe
5072	756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

EAUDTDf.exe

description pid process

Token: SeDebugPrivilege 4004 EAUDTDf.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	pid	process
Token: SeDebugPrivilege	4004	EAUDTDf.exe

C:\Users\Admin\AppData\Local\Temp\756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe
"C:\Users\Admin\AppData\Local\Temp\756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5072

C:\ProgramData\BUBUEU\EAUDTDf.exe
C:\ProgramData\BUBUEU\EAUDTDf.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BUBUEU\EAUDTDf.exe

Filesize
86KB

MD5
03706618a4b880538f086fae374b06cd

SHA1
87af405c4ed70d56f555bc0c781f7f1fdd0c9b68

SHA256
04db5fd77a016d339c642639cd5338e7c7777d9b66344c04c325f1e4c57fa00f

SHA512
da5c6744f1fd5fde838af7635a48971910b08a7ca06018e05df85891e3bfbca59b65c4341763480c638ad3ddbae431a2419ac3b3c55135486b68b3e686acb682

Download Submit
C:\ProgramData\BUBUEU\longlq.cl

Filesize
1.2MB

MD5
1eaf8e0901eb3c862a865def25820db7

SHA1
98eb757704afc7be53d5dd9da9c802fc30650d54

SHA256
2f7b69ed3ae26ba8afb5d33f67a409232ce8d05c789e862dbbdd047e90b805ef

SHA512
e6eee6009ed1d3a92fa08fe1b791b499eeab2b36228d8f56174edaaf1c53596fc5644210dfc8aeac68333ed6db1d9792e410b2faad12d6958765bcf2ab740bf3

Download Submit
C:\ProgramData\BUBUEU\mfc100.dll

Filesize
807KB

MD5
48828df7be1cfbadf55ceb757101d2c0

SHA1
fec86693a2e680791fa38517570a0185d5728cdc

SHA256
86cf458d7330b5c564ea6d858517072095d78234009d69c2411db08af44f5b47

SHA512
348c6a7256a7b309fc5493e6f306ce2a137faffd8cedd859d97bd5bc9def3d4125f2507349cb3f2e59a1cc018d401ec36cccf01a28dba9cf06a70b11afb80b41

Download Submit
C:\ProgramData\BUBUEU\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\BVBUE\8O7O.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Admin\AppData\Roaming\BVBUE\website_secure_lnk.lnk

Filesize
797B

MD5
e1bfebb0a631a75d41de603d7fe3f35b

SHA1
06fe7b8fc0bfd9dffe74a93e1c01c7ee85f55a28

SHA256
273eaf778968b8a276d83cd7ea037138102c928dfd9bd9ee180d52988d2ce4fb

SHA512
656a8bb20a057dd0e34417581e4987b83f19ae4c963029dea86b7338991850d600ff9e5686b2041da217b4cfe90b5588c445be38d19faf8cee21cc6febf0f982

Download Submit
C:\Users\Public\UDTDTD

Filesize
1.3MB

MD5
adb876923a9a22fca4a2cbbaca8fb4fd

SHA1
7e6b5306880e5b2c13ec84f2dffddbbafbf58e01

SHA256
8ff46d56ec8df149fdc77b62d2103c2300b71a34bc9c50d93a4116976a15351d

SHA512
65f8b9f028ea30f67b174c511ed61a4ae5755037d4ed6ca28208d3716858137b9637e9a504533055778634aea568f5f99754d58ca0fa019420b01ecc2fbbfac4

Download Submit
memory/4004-97-0x00000000030C0000-0x00000000030ED000-memory.dmp

Filesize
180KB

Download
memory/4004-80-0x0000000003080000-0x00000000030B2000-memory.dmp

Filesize
200KB

Download
memory/4004-108-0x0000000074F30000-0x0000000075197000-memory.dmp

Filesize
2.4MB

Download
memory/4004-101-0x0000000074F30000-0x0000000075197000-memory.dmp

Filesize
2.4MB

Download
memory/4004-85-0x00000000017E0000-0x0000000001807000-memory.dmp

Filesize
156KB

Download
memory/4004-98-0x0000000074F30000-0x0000000075197000-memory.dmp

Filesize
2.4MB

Download
memory/4004-93-0x00000000030C0000-0x00000000030ED000-memory.dmp

Filesize
180KB

Download
memory/4004-81-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/4004-75-0x0000000074F30000-0x0000000075197000-memory.dmp

Filesize
2.4MB

Download
memory/4004-86-0x00000000030C0000-0x00000000030ED000-memory.dmp

Filesize
180KB

Download
memory/4004-91-0x0000000003040000-0x000000000306A000-memory.dmp

Filesize
168KB

Download
memory/5072-40-0x0000000002650000-0x00000000026D6000-memory.dmp

Filesize
536KB

Download
memory/5072-70-0x0000000002650000-0x00000000026D6000-memory.dmp

Filesize
536KB

Download
memory/5072-1-0x0000000180000000-0x00000001802CC000-memory.dmp

Filesize
2.8MB

Download
memory/5072-5-0x0000000003600000-0x00000000038C1000-memory.dmp

Filesize
2.8MB

Download
memory/5072-0-0x0000000002650000-0x00000000026D6000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads