fatalrat | ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b

General

Target

ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b.exe
Size

2.2MB
MD5

8697cd1ff14060f9ae30865c5539c5df
SHA1

1a76db7782af48e882c933156cba179882ffd580
SHA256

ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b
SHA512

e0cc09823f450794e7d5bbf40cce7bf8476a3da591f28102dd253f5bf06fe88f74cd1707cf0bfa912c32af91dc7ba64c8f8503dd92176a17b2935b62b8aa6b65
SSDEEP

24576:M25Jj/b0QGaUiB1NM4LPl0L4aV8G705GU3z1Y3Ri5yJHWkl:MQJj/b0sNM4LPlHepm5WHx

Score

10^/10

fatalrat discovery infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/2916-83-0x0000000001E70000-0x0000000001E9A000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

Processes:

8O7R7Rb.exe

pid	Process
2916	8O7R7Rb.exe

Loads dropped DLL 1 IoCs

Processes:

8O7R7Rb.exe

pid	Process
2916	8O7R7Rb.exe

Drops file in System32 directory 1 IoCs

Processes:

8O7R7Rb.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\8O7R7Rb.exe	8O7R7Rb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8O7R7Rb.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8O7R7Rb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b.exe

pid	Process
2756	ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b.exe
2756	ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8O7R7Rb.exe

description	pid	Process
Token: SeDebugPrivilege	2916	8O7R7Rb.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

taskeng.exe

description	pid	Process	procid_target
PID 2468 wrote to memory of 2916	2468	taskeng.exe	34
PID 2468 wrote to memory of 2916	2468	taskeng.exe	34
PID 2468 wrote to memory of 2916	2468	taskeng.exe	34
PID 2468 wrote to memory of 2916	2468	taskeng.exe	34
PID 2468 wrote to memory of 2916	2468	taskeng.exe	34
PID 2468 wrote to memory of 2916	2468	taskeng.exe	34
PID 2468 wrote to memory of 2916	2468	taskeng.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b.exe
"C:\Users\Admin\AppData\Local\Temp\ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2756

C:\Windows\system32\taskeng.exe
taskeng.exe {4716E78F-BE93-4149-AED5-C080217685FA} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2468
- C:\ProgramData\N3N3N6\8O7R7Rb.exe
  C:\ProgramData\N3N3N6\8O7R7Rb.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\N3N3N6\8O7R7Rb.exe

Filesize
176KB

MD5
f0b2a45cdf3a772d2f932fa2e9323206

SHA1
8926be096554e021b410b767fdda341340002573

SHA256
503f783c23e9211488e569d124dda5da0e52de1d51f088e4e3fde94d8a26c06b

SHA512
4079a23f65135580d1daf88f2fa346c2e6c8287ed5bdf0753e52717e179b04769f7f6e0730e7106d119d2772bae702c4cde324e4422e2897764c95af68f26d2e

Download Submit
C:\ProgramData\N3N3N6\PotPlayer.dll

Filesize
696KB

MD5
2d0bc28e3dddf732d7277ef4b7410d89

SHA1
b788799536b2ab14644265431e3566e2dbb90f9c

SHA256
90223b74b727514e30a46544d8c597547aded4ae457d6247ef8de37b4c926124

SHA512
b5e5086a076889d98d24da431521cf5cc6886b124f4937f102d4bda002cd25a185641a98c887a2265e73703bb55076f90f1562cfd76d4e81f8323aa437424448

Download Submit
C:\ProgramData\N3N3N6\longlq.cl

Filesize
1.2MB

MD5
c4625ad46bb9c1cb6b0c0cab5f6d88d1

SHA1
b9faa59e7bdd613a8a0448f70b5e01bcf7fc04b6

SHA256
9cfb6fb96968fd78f6c932fb499392a0e14eafac23dbfca5b4486008f66d5f1b

SHA512
9f1a39d4d15298e64e53003fda2933fb81cf781c1457beab57ba74756f7f40408eba7e0bc9734d42a2b5a28b96fd107904e87beacbba7aaae9d6d39e6f4db10b

Download Submit
C:\Users\Admin\AppData\Roaming\5L5O4\1L5L.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Admin\AppData\Roaming\5L5O4\Microsoft\Windows\Start Menu\Programs\startup\website_secure_lnk.lnk

Filesize
756B

MD5
d121d42c752e18db13d7b44175056f9d

SHA1
6765881f96fb7d746717aa7a99676ec67f64b58d

SHA256
9970e7e42acc447360f18b3ddfcaed9074d7cb6ee44de9bbb2dc6d8df7b07e40

SHA512
76ffa509d4246f6293754c153f5bf53b4aeb5174b5c9e86fb688c0fdeb7f76743dba7895c60e223583d2816ae25406130179194e5cda94f929b505b7e427e272

Download Submit
C:\Users\Public\3M3M6M

Filesize
462KB

MD5
cc227d38b4ded7fc4312c0a20ebf752a

SHA1
f85c1cebab52d8a813c85d38f60f5528d91c7663

SHA256
0b28763006d53b70dce1aaa54c7c84d7982107b6a76383d10cd674e097e047df

SHA512
6fef8b8142de89e8f0ff90380fc1648717eefe77bbe9a15c2fe9e5e668cafab74b7efb781a52c16a8885693a4019367a925cfb0105b65151374459db9d3d14a1

Download Submit
memory/2756-65-0x000000013F390000-0x000000013F68F000-memory.dmp

Filesize
3.0MB

Download
memory/2756-42-0x000000013F390000-0x000000013F68F000-memory.dmp

Filesize
3.0MB

Download
memory/2756-0-0x000000013F390000-0x000000013F68F000-memory.dmp

Filesize
3.0MB

Download
memory/2756-2-0x0000000180000000-0x00000001802CC000-memory.dmp

Filesize
2.8MB

Download
memory/2756-4-0x0000000003A90000-0x0000000003D51000-memory.dmp

Filesize
2.8MB

Download
memory/2916-76-0x00000000005D0000-0x0000000000602000-memory.dmp

Filesize
200KB

Download
memory/2916-72-0x0000000000820000-0x0000000000851000-memory.dmp

Filesize
196KB

Download
memory/2916-77-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/2916-78-0x0000000001ED0000-0x0000000001EFD000-memory.dmp

Filesize
180KB

Download
memory/2916-83-0x0000000001E70000-0x0000000001E9A000-memory.dmp

Filesize
168KB

Download
memory/2916-89-0x0000000001ED0000-0x0000000001EFD000-memory.dmp

Filesize
180KB

Download
memory/2916-88-0x0000000001ED0000-0x0000000001EFD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads