fatalrat | ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b

General

Target

ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b.exe
Size

2.2MB
MD5

8697cd1ff14060f9ae30865c5539c5df
SHA1

1a76db7782af48e882c933156cba179882ffd580
SHA256

ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b
SHA512

e0cc09823f450794e7d5bbf40cce7bf8476a3da591f28102dd253f5bf06fe88f74cd1707cf0bfa912c32af91dc7ba64c8f8503dd92176a17b2935b62b8aa6b65
SSDEEP

24576:M25Jj/b0QGaUiB1NM4LPl0L4aV8G705GU3z1Y3Ri5yJHWkl:MQJj/b0sNM4LPlHepm5WHx

Score

10^/10

fatalrat discovery infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral2/memory/4000-84-0x00000000024A0000-0x00000000024CA000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

Processes:

JF_FYFb.exe

pid	Process
4000	JF_FYFb.exe

Loads dropped DLL 1 IoCs

Processes:

JF_FYFb.exe

pid	Process
4000	JF_FYFb.exe

Drops file in System32 directory 1 IoCs

Processes:

JF_FYFb.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\JF_FYFb.exe	JF_FYFb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

JF_FYFb.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JF_FYFb.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b.exe

pid	Process
4756	ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b.exe
4756	ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b.exe
4756	ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b.exe
4756	ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

JF_FYFb.exe

description	pid	Process
Token: SeDebugPrivilege	4000	JF_FYFb.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b.exe
"C:\Users\Admin\AppData\Local\Temp\ae74cae9f7949ea19ea6c891726755e76f15fcc5eef5107ad70dc9f7f797456b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4756

C:\ProgramData\5L5O5O\JF_FYFb.exe
C:\ProgramData\5L5O5O\JF_FYFb.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\5L5O5O\JF_FYFb.exe

Filesize
176KB

MD5
f0b2a45cdf3a772d2f932fa2e9323206

SHA1
8926be096554e021b410b767fdda341340002573

SHA256
503f783c23e9211488e569d124dda5da0e52de1d51f088e4e3fde94d8a26c06b

SHA512
4079a23f65135580d1daf88f2fa346c2e6c8287ed5bdf0753e52717e179b04769f7f6e0730e7106d119d2772bae702c4cde324e4422e2897764c95af68f26d2e

Download Submit
C:\ProgramData\5L5O5O\PotPlayer.dll

Filesize
696KB

MD5
2d0bc28e3dddf732d7277ef4b7410d89

SHA1
b788799536b2ab14644265431e3566e2dbb90f9c

SHA256
90223b74b727514e30a46544d8c597547aded4ae457d6247ef8de37b4c926124

SHA512
b5e5086a076889d98d24da431521cf5cc6886b124f4937f102d4bda002cd25a185641a98c887a2265e73703bb55076f90f1562cfd76d4e81f8323aa437424448

Download Submit
C:\ProgramData\5L5O5O\longlq.cl

Filesize
1.2MB

MD5
c4625ad46bb9c1cb6b0c0cab5f6d88d1

SHA1
b9faa59e7bdd613a8a0448f70b5e01bcf7fc04b6

SHA256
9cfb6fb96968fd78f6c932fb499392a0e14eafac23dbfca5b4486008f66d5f1b

SHA512
9f1a39d4d15298e64e53003fda2933fb81cf781c1457beab57ba74756f7f40408eba7e0bc9734d42a2b5a28b96fd107904e87beacbba7aaae9d6d39e6f4db10b

Download Submit
C:\Users\Admin\AppData\Roaming\GWGWF\I2I1.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Admin\AppData\Roaming\GWGWF\website_secure_lnk.lnk

Filesize
797B

MD5
459583c12c4941e64bf2ffabd9f78f7d

SHA1
2ad26d0a4263c7eb8bfe4c295b4c7c77b76a76a8

SHA256
318eea8d2bd888f3cb495936cde2f00754efea6bb8305ef8671d6de2fe16aba2

SHA512
d87d2fdfd127e15fe08c55094dc0b5c15b6fe69e12cff570b2a62155fb67b9b84614e06fe9d573c9fc21faea04471148fc6b65fcd2d7df0cf142148e8bf0dbba

Download Submit
C:\Users\Public\L4O4O7

Filesize
462KB

MD5
cc227d38b4ded7fc4312c0a20ebf752a

SHA1
f85c1cebab52d8a813c85d38f60f5528d91c7663

SHA256
0b28763006d53b70dce1aaa54c7c84d7982107b6a76383d10cd674e097e047df

SHA512
6fef8b8142de89e8f0ff90380fc1648717eefe77bbe9a15c2fe9e5e668cafab74b7efb781a52c16a8885693a4019367a925cfb0105b65151374459db9d3d14a1

Download Submit
memory/4000-79-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/4000-84-0x00000000024A0000-0x00000000024CA000-memory.dmp

Filesize
168KB

Download
memory/4000-90-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/4000-89-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/4000-78-0x0000000002460000-0x0000000002487000-memory.dmp

Filesize
156KB

Download
memory/4000-73-0x0000000002B20000-0x0000000002B52000-memory.dmp

Filesize
200KB

Download
memory/4000-74-0x0000000002B60000-0x0000000002B91000-memory.dmp

Filesize
196KB

Download
memory/4756-43-0x00007FF624B10000-0x00007FF624E0F000-memory.dmp

Filesize
3.0MB

Download
memory/4756-66-0x00007FF624B10000-0x00007FF624E0F000-memory.dmp

Filesize
3.0MB

Download
memory/4756-8-0x00000153173B0000-0x0000015317671000-memory.dmp

Filesize
2.8MB

Download
memory/4756-1-0x0000000180000000-0x00000001802CC000-memory.dmp

Filesize
2.8MB

Download
memory/4756-0-0x00007FF624B10000-0x00007FF624E0F000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads