fatalrat | 9c203350fb212ec4e5d4b331e9b6f5cb4484f10c6e2656017e9167167cb75abc

General

Target

票助手PDFm.exe
Size

6.3MB
MD5

0d3d7ee3d8b1b32311a3f8f6b43d379b
SHA1

1c68d872ef070187544d671b45a9f17c0f347f99
SHA256

6a6b231182fd8a2df3252d3c8a1ac89054a9721255be8d6245e0fd722b38b40d
SHA512

a4dbf8754c435ecae8cbe42680ae8476158e7f16fc11765792fde05f318f861c834a7956ebbfc5e450df088205ef02d435a96a5d1680c9a45db693734810a99d
SSDEEP

98304:9iOQYYX5YQmdT8PRv0J0hx09BSpKki9jBGrisYdMLU9V09DsL2qEKqjb:jiby94pFKjBGr97eL

Score

10^/10

fatalrat discovery infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/2864-66-0x0000000002470000-0x00000000024A2000-memory.dmp	fatalrat
behavioral1/memory/2864-68-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

Processes:

SCSCVBm.exe

pid process

2864 SCSCVBm.exe
Loads dropped DLL 1 IoCs

Processes:

SCSCVBm.exe

pid process

2864 SCSCVBm.exe
Drops file in System32 directory 1 IoCs

Processes:

SCSCVBm.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\SCSCVBm.exe SCSCVBm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

SCSCVBm.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SCSCVBm.exe

pid	process
2864	SCSCVBm.exe

pid	process
2864	SCSCVBm.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\SCSCVBm.exe	SCSCVBm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCSCVBm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SCSCVBm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SCSCVBm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SCSCVBm.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

票助手PDFm.exeSCSCVBm.exe

pid	process
848	票助手PDFm.exe
848	票助手PDFm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe
2864	SCSCVBm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SCSCVBm.exe

description pid process

Token: SeDebugPrivilege 2864 SCSCVBm.exe
Token: SeDebugPrivilege 2864 SCSCVBm.exe

description	pid	process
Token: SeDebugPrivilege	2864	SCSCVBm.exe
Token: SeDebugPrivilege	2864	SCSCVBm.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2744 wrote to memory of 2864	2744	taskeng.exe	SCSCVBm.exe
PID 2744 wrote to memory of 2864	2744	taskeng.exe	SCSCVBm.exe
PID 2744 wrote to memory of 2864	2744	taskeng.exe	SCSCVBm.exe
PID 2744 wrote to memory of 2864	2744	taskeng.exe	SCSCVBm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\票助手PDFm.exe
"C:\Users\Admin\AppData\Local\Temp\票助手PDFm.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:848

C:\Windows\system32\taskeng.exe
taskeng.exe {B326AEC4-020C-4CA3-88E4-2004B2C28963} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2744
- C:\ProgramData\4N4N7N\SCSCVBm.exe
  C:\ProgramData\4N4N7N\SCSCVBm.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\4N4N7N\SCSCVBm.exe

Filesize
176KB

MD5
bada72ab726036ea84eac019bccb8ffc

SHA1
3f8aa6a04538babde8e6d2b76ab8e83cb7e61d2e

SHA256
5c7bd6c227802d6746b15b38360bf2c4ba2f553a250e1c8f7bf84591d97400a5

SHA512
bfca87ef43b34bed31990e6780b3c6c4d4072f21daf8e36b1f15033c35b3b36f6fa76d0af30c4f4180012cb98139181943f59ab5f44250452007213a8119b0c7

Download Submit
C:\ProgramData\4N4N7N\longlq.cl

Filesize
1.2MB

MD5
0dde2f5fcb760573e79b08ef31f0c9b0

SHA1
447f5e59f76e753fa5f092a44248ae1582e6617f

SHA256
91f94e74d971a5f8f7732260824cf7a45eb1a7438bd1abec12c6eaddf44f26a8

SHA512
84482b5d3ab7180edfa173260b94cbe965790b6130f1f734ab075dc8a8cb440638b39fbc4bd5ab7e8a0082bbdbd1df971f07f3f8bb43a448a7c36dd9cfda5fcf

Download Submit
C:\Users\Admin\AppData\Roaming\Q9P9S\6P6P.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Admin\AppData\Roaming\Q9P9S\Microsoft\Windows\Start Menu\Programs\startup\website_secure_lnk.lnk

Filesize
756B

MD5
946f750ae75f4977f7946603f008109e

SHA1
68e147a38260e892ee01b23ae24c55706e0974bd

SHA256
f62d870427202950f954678f981d84538971bab254f452130f24cecaa707ea06

SHA512
79a030605b17e5b697f410967873a0531cc1ae394af1270593d4ea0a7511b324dd995540417b895d5c5cf8cfd5479c38e4678bd706e1f038bf3e2c0d757328a9

Download Submit
C:\Users\Public\N3N6M6

Filesize
903KB

MD5
36dbe670282d5727f0c44b705ff767cc

SHA1
a1417e16a602eda333e7d7bfb891f5f694ff01de

SHA256
9bf4f07491feaddd822fed4a4019f2da4cf69f20c6549bd182d020860269ae11

SHA512
ad72de707609d673d5764390d3d2e30fb9a13da5a55e60e3162e43cb0983daef8519b326c386687ac1b1e8a14c1772989412f36ffdc7b795dd155934294724a7

Download Submit
\ProgramData\4N4N7N\PotPlayer.dll

Filesize
1.6MB

MD5
e603041002b66bcd011876f1f73ef712

SHA1
0f14e961f06a3667eac666e490adb096db13c694

SHA256
209c382b56c1bcb6ef5337c94ebe7d9ce38a9286567a463cce679e476d250c00

SHA512
ec879c200e6ec5f305be4404d5a95b6651729716a94e553e86f7600170c876d1298623813e264e96cf852cc10beb7bc90926957399b8fdab686ab406f957ecfa

Download Submit
memory/848-0-0x0000000002810000-0x0000000002DF9000-memory.dmp

Filesize
5.9MB

Download
memory/848-42-0x0000000002810000-0x0000000002DF9000-memory.dmp

Filesize
5.9MB

Download
memory/848-1-0x0000000180000000-0x00000001802CC000-memory.dmp

Filesize
2.8MB

Download
memory/848-4-0x00000000048A0000-0x0000000004B61000-memory.dmp

Filesize
2.8MB

Download
memory/848-79-0x0000000002810000-0x0000000002DF9000-memory.dmp

Filesize
5.9MB

Download
memory/2864-66-0x0000000002470000-0x00000000024A2000-memory.dmp

Filesize
200KB

Download
memory/2864-67-0x00000000024B0000-0x00000000024EB000-memory.dmp

Filesize
236KB

Download
memory/2864-68-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/2864-73-0x00000000024B0000-0x00000000024EB000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads