General
-
Target
goegloe.exe.v
-
Size
83.8MB
-
Sample
241003-bbganazcph
-
MD5
a090a99e167d2e731ac32d3907d30065
-
SHA1
55be611f05d4ca6a3c80ba57a5f34434227f7ccb
-
SHA256
872d2ce5e4ef00a59dd6241fe91b86d91a0c210f768cbe3d287055085b2b35ff
-
SHA512
ddd8c5657f8d2d921e3dabfe73b5bbf0cbdae8363e7a104b06241a58b6a75f21912a38816ce3037f18bd9d0957be55852fd10ab5f5e9853c9a2d74f0a3eecf17
-
SSDEEP
1572864:T1Budw6n4PCjmk0Pl7H7ZFMu0pgVHjMpjIyYlUB4S4UPTlszwwKmuQU:HXnavqB7vMuvBM9Yu6S4URdQU
Malware Config
Targets
-
-
Target
goegloe.exe.v
-
Size
83.8MB
-
MD5
a090a99e167d2e731ac32d3907d30065
-
SHA1
55be611f05d4ca6a3c80ba57a5f34434227f7ccb
-
SHA256
872d2ce5e4ef00a59dd6241fe91b86d91a0c210f768cbe3d287055085b2b35ff
-
SHA512
ddd8c5657f8d2d921e3dabfe73b5bbf0cbdae8363e7a104b06241a58b6a75f21912a38816ce3037f18bd9d0957be55852fd10ab5f5e9853c9a2d74f0a3eecf17
-
SSDEEP
1572864:T1Budw6n4PCjmk0Pl7H7ZFMu0pgVHjMpjIyYlUB4S4UPTlszwwKmuQU:HXnavqB7vMuvBM9Yu6S4URdQU
Score10/10-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
UAC bypass
-
Fatal Rat payload
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1