fatalrat | fbbc37747da8f78ab511de748d3a96a5c06bb405372545a31b777079ca8465db

General

Target

fbbc37747da8f78ab511de748d3a96a5c06bb405372545a31b777079ca8465db.exe
Size

6.3MB
MD5

87129b2184c78f96e0c2f6db1ee9d9dc
SHA1

4bd5645f623ff42fea9604a29629ec24d0565dde
SHA256

fbbc37747da8f78ab511de748d3a96a5c06bb405372545a31b777079ca8465db
SHA512

24000f9a6c483d3adc8d0480bf3510d0bfb0028b20a924525977608bf4b0efe2fcf8adc2d14d96617bd80f58941b5053fb7e92e59ec1171714a26b40bf139f11
SSDEEP

98304:diOQYYX5YQmdT8PRv0J0hx09BSpKki9jBGrisYdMLU9V09DsL2qEKqjbx:Diby94pFKjBGr97eL0

Score

10^/10

fatalrat discovery infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/2248-73-0x0000000002500000-0x000000000252A000-memory.dmp	fatalrat

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

3N6N6Mb.exe

pid process

2248 3N6N6Mb.exe
Loads dropped DLL 1 IoCs

Processes:

3N6N6Mb.exe

pid process

2248 3N6N6Mb.exe
Drops file in System32 directory 1 IoCs

Processes:

3N6N6Mb.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\3N6N6Mb.exe 3N6N6Mb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

3N6N6Mb.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3N6N6Mb.exe

pid	process
2248	3N6N6Mb.exe

pid	process
2248	3N6N6Mb.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\3N6N6Mb.exe	3N6N6Mb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3N6N6Mb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fbbc37747da8f78ab511de748d3a96a5c06bb405372545a31b777079ca8465db.exe

pid	process
2980	fbbc37747da8f78ab511de748d3a96a5c06bb405372545a31b777079ca8465db.exe
2980	fbbc37747da8f78ab511de748d3a96a5c06bb405372545a31b777079ca8465db.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3N6N6Mb.exe

description pid process

Token: SeDebugPrivilege 2248 3N6N6Mb.exe

description	pid	process
Token: SeDebugPrivilege	2248	3N6N6Mb.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1784 wrote to memory of 2248	1784	taskeng.exe	3N6N6Mb.exe
PID 1784 wrote to memory of 2248	1784	taskeng.exe	3N6N6Mb.exe
PID 1784 wrote to memory of 2248	1784	taskeng.exe	3N6N6Mb.exe
PID 1784 wrote to memory of 2248	1784	taskeng.exe	3N6N6Mb.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fbbc37747da8f78ab511de748d3a96a5c06bb405372545a31b777079ca8465db.exe
"C:\Users\Admin\AppData\Local\Temp\fbbc37747da8f78ab511de748d3a96a5c06bb405372545a31b777079ca8465db.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2980

C:\Windows\system32\taskeng.exe
taskeng.exe {AB5F7EA8-BA70-4C6A-BA77-BC624D23E2F6} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1784
- C:\ProgramData\5M5P5O\3N6N6Mb.exe
  C:\ProgramData\5M5P5O\3N6N6Mb.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\5M5P5O\3N6N6Mb.exe

Filesize
179KB

MD5
7e52644fee7705b81725a99e58e9f26c

SHA1
5650a086edca287a7881beab9ee3630e069b0ba7

SHA256
b9d12baf19a0c261398a89bb6db6600756cb9122ad08b70534ad70a245d61933

SHA512
d8f063ad6e077f348f0c80a6bd214d063ff108e9432b33cb3a56196aebcda8888a55bd65ff2cce2dd68f9783181b9293f01f02fbcecdda9dade793a248aacb90

Download Submit
C:\ProgramData\5M5P5O\PotPlayer.dll

Filesize
1.6MB

MD5
e603041002b66bcd011876f1f73ef712

SHA1
0f14e961f06a3667eac666e490adb096db13c694

SHA256
209c382b56c1bcb6ef5337c94ebe7d9ce38a9286567a463cce679e476d250c00

SHA512
ec879c200e6ec5f305be4404d5a95b6651729716a94e553e86f7600170c876d1298623813e264e96cf852cc10beb7bc90926957399b8fdab686ab406f957ecfa

Download Submit
C:\ProgramData\5M5P5O\longlq.cl

Filesize
1.2MB

MD5
c4625ad46bb9c1cb6b0c0cab5f6d88d1

SHA1
b9faa59e7bdd613a8a0448f70b5e01bcf7fc04b6

SHA256
9cfb6fb96968fd78f6c932fb499392a0e14eafac23dbfca5b4486008f66d5f1b

SHA512
9f1a39d4d15298e64e53003fda2933fb81cf781c1457beab57ba74756f7f40408eba7e0bc9734d42a2b5a28b96fd107904e87beacbba7aaae9d6d39e6f4db10b

Download Submit
C:\Users\Admin\AppData\Roaming\1K4K3\L1L4.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Admin\AppData\Roaming\1K4K3\Microsoft\Windows\Start Menu\Programs\startup\website_secure_lnk.lnk

Filesize
756B

MD5
3e6c635c5ff634ce612dae854f715e5f

SHA1
3b8ed4360c26f2ea56157130a327d21537e01757

SHA256
60995d0ed5610942bc5d902804c95d43a911a11a6f90e3020898e71dab5a85da

SHA512
bc725b8309bfba04f4eb7a7c788ef1109fa44cfe61a3467b64ffae2eaea4471e95bcaf4b75457329e45f81c2ed61437f1dee109946fad0ab7bb982efa372ada4

Download Submit
C:\Users\Public\L5O4O4

Filesize
907KB

MD5
849ee4e102ea0c004ba2dbd79d3303d9

SHA1
0164557eb9e10e90b5f71adf414b38ea437d5911

SHA256
c283cd4c2fa9a5bd67df2987555fe90d3fd46effbec5cdc1d67eac25b195e18c

SHA512
14a7f4e9467b6f15d91ebb8ab3074b63afbb3f3ecbd2b134f6e09c56e977a6d9520a3a546e028cad89fc4292d0fa1ee078bbaad5cf815f3173cd0aff477c531f

Download Submit
memory/2248-70-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/2248-71-0x0000000001EB0000-0x0000000001EE2000-memory.dmp

Filesize
200KB

Download
memory/2248-66-0x0000000001F00000-0x0000000001F31000-memory.dmp

Filesize
196KB

Download
memory/2248-65-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/2248-60-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/2248-72-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/2248-73-0x0000000002500000-0x000000000252A000-memory.dmp

Filesize
168KB

Download
memory/2980-52-0x00000000047E0000-0x0000000004AAD000-memory.dmp

Filesize
2.8MB

Download
memory/2980-0-0x0000000002820000-0x0000000002E09000-memory.dmp

Filesize
5.9MB

Download
memory/2980-1-0x00000000047E0000-0x0000000004AAD000-memory.dmp

Filesize
2.8MB

Download
memory/2980-35-0x0000000002820000-0x0000000002E09000-memory.dmp

Filesize
5.9MB

Download
memory/2980-83-0x0000000002820000-0x0000000002E09000-memory.dmp

Filesize
5.9MB

Download
memory/2980-84-0x00000000047E0000-0x0000000004AAD000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads