fatalrat | 98be2e4d783ddccbf3239f548458c7060947cc8d915aaf158674b122a12b6ded

General

Target

名单助手PDF.exe
Size

6.3MB
MD5

3ac0bdbd6f5c90b94980e3559ae419f5
SHA1

6b01a0ced6191140830dcc8478f5a7a19d799fa5
SHA256

6dc0f4a97c3f5e12b4de8b3b2d74afe5298679604077a0a9d62ac479c4b24923
SHA512

14e9bbd5467f7e4f0aa9d69362a3763bb731c147a661ca4294d11a4704d58ca3b53f28023efbcc0051bc1c2518a917a12b9a64135b08abc4cded85676752846c
SSDEEP

98304:6YYX5YQmdT8PRv0J0hx09BSpKki9jBGrisYdMLU9V09DsL2qEKqjbS:piby94pFKjBGr97eLT

Score

10^/10

fatalrat discovery infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral5/memory/292-62-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat
behavioral5/memory/292-67-0x0000000000820000-0x0000000000852000-memory.dmp	fatalrat

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

0K0K3KF.exe

pid process

292 0K0K3KF.exe
Loads dropped DLL 1 IoCs

Processes:

0K0K3KF.exe

pid process

292 0K0K3KF.exe
Drops file in System32 directory 1 IoCs

Processes:

0K0K3KF.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\0K0K3KF.exe 0K0K3KF.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

0K0K3KF.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0K0K3KF.exe

pid	process
292	0K0K3KF.exe

pid	process
292	0K0K3KF.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\0K0K3KF.exe	0K0K3KF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0K0K3KF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0K0K3KF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0K0K3KF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	0K0K3KF.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

名单助手PDF.exe0K0K3KF.exe

pid	process
784	名单助手PDF.exe
784	名单助手PDF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe
292	0K0K3KF.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0K0K3KF.exe

description pid process

Token: SeDebugPrivilege 292 0K0K3KF.exe
Token: SeDebugPrivilege 292 0K0K3KF.exe

description	pid	process
Token: SeDebugPrivilege	292	0K0K3KF.exe
Token: SeDebugPrivilege	292	0K0K3KF.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2556 wrote to memory of 292	2556	taskeng.exe	0K0K3KF.exe
PID 2556 wrote to memory of 292	2556	taskeng.exe	0K0K3KF.exe
PID 2556 wrote to memory of 292	2556	taskeng.exe	0K0K3KF.exe
PID 2556 wrote to memory of 292	2556	taskeng.exe	0K0K3KF.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\名单助手PDF.exe
"C:\Users\Admin\AppData\Local\Temp\名单助手PDF.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:784

C:\Windows\system32\taskeng.exe
taskeng.exe {BB95505D-D8C9-4C00-97BE-EFB060FC755C} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\ProgramData\S9SCSB\0K0K3KF.exe
  C:\ProgramData\S9SCSB\0K0K3KF.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\S9SCSB\0K0K3KF.exe

Filesize
179KB

MD5
7e52644fee7705b81725a99e58e9f26c

SHA1
5650a086edca287a7881beab9ee3630e069b0ba7

SHA256
b9d12baf19a0c261398a89bb6db6600756cb9122ad08b70534ad70a245d61933

SHA512
d8f063ad6e077f348f0c80a6bd214d063ff108e9432b33cb3a56196aebcda8888a55bd65ff2cce2dd68f9783181b9293f01f02fbcecdda9dade793a248aacb90

Download Submit
C:\ProgramData\S9SCSB\PotPlayer.dll

Filesize
1.6MB

MD5
e603041002b66bcd011876f1f73ef712

SHA1
0f14e961f06a3667eac666e490adb096db13c694

SHA256
209c382b56c1bcb6ef5337c94ebe7d9ce38a9286567a463cce679e476d250c00

SHA512
ec879c200e6ec5f305be4404d5a95b6651729716a94e553e86f7600170c876d1298623813e264e96cf852cc10beb7bc90926957399b8fdab686ab406f957ecfa

Download Submit
C:\ProgramData\S9SCSB\longlq.cl

Filesize
1.2MB

MD5
eab35abc0ae31018b3f0c64fb93b785b

SHA1
be2468ea6292889e8c58306aacbc875147e29a00

SHA256
5b8e39728ad4b2ec68d5b3e0af4dfa914a26812bbdca20198d3fe0d40397126a

SHA512
c1555252c93c314a8d26ef018afcb54937abc0b5e755fbc3d6a3bcda7ec796fddca48ffb215cdcb1a92edb2361122d273b1c40987cd2f4c2fe754a2be8f6ae06

Download Submit
C:\Users\Admin\AppData\Roaming\YHYH1\DTDT.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Admin\AppData\Roaming\YHYH1\Microsoft\Windows\Start Menu\Programs\startup\website_secure_lnk.lnk

Filesize
756B

MD5
30268fe49a6a4a038dc1a102257e5664

SHA1
4a0798c24511c4ebfff2135c8f3b3917bf3d79a3

SHA256
a2ce05a9fec8ad0f8e2270b564d8356f180f441e20f0560303151d88f193fd3c

SHA512
57e9a2dcb7c45e4013f4544ffb902024fde98acdad1eadd0eac0620b185c64b7a653c6be042d2f048b6d4bbd3b856f387ea63c4a579570f43d73a78e072cbc96

Download Submit
C:\Users\Public\8RBRBR

Filesize
907KB

MD5
849ee4e102ea0c004ba2dbd79d3303d9

SHA1
0164557eb9e10e90b5f71adf414b38ea437d5911

SHA256
c283cd4c2fa9a5bd67df2987555fe90d3fd46effbec5cdc1d67eac25b195e18c

SHA512
14a7f4e9467b6f15d91ebb8ab3074b63afbb3f3ecbd2b134f6e09c56e977a6d9520a3a546e028cad89fc4292d0fa1ee078bbaad5cf815f3173cd0aff477c531f

Download Submit
memory/292-60-0x0000000000820000-0x0000000000852000-memory.dmp

Filesize
200KB

Download
memory/292-61-0x0000000001E20000-0x0000000001E5B000-memory.dmp

Filesize
236KB

Download
memory/292-62-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/292-67-0x0000000000820000-0x0000000000852000-memory.dmp

Filesize
200KB

Download
memory/292-68-0x0000000001E20000-0x0000000001E5B000-memory.dmp

Filesize
236KB

Download
memory/784-35-0x00000000020B0000-0x0000000002699000-memory.dmp

Filesize
5.9MB

Download
memory/784-0-0x00000000020B0000-0x0000000002699000-memory.dmp

Filesize
5.9MB

Download
memory/784-53-0x0000000003F80000-0x000000000424D000-memory.dmp

Filesize
2.8MB

Download
memory/784-1-0x0000000003F80000-0x000000000424D000-memory.dmp

Filesize
2.8MB

Download
memory/784-74-0x00000000020B0000-0x0000000002699000-memory.dmp

Filesize
5.9MB

Download
memory/784-75-0x0000000003F80000-0x000000000424D000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads