fatalrat | 7c34fd3de3db1bee7a5501f51fc7a02adf36d82b047b38e545ddd55e10ee41b4

General

Target

7c34fd3de3db1bee7a5501f51fc7a02adf36d82b047b38e545ddd55e10ee41b4.exe
Size

780KB
MD5

dbd7ada9754add9496e7baee7347ffd0
SHA1

30569366c8158c3aa81f097ac323bd08bb8974c6
SHA256

7c34fd3de3db1bee7a5501f51fc7a02adf36d82b047b38e545ddd55e10ee41b4
SHA512

678190d61f0efcfbee877ab0cb50f380131ff14d2c85a084fc708a835555c004537abfc8c312a9d1c4efed4c79f24876a55949598e6e17bc757a66d38de1219b
SSDEEP

6144:+Cs5XapMUkF8ixk3FaAY0RzX67xUaElqmHjSqXWFSzkPDNGEfVJBgAD:Q1apMUkuixqY2zqNUaElDHhXMykLlKi

Score

10^/10

fatalrat discovery infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/2800-1-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat
behavioral2/memory/2376-8-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

pid	Process
2376	Ghijkl.exe
2496	Ghijkl.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Ghijkl.exe	7c34fd3de3db1bee7a5501f51fc7a02adf36d82b047b38e545ddd55e10ee41b4.exe
File opened for modification	C:\Windows\Ghijkl.exe	7c34fd3de3db1bee7a5501f51fc7a02adf36d82b047b38e545ddd55e10ee41b4.exe
File opened for modification	C:\Windows\Ghijkl.exe	Ghijkl.exe
File created	C:\Windows\Ghijkl.exe	Ghijkl.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c34fd3de3db1bee7a5501f51fc7a02adf36d82b047b38e545ddd55e10ee41b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghijkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghijkl.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	Ghijkl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Ghijkl Nopqrstu\Group = "Fatal"	Ghijkl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	Ghijkl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Ghijkl.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Ghijkl Nopqrstu	Ghijkl.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	Ghijkl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Ghijkl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	Ghijkl.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Ghijkl Nopqrstu	Ghijkl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Ghijkl Nopqrstu\InstallTime = "2024-10-18 06:08"	Ghijkl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	Ghijkl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Ghijkl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Ghijkl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Ghijkl.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services	Ghijkl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Ghijkl.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	7c34fd3de3db1bee7a5501f51fc7a02adf36d82b047b38e545ddd55e10ee41b4.exe
Token: SeDebugPrivilege	2376	Ghijkl.exe
Token: SeDebugPrivilege	2496	Ghijkl.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2496	2376	Ghijkl.exe	85
PID 2376 wrote to memory of 2496	2376	Ghijkl.exe	85
PID 2376 wrote to memory of 2496	2376	Ghijkl.exe	85

C:\Users\Admin\AppData\Local\Temp\7c34fd3de3db1bee7a5501f51fc7a02adf36d82b047b38e545ddd55e10ee41b4.exe
"C:\Users\Admin\AppData\Local\Temp\7c34fd3de3db1bee7a5501f51fc7a02adf36d82b047b38e545ddd55e10ee41b4.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\Ghijkl.exe
C:\Windows\Ghijkl.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\Ghijkl.exe
  C:\Windows\Ghijkl.exe Win7
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Ghijkl.exe

Filesize
780KB

MD5
dbd7ada9754add9496e7baee7347ffd0

SHA1
30569366c8158c3aa81f097ac323bd08bb8974c6

SHA256
7c34fd3de3db1bee7a5501f51fc7a02adf36d82b047b38e545ddd55e10ee41b4

SHA512
678190d61f0efcfbee877ab0cb50f380131ff14d2c85a084fc708a835555c004537abfc8c312a9d1c4efed4c79f24876a55949598e6e17bc757a66d38de1219b

Download Submit
memory/2376-8-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/2800-1-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing