fatalrat | d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f.exe
Size

6.1MB
MD5

f24efc53f425d85f86e7d4e2000dbc2a
SHA1

3d29c3ea01714fe3f757c104f44281e2335d278b
SHA256

d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f
SHA512

ad88e648c3124fc379784887e7d6cbb3576eb9bae9cc8400c9d1ed7b093c1c8c691bd98f9a43f8a6a8cd33db403888f4106fef70697b90a8670227fd334a1813
SSDEEP

98304:4YYX5YQmdT8PRv0J0hx09BSpKki9jBGrisYdMLU9V09DsL2qEKqjb:niby94pFKjBGr97eL

Score

10^/10

fatalrat discovery infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/3048-62-0x0000000001D90000-0x0000000001DC2000-memory.dmp	fatalrat
behavioral1/memory/3048-64-0x0000000000490000-0x00000000004BA000-memory.dmp	fatalrat

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

Processes:

9S8SBSf.exe

pid	Process
3048	9S8SBSf.exe

Loads dropped DLL 1 IoCs

Processes:

9S8SBSf.exe

pid	Process
3048	9S8SBSf.exe

Drops file in System32 directory 1 IoCs

Processes:

9S8SBSf.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\9S8SBSf.exe	9S8SBSf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9S8SBSf.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9S8SBSf.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9S8SBSf.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9S8SBSf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	9S8SBSf.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f.exe9S8SBSf.exe

pid	Process
2060	d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f.exe
2060	d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe
3048	9S8SBSf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9S8SBSf.exe

description	pid	Process
Token: SeDebugPrivilege	3048	9S8SBSf.exe
Token: SeDebugPrivilege	3048	9S8SBSf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	Process	procid_target
PID 3036 wrote to memory of 3048	3036	taskeng.exe	34
PID 3036 wrote to memory of 3048	3036	taskeng.exe	34
PID 3036 wrote to memory of 3048	3036	taskeng.exe	34
PID 3036 wrote to memory of 3048	3036	taskeng.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f.exe
"C:\Users\Admin\AppData\Local\Temp\d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Windows\system32\taskeng.exe
taskeng.exe {0EDACF06-91A9-41F9-98C7-512985AA49DE} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3036
- C:\ProgramData\M5L5L5\9S8SBSf.exe
  C:\ProgramData\M5L5L5\9S8SBSf.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\M5L5L5\9S8SBSf.exe

Filesize
233KB

MD5
4f9c6e1a88e9a25dff08db5c05b07a15

SHA1
c6375b4ac7fa362064e4eeba9442c12b9bfb7238

SHA256
9714e568328990ce76669b10573032c34b8617d6c292dafbf509bb59de9d86bc

SHA512
3c0faac411137c73fa5e1dffd2c696ced0ccc221b9974fed3bd158b7b6bf4e002162c4f0d4f41105483eb16c6220e20fe48a65adf8f6278882d0d0ff0727726b

Download Submit
C:\ProgramData\M5L5L5\longlq.cl

Filesize
1.2MB

MD5
7d8def4046bf2a36e9f2bcf0be543699

SHA1
d57dfa0f16b3ceab6c7de9d1ea09a70e920983f9

SHA256
5a4a700f688627c1bf990412a21961b9092672dae9d91778ad72e535cc80be83

SHA512
1e58413dc4cff29a230da6a5ff57e23cde05cd138687c14ae11c2d326f6a7b4b5e439f202f2d1022f5d8c60485df9d6c31d5d75568ec9345cc312aec2934dfe5

Download Submit
C:\Users\Admin\AppData\Roaming\6P6P9\Microsoft\Windows\Start Menu\Programs\startup\website_secure_lnk.lnk

Filesize
756B

MD5
f03429c1356d2f1729fd385c16f3bf92

SHA1
c3cbacc7350d3b26e0cf74a4da10224cef9c9335

SHA256
5363ef8fd482c10cd6f8685c71888d4fcb34677f069e338d991f41c93e6cf529

SHA512
b8f9a4e713ff0e1ab388c8ac97f66dcddbc56a560f596896c61928d0f78b84ad89011720d9245b6738f1d7b30bb4b01cf7c772ef6a0575ab91e5c1902ea52a44

Download Submit
C:\Users\Admin\AppData\Roaming\6P6P9\RBRA.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Public\5L4L4O

Filesize
1.1MB

MD5
9bfaab258ac336e40145a0e98c4d0639

SHA1
1bbab07dddf56f3fd43c1c61d38b11dd121795c6

SHA256
53a844c36f87b391260bfca420e9cdb46770e42a4b2a4ad4be925ad381830eb7

SHA512
5adc1903d385943fa999aa1541ee101ca0d38d9bb602c4a36e690f9099eb3b3df99b2d65c4f97f3abfcd8f8a5767d1493b59b88f9b68dc8c09205b380e782c19

Download Submit
\ProgramData\M5L5L5\PBVM90.dll

Filesize
2.2MB

MD5
6763be58feb53c3b430c94277b99adcb

SHA1
94008b6cd06888df63542969f3b1007a85d2fa1b

SHA256
c072f5f0e28cbc8cb347a7736371b57d6a9192667122fbb83fd4f436529f96ef

SHA512
4aa0814c5f296adf7dfdc8bb7879b447d6d404e3fe54af5293bfe6db55d1329bb87ccee6bc415b310f9e49e32f789fe3549d6a99045cd036362a8a4f2945c1a1

Download Submit
memory/2060-37-0x0000000001FD0000-0x00000000025B9000-memory.dmp

Filesize
5.9MB

Download
memory/2060-55-0x0000000003BC0000-0x0000000003E8D000-memory.dmp

Filesize
2.8MB

Download
memory/2060-0-0x0000000001FD0000-0x00000000025B9000-memory.dmp

Filesize
5.9MB

Download
memory/2060-1-0x0000000003BC0000-0x0000000003E8D000-memory.dmp

Filesize
2.8MB

Download
memory/2060-75-0x0000000001FD0000-0x00000000025B9000-memory.dmp

Filesize
5.9MB

Download
memory/2060-76-0x0000000003BC0000-0x0000000003E8D000-memory.dmp

Filesize
2.8MB

Download
memory/3048-62-0x0000000001D90000-0x0000000001DC2000-memory.dmp

Filesize
200KB

Download
memory/3048-63-0x0000000001DE0000-0x0000000001E1B000-memory.dmp

Filesize
236KB

Download
memory/3048-64-0x0000000000490000-0x00000000004BA000-memory.dmp

Filesize
168KB

Download
memory/3048-69-0x0000000001DE0000-0x0000000001E1B000-memory.dmp

Filesize
236KB

Download