fatalrat | d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f.exe
Size

6.1MB
MD5

f24efc53f425d85f86e7d4e2000dbc2a
SHA1

3d29c3ea01714fe3f757c104f44281e2335d278b
SHA256

d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f
SHA512

ad88e648c3124fc379784887e7d6cbb3576eb9bae9cc8400c9d1ed7b093c1c8c691bd98f9a43f8a6a8cd33db403888f4106fef70697b90a8670227fd334a1813
SSDEEP

98304:4YYX5YQmdT8PRv0J0hx09BSpKki9jBGrisYdMLU9V09DsL2qEKqjb:niby94pFKjBGr97eL

Score

10^/10

fatalrat discovery infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral2/memory/4652-72-0x0000000003180000-0x00000000031AA000-memory.dmp	fatalrat
behavioral2/memory/4652-77-0x0000000003100000-0x0000000003132000-memory.dmp	fatalrat

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

Processes:

N3M6M6f.exe

pid	Process
4652	N3M6M6f.exe

Loads dropped DLL 1 IoCs

Processes:

N3M6M6f.exe

pid	Process
4652	N3M6M6f.exe

Drops file in System32 directory 1 IoCs

Processes:

N3M6M6f.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\N3M6M6f.exe	N3M6M6f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

N3M6M6f.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	N3M6M6f.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

N3M6M6f.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	N3M6M6f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	N3M6M6f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f.exeN3M6M6f.exe

pid	Process
4576	d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f.exe
4576	d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f.exe
4576	d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f.exe
4576	d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe
4652	N3M6M6f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

N3M6M6f.exe

description	pid	Process
Token: SeDebugPrivilege	4652	N3M6M6f.exe
Token: SeDebugPrivilege	4652	N3M6M6f.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f.exe
"C:\Users\Admin\AppData\Local\Temp\d2caeb6d90e3240fd087e2180e28219651dc9f6c5ee7c2f18bd59e5b98dcfd6f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4576

C:\ProgramData\J_J2I2\N3M6M6f.exe
C:\ProgramData\J_J2I2\N3M6M6f.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\J_J2I2\N3M6M6f.exe

Filesize
35KB

MD5
fb22835bd4e35467ea252532e27048f5

SHA1
28c0d46a124bf80c19610477c319ce4c00cf327f

SHA256
52eae07a2529d9fd994f2a8bd59474f7ec9a4e2073d852c0fca4853d193c0ec3

SHA512
d8bc2c1b9ddb3aea4f28fe0075475f9bfc2784a08f23daae3420cc6e3d3a58243f1db90ac5029a471861e004ca3b70135f8f1eccd6341b80052dd2e9658e2c04

Download Submit
C:\ProgramData\J_J2I2\PBVM90.dll

Filesize
2.2MB

MD5
6763be58feb53c3b430c94277b99adcb

SHA1
94008b6cd06888df63542969f3b1007a85d2fa1b

SHA256
c072f5f0e28cbc8cb347a7736371b57d6a9192667122fbb83fd4f436529f96ef

SHA512
4aa0814c5f296adf7dfdc8bb7879b447d6d404e3fe54af5293bfe6db55d1329bb87ccee6bc415b310f9e49e32f789fe3549d6a99045cd036362a8a4f2945c1a1

Download Submit
C:\ProgramData\J_J2I2\longlq.cl

Filesize
1.2MB

MD5
7d8def4046bf2a36e9f2bcf0be543699

SHA1
d57dfa0f16b3ceab6c7de9d1ea09a70e920983f9

SHA256
5a4a700f688627c1bf990412a21961b9092672dae9d91778ad72e535cc80be83

SHA512
1e58413dc4cff29a230da6a5ff57e23cde05cd138687c14ae11c2d326f6a7b4b5e439f202f2d1022f5d8c60485df9d6c31d5d75568ec9345cc312aec2934dfe5

Download Submit
C:\Users\Admin\AppData\Roaming\K0K3K\H0H0.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Admin\AppData\Roaming\K0K3K\website_secure_lnk.lnk

Filesize
797B

MD5
91a87960313ff55ed22675aa28723283

SHA1
a4593d63991635c9274dfe651ea110e0bfd2fa6b

SHA256
14ebb71907aa4e172b93dcaef8dfea0ee91bf15106a79af8efe31519910353c1

SHA512
778ee1ebc88660515200e5ad0336612790f2bad7f9b05587482b560e137c66857fc0afef5e59a4acbaa737990711f18422a550d6f8b6196eee8a60d2aee47728

Download Submit
C:\Users\Public\_I2I1L

Filesize
1.1MB

MD5
ead7f2ba252b4fc71fa5076bce319c1a

SHA1
01ad4d23563aebf9b907b8bd4f57b1023cb6e9ff

SHA256
7fb84c2b2b3c75ef34ae388462da6953e9b73817ece4006d93cffeb6fee1fb45

SHA512
9f80ed48ad9f71e3d7d3cedbfd07855b81973add53af5e916047e8a1b3ba9caeb7edfe5743e6f63ca821287a67760a28ebdb8637cd7bdfdbec3f0d996ef777b3

Download Submit
memory/4576-63-0x0000000003560000-0x000000000382D000-memory.dmp

Filesize
2.8MB

Download
memory/4576-56-0x0000000003560000-0x000000000382D000-memory.dmp

Filesize
2.8MB

Download
memory/4576-0-0x0000000002250000-0x0000000002839000-memory.dmp

Filesize
5.9MB

Download
memory/4576-62-0x0000000002250000-0x0000000002839000-memory.dmp

Filesize
5.9MB

Download
memory/4576-38-0x0000000002250000-0x0000000002839000-memory.dmp

Filesize
5.9MB

Download
memory/4576-1-0x0000000003560000-0x000000000382D000-memory.dmp

Filesize
2.8MB

Download
memory/4652-71-0x0000000003140000-0x000000000317B000-memory.dmp

Filesize
236KB

Download
memory/4652-72-0x0000000003180000-0x00000000031AA000-memory.dmp

Filesize
168KB

Download
memory/4652-70-0x0000000003100000-0x0000000003132000-memory.dmp

Filesize
200KB

Download
memory/4652-77-0x0000000003100000-0x0000000003132000-memory.dmp

Filesize
200KB

Download
memory/4652-78-0x0000000003140000-0x000000000317B000-memory.dmp

Filesize
236KB

Download