fatalrat | 7d349a4f542399574898181f06575029c57ef18f1efbd91d5cc667d6cf9f4558

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

名单助手F.exe
Size

6.1MB
MD5

204680a71afc51faa1408ffa2430c3f4
SHA1

1ae73b74dd260cc0568ce9d07daddf904102beff
SHA256

1bf9bdfaff5d065a120f44725ff2dbf8b20d731660168d02dbf89a4f9ee6d336
SHA512

fb1cbd9db14b71722f40956f6ca1128082eac3726241ce15cd313e9391876ed71bd0c15a22a26158331c9bcb105b54fcbace55d4aa3791f72133f98ceebc6688
SSDEEP

98304:1YYX5YQmdT8PRv0J0hx09BSpKki9jBGrisYdMLU9V09DsL2qEKqjb:eiby94pFKjBGr97eL

Score

10^/10

fatalrat discovery infostealer rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat
Fatalrat family
fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/2308-70-0x0000000000490000-0x00000000004BA000-memory.dmp	fatalrat
behavioral1/memory/2308-78-0x0000000000450000-0x0000000000482000-memory.dmp	fatalrat

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
behavioral1/files/0x000700000001925b-63.dat	acprotect

Executes dropped EXE 1 IoCs

Processes:

6M6P6PF.exe

pid	Process
2308	6M6P6PF.exe

Loads dropped DLL 1 IoCs

Processes:

6M6P6PF.exe

pid	Process
2308	6M6P6PF.exe

Drops file in System32 directory 1 IoCs

Processes:

6M6P6PF.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\6M6P6PF.exe	6M6P6PF.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000700000001925b-63.dat	upx
behavioral1/memory/2308-65-0x0000000010000000-0x00000000101B3000-memory.dmp	upx
behavioral1/memory/2308-75-0x0000000010000000-0x00000000101B3000-memory.dmp	upx
behavioral1/memory/2308-80-0x0000000010000000-0x00000000101B3000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6M6P6PF.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6M6P6PF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6M6P6PF.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6M6P6PF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	6M6P6PF.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

名单助手F.exe6M6P6PF.exe

pid	Process
2944	名单助手F.exe
2944	名单助手F.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe
2308	6M6P6PF.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6M6P6PF.exe

description	pid	Process
Token: SeDebugPrivilege	2308	6M6P6PF.exe
Token: SeDebugPrivilege	2308	6M6P6PF.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

taskeng.exe

description	pid	Process	procid_target
PID 3048 wrote to memory of 2308	3048	taskeng.exe	34
PID 3048 wrote to memory of 2308	3048	taskeng.exe	34
PID 3048 wrote to memory of 2308	3048	taskeng.exe	34
PID 3048 wrote to memory of 2308	3048	taskeng.exe	34
PID 3048 wrote to memory of 2308	3048	taskeng.exe	34
PID 3048 wrote to memory of 2308	3048	taskeng.exe	34
PID 3048 wrote to memory of 2308	3048	taskeng.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\名单助手F.exe
"C:\Users\Admin\AppData\Local\Temp\名单助手F.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Windows\system32\taskeng.exe
taskeng.exe {00320488-4244-42BD-80FB-6810EDB70140} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\ProgramData\O5O4O7\6M6P6PF.exe
  C:\ProgramData\O5O4O7\6M6P6PF.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\O5O4O7\6M6P6PF.exe

Filesize
24KB

MD5
7bd122f622d85243d9de8ae0349d416b

SHA1
db8829c762744ce7ab747b765acd42e625b18cac

SHA256
50f293aeaf61f7262f38911f3db2b817604661704ff75bc0d58435e63e20be15

SHA512
46c07028be1892259bd2e0ac34a5daeb9ec15b50a4ae91037dcc0dd1259294b417d3b93497e8444f9ce46c3ff1f558cef01fefd2567761a3f078c2413d8b3c34

Download Submit
C:\ProgramData\O5O4O7\HYPERTRM.dll

Filesize
619KB

MD5
83eacc0f796782931c7deee2aff45888

SHA1
695a367591dad14b059cfcfd2e26814598067e85

SHA256
586d5d290b153334e298d033f74c8793fcdc76cce898ed282e14fb05e2f142ef

SHA512
192e975180764995d9a545b997bfc3cf93b204b9e44cf4a65a6d567342ff0a81c5d6ce8e3bbeab9cef468b28ea23f18f46a6103d85a76df45503442c22176a06

Download Submit
C:\ProgramData\O5O4O7\longlq.cl

Filesize
1.2MB

MD5
eab35abc0ae31018b3f0c64fb93b785b

SHA1
be2468ea6292889e8c58306aacbc875147e29a00

SHA256
5b8e39728ad4b2ec68d5b3e0af4dfa914a26812bbdca20198d3fe0d40397126a

SHA512
c1555252c93c314a8d26ef018afcb54937abc0b5e755fbc3d6a3bcda7ec796fddca48ffb215cdcb1a92edb2361122d273b1c40987cd2f4c2fe754a2be8f6ae06

Download Submit
C:\Users\Admin\AppData\Roaming\3K3N3\DUDT.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Admin\AppData\Roaming\3K3N3\Microsoft\Windows\Start Menu\Programs\startup\website_secure_lnk.lnk

Filesize
756B

MD5
317055c32958301d0db10ee409e45fd7

SHA1
ea85784aa60494f486af19ef34750db22560565d

SHA256
f0b2bfddc06c4d42d9b3f23154867cd4e9bfc1d348221a1be0335e5ce97b86f9

SHA512
cef883cdb1e74cae608cb149993d604864f640b374250c85206e0ed126547699bfac049b5f7825cb444e0a9c5ade52963d6c1ec3930df0d57f99c0cde072a7f6

Download Submit
C:\Users\Public\4O4N7N

Filesize
678KB

MD5
97f34a4c5946851fb9f717b8d8e04dcb

SHA1
0c3a64155598707cee735aef6468685e3c3298a8

SHA256
0a1dbf3d668f6935658748003eb4e4c1b4d5b01be1390408fc624a7b328ae23b

SHA512
99a6622bf50104bd581e5978595233b7567f277e0e78acd138fe8b2951d2e5b12768cbc51509bbf390e4dd733f85740547e4f70434e6fa53152cb83c8df21558

Download Submit
memory/2308-70-0x0000000000490000-0x00000000004BA000-memory.dmp

Filesize
168KB

Download
memory/2308-69-0x0000000000450000-0x0000000000482000-memory.dmp

Filesize
200KB

Download
memory/2308-80-0x0000000010000000-0x00000000101B3000-memory.dmp

Filesize
1.7MB

Download
memory/2308-78-0x0000000000450000-0x0000000000482000-memory.dmp

Filesize
200KB

Download
memory/2308-76-0x0000000000410000-0x000000000044B000-memory.dmp

Filesize
236KB

Download
memory/2308-65-0x0000000010000000-0x00000000101B3000-memory.dmp

Filesize
1.7MB

Download
memory/2308-68-0x0000000000410000-0x000000000044B000-memory.dmp

Filesize
236KB

Download
memory/2308-75-0x0000000010000000-0x00000000101B3000-memory.dmp

Filesize
1.7MB

Download
memory/2944-35-0x00000000020A0000-0x0000000002689000-memory.dmp

Filesize
5.9MB

Download
memory/2944-0-0x00000000020A0000-0x0000000002689000-memory.dmp

Filesize
5.9MB

Download
memory/2944-1-0x0000000004090000-0x000000000435D000-memory.dmp

Filesize
2.8MB

Download
memory/2944-53-0x0000000004090000-0x000000000435D000-memory.dmp

Filesize
2.8MB

Download
memory/2944-60-0x0000000004090000-0x000000000435D000-memory.dmp

Filesize
2.8MB

Download
memory/2944-59-0x00000000020A0000-0x0000000002689000-memory.dmp

Filesize
5.9MB

Download