fatalrat | 7d349a4f542399574898181f06575029c57ef18f1efbd91d5cc667d6cf9f4558

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2024, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

名单助手F.exe
Size

6.1MB
MD5

204680a71afc51faa1408ffa2430c3f4
SHA1

1ae73b74dd260cc0568ce9d07daddf904102beff
SHA256

1bf9bdfaff5d065a120f44725ff2dbf8b20d731660168d02dbf89a4f9ee6d336
SHA512

fb1cbd9db14b71722f40956f6ca1128082eac3726241ce15cd313e9391876ed71bd0c15a22a26158331c9bcb105b54fcbace55d4aa3791f72133f98ceebc6688
SSDEEP

98304:1YYX5YQmdT8PRv0J0hx09BSpKki9jBGrisYdMLU9V09DsL2qEKqjb:eiby94pFKjBGr97eL

Score

10^/10

fatalrat discovery infostealer rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat
Fatalrat family
fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/2248-71-0x0000000002240000-0x000000000226A000-memory.dmp	fatalrat
behavioral2/memory/2248-77-0x0000000002300000-0x0000000002332000-memory.dmp	fatalrat

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000200000001e764-64.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2248	8O8R7RF.exe

Loads dropped DLL 1 IoCs

pid	Process
2248	8O8R7RF.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\8O8R7RF.exe	8O8R7RF.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001e764-64.dat	upx
behavioral2/memory/2248-66-0x0000000010000000-0x00000000101B3000-memory.dmp	upx
behavioral2/memory/2248-76-0x0000000010000000-0x00000000101B3000-memory.dmp	upx
behavioral2/memory/2248-81-0x0000000010000000-0x00000000101B3000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8O8R7RF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8O8R7RF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	8O8R7RF.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2092	名单助手F.exe
2092	名单助手F.exe
2092	名单助手F.exe
2092	名单助手F.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe
2248	8O8R7RF.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	8O8R7RF.exe
Token: SeDebugPrivilege	2248	8O8R7RF.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\名单助手F.exe
"C:\Users\Admin\AppData\Local\Temp\名单助手F.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2092

C:\ProgramData\O7N7R7\8O8R7RF.exe
C:\ProgramData\O7N7R7\8O8R7RF.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\O7N7R7\8O8R7RF.exe

Filesize
24KB

MD5
7bd122f622d85243d9de8ae0349d416b

SHA1
db8829c762744ce7ab747b765acd42e625b18cac

SHA256
50f293aeaf61f7262f38911f3db2b817604661704ff75bc0d58435e63e20be15

SHA512
46c07028be1892259bd2e0ac34a5daeb9ec15b50a4ae91037dcc0dd1259294b417d3b93497e8444f9ce46c3ff1f558cef01fefd2567761a3f078c2413d8b3c34

Download Submit
C:\ProgramData\O7N7R7\HYPERTRM.dll

Filesize
619KB

MD5
83eacc0f796782931c7deee2aff45888

SHA1
695a367591dad14b059cfcfd2e26814598067e85

SHA256
586d5d290b153334e298d033f74c8793fcdc76cce898ed282e14fb05e2f142ef

SHA512
192e975180764995d9a545b997bfc3cf93b204b9e44cf4a65a6d567342ff0a81c5d6ce8e3bbeab9cef468b28ea23f18f46a6103d85a76df45503442c22176a06

Download Submit
C:\ProgramData\O7N7R7\longlq.cl

Filesize
1.2MB

MD5
eab35abc0ae31018b3f0c64fb93b785b

SHA1
be2468ea6292889e8c58306aacbc875147e29a00

SHA256
5b8e39728ad4b2ec68d5b3e0af4dfa914a26812bbdca20198d3fe0d40397126a

SHA512
c1555252c93c314a8d26ef018afcb54937abc0b5e755fbc3d6a3bcda7ec796fddca48ffb215cdcb1a92edb2361122d273b1c40987cd2f4c2fe754a2be8f6ae06

Download Submit
C:\Users\Admin\AppData\Roaming\5L5O5\_F_F.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Admin\AppData\Roaming\5L5O5\website_secure_lnk.lnk

Filesize
797B

MD5
2696a2105996a3321ed14831ac824028

SHA1
dcc1488314156626d4b8ca2e205d5a01b2346f0c

SHA256
0aafd25b3e78a21e89dd7cf20243a2e5eb7a099f136a217ad473923bd01f0c52

SHA512
8b6eb558a70279b065a11232a25ca50bf6c5a18845d210c7a75d5c8ca1ee5babd6c17c6a9d68c1308648d2891f98241615ada0ce3fa0054ed7536c6890ad02f1

Download Submit
C:\Users\Public\7N6Q6Q

Filesize
678KB

MD5
97f34a4c5946851fb9f717b8d8e04dcb

SHA1
0c3a64155598707cee735aef6468685e3c3298a8

SHA256
0a1dbf3d668f6935658748003eb4e4c1b4d5b01be1390408fc624a7b328ae23b

SHA512
99a6622bf50104bd581e5978595233b7567f277e0e78acd138fe8b2951d2e5b12768cbc51509bbf390e4dd733f85740547e4f70434e6fa53152cb83c8df21558

Download Submit
memory/2092-36-0x00000000021D0000-0x00000000027B9000-memory.dmp

Filesize
5.9MB

Download
memory/2092-1-0x0000000003410000-0x00000000036DD000-memory.dmp

Filesize
2.8MB

Download
memory/2092-60-0x00000000021D0000-0x00000000027B9000-memory.dmp

Filesize
5.9MB

Download
memory/2092-61-0x0000000003410000-0x00000000036DD000-memory.dmp

Filesize
2.8MB

Download
memory/2092-0-0x00000000021D0000-0x00000000027B9000-memory.dmp

Filesize
5.9MB

Download
memory/2092-54-0x0000000003410000-0x00000000036DD000-memory.dmp

Filesize
2.8MB

Download
memory/2248-69-0x0000000002300000-0x0000000002332000-memory.dmp

Filesize
200KB

Download
memory/2248-66-0x0000000010000000-0x00000000101B3000-memory.dmp

Filesize
1.7MB

Download
memory/2248-70-0x0000000002D50000-0x0000000002D8B000-memory.dmp

Filesize
236KB

Download
memory/2248-71-0x0000000002240000-0x000000000226A000-memory.dmp

Filesize
168KB

Download
memory/2248-76-0x0000000010000000-0x00000000101B3000-memory.dmp

Filesize
1.7MB

Download
memory/2248-77-0x0000000002300000-0x0000000002332000-memory.dmp

Filesize
200KB

Download
memory/2248-79-0x0000000002D50000-0x0000000002D8B000-memory.dmp

Filesize
236KB

Download
memory/2248-81-0x0000000010000000-0x00000000101B3000-memory.dmp

Filesize
1.7MB

Download