fatalrat | 5fb5be5a6126a4dff32d4cd4eef5de69ba0437b981299351852436ffb2767872

Analysis

max time kernel
146s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

名单助手m.exe
Size

6.1MB
MD5

204680a71afc51faa1408ffa2430c3f4
SHA1

1ae73b74dd260cc0568ce9d07daddf904102beff
SHA256

1bf9bdfaff5d065a120f44725ff2dbf8b20d731660168d02dbf89a4f9ee6d336
SHA512

fb1cbd9db14b71722f40956f6ca1128082eac3726241ce15cd313e9391876ed71bd0c15a22a26158331c9bcb105b54fcbace55d4aa3791f72133f98ceebc6688
SSDEEP

98304:1YYX5YQmdT8PRv0J0hx09BSpKki9jBGrisYdMLU9V09DsL2qEKqjb:eiby94pFKjBGr97eL

Score

10^/10

fatalrat discovery infostealer rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat
Fatalrat family
fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2668-60-0x0000000000310000-0x0000000000342000-memory.dmp	fatalrat
behavioral1/memory/2668-62-0x00000000002D0000-0x00000000002FA000-memory.dmp	fatalrat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000015d78-56.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2668	N7Q6Q6m.exe

Loads dropped DLL 1 IoCs

pid	Process
2668	N7Q6Q6m.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\N7Q6Q6m.exe	N7Q6Q6m.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2668-57-0x0000000010000000-0x00000000101B3000-memory.dmp	upx
behavioral1/files/0x0008000000015d78-56.dat	upx
behavioral1/memory/2668-67-0x0000000010000000-0x00000000101B3000-memory.dmp	upx
behavioral1/memory/2668-71-0x0000000010000000-0x00000000101B3000-memory.dmp	upx
behavioral1/memory/2668-84-0x0000000010000000-0x00000000101B3000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	N7Q6Q6m.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	N7Q6Q6m.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	N7Q6Q6m.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2368	名单助手m.exe
2368	名单助手m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe
2668	N7Q6Q6m.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	N7Q6Q6m.exe
Token: SeDebugPrivilege	2668	N7Q6Q6m.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2668	2792	taskeng.exe	34
PID 2792 wrote to memory of 2668	2792	taskeng.exe	34
PID 2792 wrote to memory of 2668	2792	taskeng.exe	34
PID 2792 wrote to memory of 2668	2792	taskeng.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\名单助手m.exe
"C:\Users\Admin\AppData\Local\Temp\名单助手m.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2368

C:\Windows\system32\taskeng.exe
taskeng.exe {04C81B4B-3C36-40C4-B935-66635407740B} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\ProgramData\8S8RBR\N7Q6Q6m.exe
  C:\ProgramData\8S8RBR\N7Q6Q6m.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\8S8RBR\N7Q6Q6m.exe

Filesize
24KB

MD5
7bd122f622d85243d9de8ae0349d416b

SHA1
db8829c762744ce7ab747b765acd42e625b18cac

SHA256
50f293aeaf61f7262f38911f3db2b817604661704ff75bc0d58435e63e20be15

SHA512
46c07028be1892259bd2e0ac34a5daeb9ec15b50a4ae91037dcc0dd1259294b417d3b93497e8444f9ce46c3ff1f558cef01fefd2567761a3f078c2413d8b3c34

Download Submit
C:\ProgramData\8S8RBR\longlq.cl

Filesize
1.2MB

MD5
7ef0256be69b9deed9c7e16155139a3a

SHA1
2c3ff4068ea2318feaa7e6fea667650f64ebe347

SHA256
49eb5c585fc40b6d66fa06ec5d2dd48f921425ca8d682704e7ff04eaae3e626f

SHA512
409540352168e9052f8076a353552f8483a8fbfbd9e9093718c33c55044240e74cc3f4a4dd7e1970926bcc36f309a5e4a7a92248af905925399d7e648fe6bed5

Download Submit
C:\Users\Admin\AppData\Roaming\K4N4N\F_F_.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Admin\AppData\Roaming\K4N4N\Microsoft\Windows\Start Menu\Programs\startup\website_secure_lnk.lnk

Filesize
756B

MD5
090a1eda3951dadbca8b38ca2a0a782d

SHA1
cc383076eebfd4d25e9d0a1310f73608923f45ce

SHA256
e9f871c43a08e5736a18d24e62f1555ad6c109dd45e4b4f5be60f9f8d064197d

SHA512
0b22a624b1c2f029bfb212ca3a2c569a22993b81aa47dc2f15b4dc60b78156134710c18e02749175d5520108faa7e4bfd103e9f66b6c56505fab71fb1946d213

Download Submit
C:\Users\Public\R7RARA

Filesize
678KB

MD5
97f34a4c5946851fb9f717b8d8e04dcb

SHA1
0c3a64155598707cee735aef6468685e3c3298a8

SHA256
0a1dbf3d668f6935658748003eb4e4c1b4d5b01be1390408fc624a7b328ae23b

SHA512
99a6622bf50104bd581e5978595233b7567f277e0e78acd138fe8b2951d2e5b12768cbc51509bbf390e4dd733f85740547e4f70434e6fa53152cb83c8df21558

Download Submit
\ProgramData\8S8RBR\hypertrm.dll

Filesize
619KB

MD5
83eacc0f796782931c7deee2aff45888

SHA1
695a367591dad14b059cfcfd2e26814598067e85

SHA256
586d5d290b153334e298d033f74c8793fcdc76cce898ed282e14fb05e2f142ef

SHA512
192e975180764995d9a545b997bfc3cf93b204b9e44cf4a65a6d567342ff0a81c5d6ce8e3bbeab9cef468b28ea23f18f46a6103d85a76df45503442c22176a06

Download Submit
memory/2368-35-0x0000000002160000-0x0000000002749000-memory.dmp

Filesize
5.9MB

Download
memory/2368-0-0x0000000002160000-0x0000000002749000-memory.dmp

Filesize
5.9MB

Download
memory/2368-1-0x00000000040F0000-0x00000000043B8000-memory.dmp

Filesize
2.8MB

Download
memory/2368-77-0x0000000002160000-0x0000000002749000-memory.dmp

Filesize
5.9MB

Download
memory/2668-57-0x0000000010000000-0x00000000101B3000-memory.dmp

Filesize
1.7MB

Download
memory/2668-60-0x0000000000310000-0x0000000000342000-memory.dmp

Filesize
200KB

Download
memory/2668-61-0x0000000000800000-0x000000000083B000-memory.dmp

Filesize
236KB

Download
memory/2668-62-0x00000000002D0000-0x00000000002FA000-memory.dmp

Filesize
168KB

Download
memory/2668-67-0x0000000010000000-0x00000000101B3000-memory.dmp

Filesize
1.7MB

Download
memory/2668-69-0x0000000000800000-0x000000000083B000-memory.dmp

Filesize
236KB

Download
memory/2668-71-0x0000000010000000-0x00000000101B3000-memory.dmp

Filesize
1.7MB

Download
memory/2668-84-0x0000000010000000-0x00000000101B3000-memory.dmp

Filesize
1.7MB

Download