fatalrat | 5fb5be5a6126a4dff32d4cd4eef5de69ba0437b981299351852436ffb2767872

Analysis

max time kernel
148s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

名单助手m.exe
Size

6.1MB
MD5

204680a71afc51faa1408ffa2430c3f4
SHA1

1ae73b74dd260cc0568ce9d07daddf904102beff
SHA256

1bf9bdfaff5d065a120f44725ff2dbf8b20d731660168d02dbf89a4f9ee6d336
SHA512

fb1cbd9db14b71722f40956f6ca1128082eac3726241ce15cd313e9391876ed71bd0c15a22a26158331c9bcb105b54fcbace55d4aa3791f72133f98ceebc6688
SSDEEP

98304:1YYX5YQmdT8PRv0J0hx09BSpKki9jBGrisYdMLU9V09DsL2qEKqjb:eiby94pFKjBGr97eL

Score

10^/10

fatalrat discovery infostealer rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat
Fatalrat family
fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/4176-63-0x0000000002470000-0x000000000249A000-memory.dmp	fatalrat
behavioral2/memory/4176-69-0x0000000000B30000-0x0000000000B62000-memory.dmp	fatalrat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023cc2-57.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4176	TCWCWFm.exe

Loads dropped DLL 1 IoCs

pid	Process
4176	TCWCWFm.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\TCWCWFm.exe	TCWCWFm.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cc2-57.dat	upx
behavioral2/memory/4176-58-0x0000000010000000-0x00000000101B3000-memory.dmp	upx
behavioral2/memory/4176-68-0x0000000010000000-0x00000000101B3000-memory.dmp	upx
behavioral2/memory/4176-79-0x0000000010000000-0x00000000101B3000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TCWCWFm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TCWCWFm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TCWCWFm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3540	名单助手m.exe
3540	名单助手m.exe
3540	名单助手m.exe
3540	名单助手m.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe
4176	TCWCWFm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	TCWCWFm.exe
Token: SeDebugPrivilege	4176	TCWCWFm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\名单助手m.exe
"C:\Users\Admin\AppData\Local\Temp\名单助手m.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3540

C:\ProgramData\R7RAQA\TCWCWFm.exe
C:\ProgramData\R7RAQA\TCWCWFm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\R7RAQA\TCWCWFm.exe

Filesize
24KB

MD5
7bd122f622d85243d9de8ae0349d416b

SHA1
db8829c762744ce7ab747b765acd42e625b18cac

SHA256
50f293aeaf61f7262f38911f3db2b817604661704ff75bc0d58435e63e20be15

SHA512
46c07028be1892259bd2e0ac34a5daeb9ec15b50a4ae91037dcc0dd1259294b417d3b93497e8444f9ce46c3ff1f558cef01fefd2567761a3f078c2413d8b3c34

Download Submit
C:\ProgramData\R7RAQA\hypertrm.dll

Filesize
619KB

MD5
83eacc0f796782931c7deee2aff45888

SHA1
695a367591dad14b059cfcfd2e26814598067e85

SHA256
586d5d290b153334e298d033f74c8793fcdc76cce898ed282e14fb05e2f142ef

SHA512
192e975180764995d9a545b997bfc3cf93b204b9e44cf4a65a6d567342ff0a81c5d6ce8e3bbeab9cef468b28ea23f18f46a6103d85a76df45503442c22176a06

Download Submit
C:\ProgramData\R7RAQA\longlq.cl

Filesize
1.2MB

MD5
7ef0256be69b9deed9c7e16155139a3a

SHA1
2c3ff4068ea2318feaa7e6fea667650f64ebe347

SHA256
49eb5c585fc40b6d66fa06ec5d2dd48f921425ca8d682704e7ff04eaae3e626f

SHA512
409540352168e9052f8076a353552f8483a8fbfbd9e9093718c33c55044240e74cc3f4a4dd7e1970926bcc36f309a5e4a7a92248af905925399d7e648fe6bed5

Download Submit
C:\Users\Admin\AppData\Roaming\QAT9T\_J_J.exe

Filesize
142KB

MD5
bbaea75e78b80434b7cd699749b93a97

SHA1
c7d151758cb88dee39dbb5f4cd30e7d226980dde

SHA256
c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c

SHA512
7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Download Submit
C:\Users\Admin\AppData\Roaming\QAT9T\website_secure_lnk.lnk

Filesize
797B

MD5
bc2b99cc7a895c32ba3f5d0638627779

SHA1
dcd2fd1372e784aaa77ddd63ad912f5c1ec8877c

SHA256
f97bed96736794a4309adbeffea86713d8684d70518284591e8a2537d532b335

SHA512
f904a0cdbf40408ac45148eca627fe2c6646a4dbef1a71b356808694f4811f26210ecfd91e77d948a2666b260a99288a9a02a29c93a4b5c182488fe0ab58a4d9

Download Submit
C:\Users\Public\AQAQ9T

Filesize
678KB

MD5
97f34a4c5946851fb9f717b8d8e04dcb

SHA1
0c3a64155598707cee735aef6468685e3c3298a8

SHA256
0a1dbf3d668f6935658748003eb4e4c1b4d5b01be1390408fc624a7b328ae23b

SHA512
99a6622bf50104bd581e5978595233b7567f277e0e78acd138fe8b2951d2e5b12768cbc51509bbf390e4dd733f85740547e4f70434e6fa53152cb83c8df21558

Download Submit
memory/3540-77-0x00000000021D0000-0x00000000027B9000-memory.dmp

Filesize
5.9MB

Download
memory/3540-1-0x0000000003410000-0x00000000036D8000-memory.dmp

Filesize
2.8MB

Download
memory/3540-36-0x00000000021D0000-0x00000000027B9000-memory.dmp

Filesize
5.9MB

Download
memory/3540-0-0x00000000021D0000-0x00000000027B9000-memory.dmp

Filesize
5.9MB

Download
memory/4176-58-0x0000000010000000-0x00000000101B3000-memory.dmp

Filesize
1.7MB

Download
memory/4176-62-0x0000000002430000-0x000000000246B000-memory.dmp

Filesize
236KB

Download
memory/4176-63-0x0000000002470000-0x000000000249A000-memory.dmp

Filesize
168KB

Download
memory/4176-68-0x0000000010000000-0x00000000101B3000-memory.dmp

Filesize
1.7MB

Download
memory/4176-69-0x0000000000B30000-0x0000000000B62000-memory.dmp

Filesize
200KB

Download
memory/4176-71-0x0000000002430000-0x000000000246B000-memory.dmp

Filesize
236KB

Download
memory/4176-61-0x0000000000B30000-0x0000000000B62000-memory.dmp

Filesize
200KB

Download
memory/4176-79-0x0000000010000000-0x00000000101B3000-memory.dmp

Filesize
1.7MB

Download