fatalrat | 9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe
Size

15.1MB
MD5

b2732ede2d21d21d9c0297054968f377
SHA1

caec13ed9863186da0ec509aeb8680237dc06133
SHA256

9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce
SHA512

6b3d5e0c9caaaf41e33e7b52aae0eb3c1caa93ab80c980ae1ae32eb46594be690b11dc72cced3cbeee71b9838fd2ed89aaa3bb74f88ec5d7c91a082c0fed753c
SSDEEP

393216:v1czy2O5JZIB4YYFT5aUniQTWSt+DT5D9q6F:vKm2O5JNVaUni4Wf/5Z7

Score

10^/10

fatalrat aspackv2 discovery evasion infostealer persistence rat trojan upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat
Fatalrat family
fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral2/memory/5092-57-0x0000000010000000-0x0000000010029000-memory.dmp	fatalrat

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral2/files/0x000a000000023b8a-9.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe

Executes dropped EXE 5 IoCs

Processes:

u1.exePTvrst.exespolsvt.exespolsvt.exesvcoth.exe

pid	Process
1308	u1.exe
4044	PTvrst.exe
4772	spolsvt.exe
5092	spolsvt.exe
2212	svcoth.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

u1.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Çý¶¯ÈËÉú = "C:\\Users\\Public\\Documents\\sougou\\PTvrst.exe"	u1.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

u1.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	u1.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PTvrst.exespolsvt.exe

description	pid	Process	procid_target
PID 4044 set thread context of 4772	4044	PTvrst.exe	84
PID 4772 set thread context of 5092	4772	spolsvt.exe	85
PID 4772 set thread context of 2212	4772	spolsvt.exe	88

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4996-0-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4996-68-0x0000000000400000-0x0000000000433000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

Processes:

9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\u1.exe	9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe
File created	C:\Program Files (x86)\letsvpn-latest - 副本.exe	9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe
File opened for modification	C:\Program Files (x86)\letsvpn-latest - 副本.exe	9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe
File created	C:\Program Files (x86)\letsvpn-latest.exe	9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe
File opened for modification	C:\Program Files (x86)\letsvpn-latest.exe	9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe
File created	C:\Program Files (x86)\u1.exe	9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

u1.exePTvrst.exespolsvt.exespolsvt.execmd.exesvcoth.exe9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	u1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PTvrst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spolsvt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spolsvt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcoth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

spolsvt.exe

pid	Process
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe
5092	spolsvt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

spolsvt.exe

description	pid	Process
Token: SeDebugPrivilege	5092	spolsvt.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

u1.exePTvrst.exespolsvt.exe

pid	Process
1308	u1.exe
1308	u1.exe
4044	PTvrst.exe
4044	PTvrst.exe
4772	spolsvt.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exeu1.exePTvrst.exespolsvt.exe

description	pid	Process	procid_target
PID 4996 wrote to memory of 1308	4996	9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe	82
PID 4996 wrote to memory of 1308	4996	9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe	82
PID 4996 wrote to memory of 1308	4996	9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe	82
PID 1308 wrote to memory of 4044	1308	u1.exe	83
PID 1308 wrote to memory of 4044	1308	u1.exe	83
PID 1308 wrote to memory of 4044	1308	u1.exe	83
PID 4044 wrote to memory of 4772	4044	PTvrst.exe	84
PID 4044 wrote to memory of 4772	4044	PTvrst.exe	84
PID 4044 wrote to memory of 4772	4044	PTvrst.exe	84
PID 4044 wrote to memory of 4772	4044	PTvrst.exe	84
PID 4044 wrote to memory of 4772	4044	PTvrst.exe	84
PID 4044 wrote to memory of 4772	4044	PTvrst.exe	84
PID 4044 wrote to memory of 4772	4044	PTvrst.exe	84
PID 4044 wrote to memory of 4772	4044	PTvrst.exe	84
PID 4772 wrote to memory of 5092	4772	spolsvt.exe	85
PID 4772 wrote to memory of 5092	4772	spolsvt.exe	85
PID 4772 wrote to memory of 5092	4772	spolsvt.exe	85
PID 4772 wrote to memory of 5092	4772	spolsvt.exe	85
PID 4772 wrote to memory of 5092	4772	spolsvt.exe	85
PID 4772 wrote to memory of 5092	4772	spolsvt.exe	85
PID 4772 wrote to memory of 5092	4772	spolsvt.exe	85
PID 4772 wrote to memory of 5092	4772	spolsvt.exe	85
PID 4996 wrote to memory of 3652	4996	9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe	86
PID 4996 wrote to memory of 3652	4996	9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe	86
PID 4996 wrote to memory of 3652	4996	9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe	86
PID 4772 wrote to memory of 2212	4772	spolsvt.exe	88
PID 4772 wrote to memory of 2212	4772	spolsvt.exe	88
PID 4772 wrote to memory of 2212	4772	spolsvt.exe	88
PID 4772 wrote to memory of 2212	4772	spolsvt.exe	88
PID 4772 wrote to memory of 2212	4772	spolsvt.exe	88
PID 4772 wrote to memory of 2212	4772	spolsvt.exe	88
PID 4772 wrote to memory of 2212	4772	spolsvt.exe	88
PID 4772 wrote to memory of 2212	4772	spolsvt.exe	88
PID 4772 wrote to memory of 2212	4772	spolsvt.exe	88
PID 4772 wrote to memory of 2212	4772	spolsvt.exe	88

C:\Users\Admin\AppData\Local\Temp\9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe
"C:\Users\Admin\AppData\Local\Temp\9f2eb6fb4746d9b2d399717d75b7bda2826cf420da46e67a0e8d41048d1d8cce.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Program Files (x86)\u1.exe
  "C:\Program Files (x86)\u1.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Users\Public\Documents\sougou\PTvrst.exe
    C:\Users\Public\Documents\sougou\PTvrst.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Users\Public\Documents\sougou\spolsvt.exe
      C:\Users\Public\Documents\sougou\spolsvt.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\Users\Public\Documents\dd\spolsvt.exe
        
        C:\Users\Public\Documents\dd\spolsvt.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
    - - C:\Users\Public\Documents\uu\svcoth.exe
        
        C:\Users\Public\Documents\uu\svcoth.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\letsvpn-latest.exe

Filesize
14.5MB

MD5
94f6bd702b7a2e17c45d16eaf7da0d64

SHA1
45f8c05851bcf16416e087253ce962b320e9db8a

SHA256
07f44325eab13b01d536a42e90a0247c6efecf23ccd4586309828aa814f5c776

SHA512
7ffc5183d3f1fb23e38c60d55724ab9e9e1e3832c9fb09296f0635f78d81477c6894c00a28e63096fa395e1c11cbeaa1f77f910f9ff9c1f1ecf0b857aa671b3d

Download Submit
C:\Program Files (x86)\u1.exe

Filesize
793KB

MD5
47c11aea2837b96731eda50693197aa7

SHA1
1b9a1d6c72c65a8353f38e6cdb604319b5529687

SHA256
b0a3cd4a479ad347b34dce62debf0b1cf4f258c5689ac64419acdffbf012d096

SHA512
e38fc0691ec86739da9c107c00c56165fd60d9e79ff617f4dd8416ba07f1127221731e9dd22f4eaea4d0b0f44346803964c113f1d7c42de80d229c85330a210a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
95cccac19caf278789307b067a6c626b

SHA1
08890d77e9330953c497556e82913a4a95962407

SHA256
642a1b14e8778a61389476f20f5d54d1ad3777b43a64966262f67072940b25e6

SHA512
e79cabdcf4d905a5ea1b727c27d1bfcc0cb593df9ddebee0d1cbe654161802aefbd62b3d32f1bff8c5b626a07048e5f291aa43761f7ae54c003fcce6b6a80c8f

Download Submit
C:\Users\Public\Documents\dd\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\sougou\Mpec.mbt

Filesize
219KB

MD5
6fa8f3c5e7670094a1f66035bdce541c

SHA1
122fcba8f761eb3695a948b68be2cb803a43d903

SHA256
f2a8b444d6cc5d3a88d10e5d2388e91a17248a1191d8780c62761bae10574c45

SHA512
9e6d3b2d764e2ad716c9246c574af62eec2a6e76f1b95db7c8ac684372e6660a43d8dd2bbcabffe66013ea99612114dea28a62caaef530add20725a230672e67

Download Submit
C:\Users\Public\Documents\sougou\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
memory/1308-16-0x0000000000E50000-0x0000000000FFC000-memory.dmp

Filesize
1.7MB

Download
memory/1308-19-0x0000000000E50000-0x0000000000FFC000-memory.dmp

Filesize
1.7MB

Download
memory/1308-20-0x0000000000E50000-0x0000000000FFC000-memory.dmp

Filesize
1.7MB

Download
memory/1308-18-0x0000000000E50000-0x0000000000FFC000-memory.dmp

Filesize
1.7MB

Download
memory/1308-48-0x0000000000E50000-0x0000000000FFC000-memory.dmp

Filesize
1.7MB

Download
memory/2212-77-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2212-74-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2212-82-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2212-78-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2212-76-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2212-75-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4044-28-0x00000000001D0000-0x000000000037C000-memory.dmp

Filesize
1.7MB

Download
memory/4044-26-0x00000000001D0000-0x000000000037C000-memory.dmp

Filesize
1.7MB

Download
memory/4044-30-0x00000000001D0000-0x000000000037C000-memory.dmp

Filesize
1.7MB

Download
memory/4044-29-0x00000000001D0000-0x000000000037C000-memory.dmp

Filesize
1.7MB

Download
memory/4044-43-0x00000000001D0000-0x000000000037C000-memory.dmp

Filesize
1.7MB

Download
memory/4772-39-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4772-33-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4772-34-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4772-35-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4772-40-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4996-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-50-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5092-57-0x0000000010000000-0x0000000010029000-memory.dmp

Filesize
164KB

Download
memory/5092-49-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5092-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5092-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download