fatalrat | 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e

General

Target

563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe
Size

4.4MB
MD5

47febfc18d8ac366531eb57487a46beb
SHA1

bce07154cc505d99dcc95ad2167d7979692af0b7
SHA256

563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e
SHA512

397cc52d7ca018a982602c0857779e80ca4d46b8f75fb7bd27515cc954343fe5303ec8f22bca3f6a4f9c621831429dbaa9dc718463d0db7df55056b7c32bc123
SSDEEP

49152:9YJMpJc32PMgJjQhGp7fOU3h1hyiTrMIx7Rtpb68N54+97boAXuE+OPnmr7DvjZV:9Og51Mgr/txTbV7+6

Score

10^/10

fatalrat discovery infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat
Fatalrat family
fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/1616-73-0x00000000008F0000-0x000000000091A000-memory.dmp	fatalrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Macromedia-Packages.lnk	Mndk37.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Macromedia-Packages.lnk	Mndk37.exe

Executes dropped EXE 2 IoCs

pid	Process
2724	Mndk37.exe
1616	Mndk37.exe

Loads dropped DLL 1 IoCs

pid	Process
1616	Mndk37.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mndk37.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mndk37.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	cmd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e0cb479adc44db01	cmd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000402d4a9adc44db01	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
2724	Mndk37.exe
1616	Mndk37.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1216	563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe
1216	563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe
1216	563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1616	Mndk37.exe
Token: SeDebugPrivilege	1616	Mndk37.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2904	wordpad.exe
2904	wordpad.exe
2904	wordpad.exe
2904	wordpad.exe
2904	wordpad.exe
1616	Mndk37.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 2784	1216	563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe	33
PID 1216 wrote to memory of 2784	1216	563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe	33
PID 1216 wrote to memory of 2784	1216	563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe	33
PID 2784 wrote to memory of 2904	2784	write.exe	34
PID 2784 wrote to memory of 2904	2784	write.exe	34
PID 2784 wrote to memory of 2904	2784	write.exe	34
PID 2968 wrote to memory of 2724	2968	cmd.exe	36
PID 2968 wrote to memory of 2724	2968	cmd.exe	36
PID 2968 wrote to memory of 2724	2968	cmd.exe	36
PID 2968 wrote to memory of 2724	2968	cmd.exe	36
PID 1216 wrote to memory of 1652	1216	563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe	38
PID 1216 wrote to memory of 1652	1216	563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe	38
PID 1216 wrote to memory of 1652	1216	563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe	38
PID 1652 wrote to memory of 1616	1652	cmd.exe	39
PID 1652 wrote to memory of 1616	1652	cmd.exe	39
PID 1652 wrote to memory of 1616	1652	cmd.exe	39
PID 1652 wrote to memory of 1616	1652	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe
"C:\Users\Admin\AppData\Local\Temp\563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\System32\write.exe
  "C:\Windows\System32\write.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2904
- C:\Windows\System32\cmd.exe
  cmd /c start "" "C:\ProgramData\Mndk37\Mndk37.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\ProgramData\Mndk37\Mndk37.exe
    "C:\ProgramData\Mndk37\Mndk37.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1616

C:\Windows\system32\cmd.exe
cmd /c start C:\Users\Admin\Desktop\Mndk.lnk
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Roaming\Mndk37.exe
  "C:\Users\Admin\AppData\Roaming\Mndk37.exe" -n C:\Users\Admin\AppData\Roaming\Mndk3.zip -d C:\Users\Admin\AppData\Roaming
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mndk37\Mndk37.exe

Filesize
508KB

MD5
a79a2e0b7f299ab2f80ee8315679baee

SHA1
43d76adbcc19e4c8b60ffba419797a22b756e927

SHA256
0a804e7efe38d6eba358781597205519b936239e9daebcdf2f71c62c6a416f5c

SHA512
f246044eb82e2d4562081b0041ba2109cbda385b335b3bf10d3408acda6ae0c605ab1a522a7f5f363dfd6417e6825ff7d2831d42b8e4440d012fdf33ec605649

Download Submit
C:\ProgramData\Mndk37\VEDecoder.dll

Filesize
1.6MB

MD5
d6a3fed112ab4e6bfe32cbe220dc225d

SHA1
bb9190ee490c46959e2bc192009f7773222dfa12

SHA256
8d89d4282f514acf2d7ef3ff7a618bbd513a84538ad309f2a48bff77c202bd58

SHA512
043b866e32db62bf8deb4ad9aa896b8274813cf1e6e4e575a3afc595893b5e5265a0430f6a1010c80db955114a0f9d9c3f4e0b3ee47b3323fb2bbcda5b6b7f61

Download Submit
C:\ProgramData\Mndk37\longlq.cl

Filesize
1.2MB

MD5
6652b3a6e7290de3f12a5f94b9b72b8c

SHA1
4702a4305f14c8437787343de339fa4f0a4b4d75

SHA256
946d9c70c3ae9d8b22530a844547494c60668a6a3b0cf4e25f84f03a0781743e

SHA512
38950c74297de0820ba606680ad74252dc0f8a4c9d46bdb73b903da55ab7b243a4ae7fa6812f026d2b4ec47b8000454e944be587cb788d592ab30d3848b77d34

Download Submit
C:\Users\Admin\AppData\Roaming\Mndk3.zip

Filesize
686B

MD5
5d62269623ccabe31e639cd4e72e599e

SHA1
0b576487f213af9b33c758297afb33de161606b9

SHA256
d5aa417c4328fe7c8e5915c93e866f4ce6920104f4a402b1e2f03242055a0c8c

SHA512
41dd00b4865679c9d966b2ad00cf0521ccc135d26d7870f602277fbae369805a4875cdc8eaa7fd31e2a1fb4c2e06b53fe40d0f2dc6496da811458c36b5f4de8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mndk37.exe

Filesize
105KB

MD5
6b8ebc942fe392c669b0b21bc8f83a03

SHA1
18fb9645a7365ae17b8386e47bec0b5ba6f5122f

SHA256
e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

SHA512
0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

Download Submit
C:\Users\Admin\Desktop\Mndk.lnk

Filesize
869B

MD5
3863c4646b793763a815eb6516d52992

SHA1
de670dcc8a9d0816bdb2618e2e09935f6efa1c18

SHA256
7eed1bb02a173ded45759ae078f1f736225f2ec48bb7e7ef9bf5b413964dfe73

SHA512
1987217aa79f54427bb9bec22a907e98c631d125dbcbe80c2646c42acdfb8e7ec7272c5f86edada915d926efc8606056d73a45aa074a466bdb4d2c8b95825874

Download Submit
C:\Users\Admin\Desktop\Mndk.lnk

Filesize
1KB

MD5
06433652e4af26f0ad0b71af84dc161e

SHA1
d599e0846ec0a83b087478adb3d98f823f2a069e

SHA256
0084fb40d6f5a6c3065069429173f83385732af4e9bc7e3277bacda8556c69e1

SHA512
d58f057d1c55446581c95f078a17c22baab18819177134fbd10f888834406034d51e59edbe40996d1c44f9ade919b03c673cb87053aa189a9efafd5e263165a3

Download Submit
memory/1216-0-0x00000000024A0000-0x0000000002886000-memory.dmp

Filesize
3.9MB

Download
memory/1216-67-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/1216-69-0x00000000024A0000-0x0000000002886000-memory.dmp

Filesize
3.9MB

Download
memory/1616-73-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download
memory/2724-58-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing