fatalrat | 24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3

General

Target

24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe
Size

4.5MB
MD5

0b002ffd1ba0c617cfd6f25f75d8432e
SHA1

9a102e169744d9a28e575efecadc53b9d77fb751
SHA256

24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3
SHA512

52236ec4b8d3df89a7c60937c8d886ca05285cd77e639b731075368ef6bf80f973ae978d24123127d3785c8254f718c0556dc6b55be9355c4ac77bfb88f7172b
SSDEEP

49152:9YJMpJc32PMgJjQhGp7fOU3h1hyiTrMIx7Rtpb68N54+97boAXuE+OPnmr7DvjZd:9Og51Mgr/txTbV7+6W

Score

10^/10

fatalrat discovery infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat
Fatalrat family
fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/576-77-0x00000000007A0000-0x00000000007CA000-memory.dmp	fatalrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Macromedia-Packages.lnk	7QA1o8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Macromedia-Packages.lnk	7QA1o8.exe

Executes dropped EXE 2 IoCs

pid	Process
2360	7QA1o8.exe
576	7QA1o8.exe

Loads dropped DLL 1 IoCs

pid	Process
576	7QA1o8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7QA1o8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7QA1o8.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000601429a61745db01	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	cmd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000000b326a61745db01	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
2360	7QA1o8.exe
576	7QA1o8.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2736	24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe
2736	24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe
2736	24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	7QA1o8.exe
Token: SeDebugPrivilege	576	7QA1o8.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2548	wordpad.exe
2548	wordpad.exe
2548	wordpad.exe
2548	wordpad.exe
2548	wordpad.exe
576	7QA1o8.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2720	2736	24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe	32
PID 2736 wrote to memory of 2720	2736	24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe	32
PID 2736 wrote to memory of 2720	2736	24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe	32
PID 2720 wrote to memory of 2548	2720	write.exe	33
PID 2720 wrote to memory of 2548	2720	write.exe	33
PID 2720 wrote to memory of 2548	2720	write.exe	33
PID 2556 wrote to memory of 2360	2556	cmd.exe	35
PID 2556 wrote to memory of 2360	2556	cmd.exe	35
PID 2556 wrote to memory of 2360	2556	cmd.exe	35
PID 2556 wrote to memory of 2360	2556	cmd.exe	35
PID 2736 wrote to memory of 2444	2736	24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe	37
PID 2736 wrote to memory of 2444	2736	24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe	37
PID 2736 wrote to memory of 2444	2736	24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe	37
PID 2444 wrote to memory of 576	2444	cmd.exe	38
PID 2444 wrote to memory of 576	2444	cmd.exe	38
PID 2444 wrote to memory of 576	2444	cmd.exe	38
PID 2444 wrote to memory of 576	2444	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe
"C:\Users\Admin\AppData\Local\Temp\24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\System32\write.exe
  "C:\Windows\System32\write.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2548
- C:\Windows\System32\cmd.exe
  cmd /c start "" "C:\ProgramData\7QA1o8\7QA1o8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\ProgramData\7QA1o8\7QA1o8.exe
    "C:\ProgramData\7QA1o8\7QA1o8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:576

C:\Windows\system32\cmd.exe
cmd /c start C:\Users\Admin\Desktop\7QA1.lnk
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Roaming\7QA1o8.exe
  "C:\Users\Admin\AppData\Roaming\7QA1o8.exe" -n C:\Users\Admin\AppData\Roaming\7QA1o.zip -d C:\Users\Admin\AppData\Roaming
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\7QA1o8\7QA1o8.exe

Filesize
508KB

MD5
a79a2e0b7f299ab2f80ee8315679baee

SHA1
43d76adbcc19e4c8b60ffba419797a22b756e927

SHA256
0a804e7efe38d6eba358781597205519b936239e9daebcdf2f71c62c6a416f5c

SHA512
f246044eb82e2d4562081b0041ba2109cbda385b335b3bf10d3408acda6ae0c605ab1a522a7f5f363dfd6417e6825ff7d2831d42b8e4440d012fdf33ec605649

Download Submit
C:\ProgramData\7QA1o8\VEDecoder.dll

Filesize
1.6MB

MD5
d6a3fed112ab4e6bfe32cbe220dc225d

SHA1
bb9190ee490c46959e2bc192009f7773222dfa12

SHA256
8d89d4282f514acf2d7ef3ff7a618bbd513a84538ad309f2a48bff77c202bd58

SHA512
043b866e32db62bf8deb4ad9aa896b8274813cf1e6e4e575a3afc595893b5e5265a0430f6a1010c80db955114a0f9d9c3f4e0b3ee47b3323fb2bbcda5b6b7f61

Download Submit
C:\ProgramData\7QA1o8\longlq.cl

Filesize
1.2MB

MD5
6652b3a6e7290de3f12a5f94b9b72b8c

SHA1
4702a4305f14c8437787343de339fa4f0a4b4d75

SHA256
946d9c70c3ae9d8b22530a844547494c60668a6a3b0cf4e25f84f03a0781743e

SHA512
38950c74297de0820ba606680ad74252dc0f8a4c9d46bdb73b903da55ab7b243a4ae7fa6812f026d2b4ec47b8000454e944be587cb788d592ab30d3848b77d34

Download Submit
C:\Users\Admin\AppData\Roaming\7QA1o.zip

Filesize
684B

MD5
c1c4f6c2711829bc2ab8c7624a383548

SHA1
b00cab45fc02ea4c2b8527a2a5cc4638f937f596

SHA256
8b7949c94bab4ee8c0f352d7b73ff8cbc58aaee9dfe05b07e01e14a7707930de

SHA512
84e6bc21c14c6dbfe0ea99977e7d460c0888f90966b9f6a2e6b4c3aaafaa78472a1b44198fdb7fceeaeef7058e2cdc9c9804435ba3a788f483ef48202354f7d3

Download Submit
C:\Users\Admin\AppData\Roaming\7QA1o8.exe

Filesize
105KB

MD5
6b8ebc942fe392c669b0b21bc8f83a03

SHA1
18fb9645a7365ae17b8386e47bec0b5ba6f5122f

SHA256
e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

SHA512
0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

Download Submit
C:\Users\Admin\Desktop\7QA1.lnk

Filesize
869B

MD5
9522e1a49330c18f39f6f93474363830

SHA1
3052ab46315e4b9443890dd189a6d2f68059249b

SHA256
0b5973b9329ed5704d7b826694bd7aa5d8eb989aab8a01f04fefe2b38eb03bcc

SHA512
dd55180187a4961826f689633e8adea70f2f04f60d7fce9337535d6301578dfeaea722e87d9e2cb100f5048b172d37f4108c0707dea66f63c816635caa0f5b5b

Download Submit
C:\Users\Admin\Desktop\7QA1.lnk

Filesize
1KB

MD5
797e36a5ce1458abefdc9242ea376415

SHA1
d76ace9025207f17c0e524f5ab1937646bf385a5

SHA256
885ed8cf906e17c4812f782e00abde55052b3d29527394e46c05f104737cc6d3

SHA512
2b4418f436ee36fa62c3ca4623e01b1c5961a0e2cb1bebe119f2c6fd67efe81a8f0b4e8ed03641797a3dd672a72fd33ea657c74375f752737b5a9a10b1b09326

Download Submit
memory/576-77-0x00000000007A0000-0x00000000007CA000-memory.dmp

Filesize
168KB

Download
memory/2360-61-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2736-0-0x00000000024A0000-0x0000000002886000-memory.dmp

Filesize
3.9MB

Download
memory/2736-72-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2736-73-0x00000000024A0000-0x0000000002886000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing