fatalrat | 8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe
Size

3.5MB
MD5

37fed29952baed1e0d1ba278bc887d16
SHA1

eb13c250ccd0694c8126c78281283c40c5b8b5f9
SHA256

8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc
SHA512

9f66b91505c328167e08af5ac58c717366387fc29f0d536db12f9bfd52d118b06b87ac5968cd259ad8ef9979d3387439deb2b3b6dbf086bf635a09da87ad0a06
SSDEEP

49152:nwNuf+/VB9lCufQZ80lkiS1/KfwKX+i/hfyoZhmLomL3zcavMcc:/fKB9lBwe/Kfw2+i/MomLJkcc

Score

10^/10

fatalrat defense_evasion discovery infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat
Fatalrat family
fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/1900-72-0x00000000007A0000-0x00000000007CA000-memory.dmp	fatalrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Macromedia-Packages.lnk	Fk6vwr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Macromedia-Packages.lnk	Fk6vwr.exe

Executes dropped EXE 2 IoCs

pid	Process
2624	Fk6vwr.exe
1900	Fk6vwr.exe

Loads dropped DLL 1 IoCs

pid	Process
1900	Fk6vwr.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fk6vwr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fk6vwr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fk6vwr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Fk6vwr.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	cmd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000d07994e4a447db01	cmd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000030db96e4a447db01	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
2624	Fk6vwr.exe
1900	Fk6vwr.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2112	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe
2112	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe
2112	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	Fk6vwr.exe
Token: SeDebugPrivilege	1900	Fk6vwr.exe
Token: SeIncBasePriorityPrivilege	1900	Fk6vwr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2860	wordpad.exe
2860	wordpad.exe
2860	wordpad.exe
2860	wordpad.exe
2860	wordpad.exe
1900	Fk6vwr.exe
1900	Fk6vwr.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2468	2112	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe	32
PID 2112 wrote to memory of 2468	2112	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe	32
PID 2112 wrote to memory of 2468	2112	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe	32
PID 2468 wrote to memory of 2860	2468	write.exe	34
PID 2468 wrote to memory of 2860	2468	write.exe	34
PID 2468 wrote to memory of 2860	2468	write.exe	34
PID 2864 wrote to memory of 2624	2864	cmd.exe	36
PID 2864 wrote to memory of 2624	2864	cmd.exe	36
PID 2864 wrote to memory of 2624	2864	cmd.exe	36
PID 2864 wrote to memory of 2624	2864	cmd.exe	36
PID 2112 wrote to memory of 1880	2112	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe	38
PID 2112 wrote to memory of 1880	2112	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe	38
PID 2112 wrote to memory of 1880	2112	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe	38
PID 1880 wrote to memory of 1900	1880	cmd.exe	39
PID 1880 wrote to memory of 1900	1880	cmd.exe	39
PID 1880 wrote to memory of 1900	1880	cmd.exe	39
PID 1880 wrote to memory of 1900	1880	cmd.exe	39
PID 1900 wrote to memory of 532	1900	Fk6vwr.exe	41
PID 1900 wrote to memory of 532	1900	Fk6vwr.exe	41
PID 1900 wrote to memory of 532	1900	Fk6vwr.exe	41
PID 1900 wrote to memory of 532	1900	Fk6vwr.exe	41

C:\Users\Admin\AppData\Local\Temp\8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe
"C:\Users\Admin\AppData\Local\Temp\8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\System32\write.exe
  "C:\Windows\System32\write.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2860
- C:\Windows\System32\cmd.exe
  cmd /c start "" "C:\ProgramData\Fk6vwr\Fk6vwr.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\ProgramData\Fk6vwr\Fk6vwr.exe
    "C:\ProgramData\Fk6vwr\Fk6vwr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del /q C:\ProgramData\Fk6vwr\Fk6vwr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:532

C:\Windows\system32\cmd.exe
cmd /c start C:\Users\Admin\Desktop\Fk6v.lnk
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Roaming\Fk6vwr.exe
  "C:\Users\Admin\AppData\Roaming\Fk6vwr.exe" -n C:\Users\Admin\AppData\Roaming\Fk6vw.zip -d C:\Users\Admin\AppData\Roaming
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Fk6vwr\Fk6vwr.exe

Filesize
32KB

MD5
4304b11ec93e3202ac7e407fe34d1029

SHA1
e8c9d0be7150111441b5e5cbcf9414160612d943

SHA256
46805d144490eed8a24d18d0280a766e5345b7b7e35f51792beda4b42ad6eb65

SHA512
2a9fec6e55c0e4c2ffcf885e5322f2d4f2c139ac5676c731aebb14c8467e126916e9b9e891bd4391ea00954738f921b0e2855afbd4995f9be44d00e687547f84

Download Submit
C:\ProgramData\Fk6vwr\KMFTPReg.dll

Filesize
1.6MB

MD5
b86966cb0e3f9a591e04d5332bcee783

SHA1
d1b73e4a1d563104bf0fb72e4ded1ff67282b352

SHA256
f29091d2045ad06b875a1fa400c44e04e1d39e48ac467d8c3230e231bc2eac11

SHA512
5059382018f5c65c45e9fcd49e61319b95b5798af72be6ff3fa538c092ccfd4b5fa28f86b39f39fc91618269f95719b23faabe532beabf7111c6d06ba575ea76

Download Submit
C:\ProgramData\Fk6vwr\longlq.cl

Filesize
1.2MB

MD5
630b831cf26d32988afb4abc509be230

SHA1
aaf0b566f4c818c62058b86e2e9d22f531ca0672

SHA256
ce0dffe9c5c1acafe23b4f2c22d15b5a040191b9d2d83b026617ab50aea2fe2f

SHA512
24581a12dc6d6b37bd4dbe8a46ae035c0156ce3536163919c2c2fe84044a9444b01d35cab6ca50934439e6d866300e46243e9ff078eee526eb78a2746c08e48b

Download Submit
C:\Users\Admin\AppData\Roaming\Fk6vw.zip

Filesize
686B

MD5
a589aaa3e9c89f28bed8f77f55971051

SHA1
4c78ac55aab8186efa721c8a0f99b5bfc13f986c

SHA256
ea0de93c18e0ba4d73614983f6533ab527586b74b22b4606bfbd6f3ddbbe923e

SHA512
ca689d15f4154f4f24474c91bf47dfe433821d18e73a8a6cd54313754bedeced053b12cf1a7e61d52117f5f434c1c14c33218d12a8ff482a61517fdc693d4b55

Download Submit
C:\Users\Admin\AppData\Roaming\Fk6vwr.exe

Filesize
100KB

MD5
0ca0f8efaebe3636976165528d633560

SHA1
a3e7baf0557cb42d3d7668a73fc56c1f2aa23104

SHA256
39dd69f54b934c34e84fe19747a5d3ad118b54d19158cdf641ca6f8b8d40fae3

SHA512
aaadcf234c76188380773a146d16db869d2d49dc372a127777613d863fe87764c2f30e01b8da3503abdf4dfe653587077c047cd837e556af4f29caba5c001fad

Download Submit
C:\Users\Admin\Desktop\Fk6v.lnk

Filesize
869B

MD5
e10b330127e58663400da5217dab4fa2

SHA1
f13e7be8e3f4dc5190d7609e684b638f62276d13

SHA256
2e5058bde9c914339efd702d7fda71ce144bd48682f2c07706b4a8c1d15ad59e

SHA512
33987542497d8c6959a9a9977e430287303d758709ea5e5b3a36c8f540dffb9e102584cd36bdcb8c8945661acfac0ec427657ed1bc497b6a5dff4bd7654640a2

Download Submit
C:\Users\Admin\Desktop\Fk6v.lnk

Filesize
1KB

MD5
b03d525eac0b1e8ebcd70096d6f01b45

SHA1
8af669bd1f019260554c540ae5710acc8e716375

SHA256
2632dd99e81b6eb14234823d4089e47fb88287a2de4778ffb612a8b8e478f870

SHA512
8d14cb6702d79d2570b41120d52bc88e92d483b5a82fa117f078c852843c788b1e4d154937cdc0a1305c35cfb51376a095e140a70c17f708ba159644daf6bcb9

Download Submit
memory/1900-72-0x00000000007A0000-0x00000000007CA000-memory.dmp

Filesize
168KB

Download
memory/2112-0-0x0000000002100000-0x000000000246E000-memory.dmp

Filesize
3.4MB

Download
memory/2112-69-0x0000000002100000-0x000000000246E000-memory.dmp

Filesize
3.4MB

Download
memory/2624-58-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download