fatalrat | 8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc

Analysis

max time kernel
96s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe
Size

3.5MB
MD5

37fed29952baed1e0d1ba278bc887d16
SHA1

eb13c250ccd0694c8126c78281283c40c5b8b5f9
SHA256

8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc
SHA512

9f66b91505c328167e08af5ac58c717366387fc29f0d536db12f9bfd52d118b06b87ac5968cd259ad8ef9979d3387439deb2b3b6dbf086bf635a09da87ad0a06
SSDEEP

49152:nwNuf+/VB9lCufQZ80lkiS1/KfwKX+i/hfyoZhmLomL3zcavMcc:/fKB9lBwe/Kfw2+i/MomLJkcc

Score

10^/10

fatalrat defense_evasion discovery infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat
Fatalrat family
fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/1316-38-0x0000000002410000-0x000000000243A000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	9XMiDi.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Macromedia-Packages.lnk	9XMiDi.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Macromedia-Packages.lnk	9XMiDi.exe

Executes dropped EXE 2 IoCs

pid	Process
4664	9XMiDi.exe
1316	9XMiDi.exe

Loads dropped DLL 1 IoCs

pid	Process
1316	9XMiDi.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9XMiDi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9XMiDi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9XMiDi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	9XMiDi.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 0114020000000000c0000000000000466d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	cmd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{00021401-0000-0000-C000-000000000046} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000004b87c2e3a447db01	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1948	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe
1948	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe
1948	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe
1948	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe
1948	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe
1948	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe
1316	9XMiDi.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	9XMiDi.exe
Token: SeDebugPrivilege	1316	9XMiDi.exe
Token: SeIncBasePriorityPrivilege	1316	9XMiDi.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3148	wordpad.exe
3148	wordpad.exe
3148	wordpad.exe
3148	wordpad.exe
3148	wordpad.exe
1316	9XMiDi.exe
1316	9XMiDi.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1536	1948	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe	88
PID 1948 wrote to memory of 1536	1948	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe	88
PID 1536 wrote to memory of 3148	1536	write.exe	90
PID 1536 wrote to memory of 3148	1536	write.exe	90
PID 3268 wrote to memory of 4664	3268	cmd.exe	91
PID 3268 wrote to memory of 4664	3268	cmd.exe	91
PID 3268 wrote to memory of 4664	3268	cmd.exe	91
PID 1948 wrote to memory of 456	1948	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe	97
PID 1948 wrote to memory of 456	1948	8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe	97
PID 456 wrote to memory of 1316	456	cmd.exe	98
PID 456 wrote to memory of 1316	456	cmd.exe	98
PID 456 wrote to memory of 1316	456	cmd.exe	98
PID 1316 wrote to memory of 4352	1316	9XMiDi.exe	103
PID 1316 wrote to memory of 4352	1316	9XMiDi.exe	103
PID 1316 wrote to memory of 4352	1316	9XMiDi.exe	103

C:\Users\Admin\AppData\Local\Temp\8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe
"C:\Users\Admin\AppData\Local\Temp\8d43e247412e590f715ead2d3851e1ddf3dd37363dd164bb9b3f5105fc1deffc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\System32\write.exe
  "C:\Windows\System32\write.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3148
- C:\Windows\System32\cmd.exe
  cmd /c start "" "C:\ProgramData\9XMiDi\9XMiDi.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\ProgramData\9XMiDi\9XMiDi.exe
    "C:\ProgramData\9XMiDi\9XMiDi.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del /q C:\ProgramData\9XMiDi\9XMiDi.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4352

C:\Windows\system32\cmd.exe
cmd /c start C:\Users\Admin\Desktop\9XMi.lnk
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Users\Admin\AppData\Roaming\9XMiDi.exe
  "C:\Users\Admin\AppData\Roaming\9XMiDi.exe" -n C:\Users\Admin\AppData\Roaming\9XMiD.zip -d C:\Users\Admin\AppData\Roaming
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\9XMiDi\9XMiDi.exe

Filesize
32KB

MD5
4304b11ec93e3202ac7e407fe34d1029

SHA1
e8c9d0be7150111441b5e5cbcf9414160612d943

SHA256
46805d144490eed8a24d18d0280a766e5345b7b7e35f51792beda4b42ad6eb65

SHA512
2a9fec6e55c0e4c2ffcf885e5322f2d4f2c139ac5676c731aebb14c8467e126916e9b9e891bd4391ea00954738f921b0e2855afbd4995f9be44d00e687547f84

Download Submit
C:\ProgramData\9XMiDi\KMFTPReg.dll

Filesize
1.6MB

MD5
b86966cb0e3f9a591e04d5332bcee783

SHA1
d1b73e4a1d563104bf0fb72e4ded1ff67282b352

SHA256
f29091d2045ad06b875a1fa400c44e04e1d39e48ac467d8c3230e231bc2eac11

SHA512
5059382018f5c65c45e9fcd49e61319b95b5798af72be6ff3fa538c092ccfd4b5fa28f86b39f39fc91618269f95719b23faabe532beabf7111c6d06ba575ea76

Download Submit
C:\ProgramData\9XMiDi\longlq.cl

Filesize
1.2MB

MD5
630b831cf26d32988afb4abc509be230

SHA1
aaf0b566f4c818c62058b86e2e9d22f531ca0672

SHA256
ce0dffe9c5c1acafe23b4f2c22d15b5a040191b9d2d83b026617ab50aea2fe2f

SHA512
24581a12dc6d6b37bd4dbe8a46ae035c0156ce3536163919c2c2fe84044a9444b01d35cab6ca50934439e6d866300e46243e9ff078eee526eb78a2746c08e48b

Download Submit
C:\Users\Admin\AppData\Roaming\9XMiD.zip

Filesize
654B

MD5
8816c26b30ea94315dfef6b51ea04291

SHA1
0fa30f6342196a3ad73a854173ffeeac04dc0e36

SHA256
9bbd3733b771b91940b8c947164aa68c9569d334d00b7f4ab25a509970b63950

SHA512
f60adedc032bb428dab1b29bd14b8ef3170583d5a397528b8b157075be7c6934a90d80d7fac2464545c9b2f92842e5352d202b0cf844f48802b2f36b1e4ae1d0

Download Submit
C:\Users\Admin\AppData\Roaming\9XMiDi.exe

Filesize
100KB

MD5
0ca0f8efaebe3636976165528d633560

SHA1
a3e7baf0557cb42d3d7668a73fc56c1f2aa23104

SHA256
39dd69f54b934c34e84fe19747a5d3ad118b54d19158cdf641ca6f8b8d40fae3

SHA512
aaadcf234c76188380773a146d16db869d2d49dc372a127777613d863fe87764c2f30e01b8da3503abdf4dfe653587077c047cd837e556af4f29caba5c001fad

Download Submit
C:\Users\Admin\Desktop\9XMi.lnk

Filesize
948B

MD5
a1da711250af36ea528e752d4772515c

SHA1
516ee2652e1f8df69e6d7de255acd61cc9938552

SHA256
dc7c7b26b1f357ee3ec8577fab141f90164bf309720f4750148666ec5c7ed5fa

SHA512
e7d7725cd8d1b24edf690498d5e8978dc5d4746ecae5de29bc6c4bec6d3f37a2c7142a3c98d95c601ba4a5a785001fce5b9285cabe4a3807147f0fe0b0e40005

Download Submit
C:\Users\Admin\Desktop\9XMi.lnk

Filesize
1KB

MD5
8d63a92938f56821e4462d6f5f2637ed

SHA1
c3749836eb724c70450d74d9596c3426280e6d0a

SHA256
25f1b4d901573b52f57cc84e133ed51498187857458f245dcf574a3b592f4432

SHA512
af5244a53f75cac75882185b2c3b3cedbb42b60e252405d85af3c29c805b28edb246a07a99fcc64c2319517c62c9bf0a5c8805610fd1a5912a6f177e80b99201

Download Submit
memory/1316-38-0x0000000002410000-0x000000000243A000-memory.dmp

Filesize
168KB

Download
memory/1948-0-0x00000000023A0000-0x000000000270E000-memory.dmp

Filesize
3.4MB

Download
memory/1948-35-0x00000000023A0000-0x000000000270E000-memory.dmp

Filesize
3.4MB

Download
memory/4664-23-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download