win.fatal_rat (Back to overview)

FatalRat


According to PCrisk, FatalRAT is the name of a Remote Access Trojan (RAT). A RAT is a type of malware that allows the attacker to remotely control the infected computer and use it for various purposes.

Typically, RATs are used to access files and other data, monitor on-screen activity and capture screenshots, and steal sensitive information (e.g., login credentials, credit card details).

There are many legitimate remote administration/access tools on the Internet, and cybercriminals commonly abuse those same tools for malicious purposes as well.

References
2022-03-28The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220328:purple:a7adcb0, author = {Ravie Lakshmanan}, title = {{'Purple Fox' Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks}}, date = {2022-03-28}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html}, language = {English}, urldate = {2022-03-29} } 'Purple Fox' Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks
DirtyMoe FatalRat PurpleFox
2022-03-25Trend MicroSherif Magdy, Abdelrhman Sharshar, Jay Yaneza
@online{magdy:20220325:purple:6bf07f5, author = {Sherif Magdy and Abdelrhman Sharshar and Jay Yaneza}, title = {{Purple Fox Uses New Arrival Vector and Improves Malware Arsenal}}, date = {2022-03-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html}, language = {English}, urldate = {2022-03-30} } Purple Fox Uses New Arrival Vector and Improves Malware Arsenal
FatalRat
2021-08-02AT&TOfer Caspi, Javier Ruiz
@online{caspi:20210802:new:65cbd77, author = {Ofer Caspi and Javier Ruiz}, title = {{New sophisticated RAT in town: FatalRat analysis}}, date = {2021-08-02}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis}, language = {English}, urldate = {2021-08-02} } New sophisticated RAT in town: FatalRat analysis
FatalRat
2021-06-03YouTube (0xca7)0xca7
@online{0xca7:20210603:fatalrat:b54478b, author = {0xca7}, title = {{FatalRAT: Dumping the "payload" aka. Cat vs RAT}}, date = {2021-06-03}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=gjvnVZc11Vg}, language = {English}, urldate = {2022-03-15} } FatalRAT: Dumping the "payload" aka. Cat vs RAT
FatalRat
Yara Rules
[TLP:WHITE] win_fatal_rat_auto (20230407 | Detects win.fatal_rat.)
rule win_fatal_rat_auto {

    /* Purpose: code-based detection of win.fatal_rat (FatalRAT) built from ten
     * short 32-bit x86 instruction sequences that YARA-Signator extracted
     * automatically. The ???????? wildcards stand for the rel32 / abs32
     * operands of call instructions (e8 / ff15); those differ between builds
     * and are therefore not matched literally. */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.fatal_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatal_rat"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a run of n consecutive instructions; the trailing
     * comment block gives the generator's disassembly. "score" is the
     * generator's own ranking of the sequence, not a YARA weight. */
    strings:
        $sequence_0 = { 3908 7602 8908 53 56 e8???????? 8bf8 }
            // n = 7, score = 100
            //   3908                 | cmp                 dword ptr [eax], ecx
            //   7602                 | jbe                 4
            //   8908                 | mov                 dword ptr [eax], ecx
            //   53                   | push                ebx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_1 = { 56 57 6a40 33db 59 33c0 8dbdf5fdffff }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a40                 | push                0x40
            //   33db                 | xor                 ebx, ebx
            //   59                   | pop                 ecx
            //   33c0                 | xor                 eax, eax
            //   8dbdf5fdffff         | lea                 edi, [ebp - 0x20b]

        $sequence_2 = { c3 ff7108 ff15???????? c3 55 8bec 56 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   ff7108               | push                dword ptr [ecx + 8]
            //   ff15????????         |                     
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi

        // NOTE(review): 0x20019 equals the Win32 KEY_READ access mask, which
        // suggests a registry-open call follows - confirm against the sample.
        $sequence_3 = { 50 e8???????? 59 8d45f8 59 50 6819000200 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   59                   | pop                 ecx
            //   50                   | push                eax
            //   6819000200           | push                0x20019

        // Buffer fill: push 0x40 / pop ecx sets ecx = 0x40, then rep stosd,
        // stosw and stosb write 0x40*4 + 2 + 1 = 0x103 bytes at ebp - 0x30b
        // with whatever eax/ax/al hold (likely zero, cf. $sequence_1).
        $sequence_4 = { f3ab 6a40 8dbdf5fcffff 59 f3ab 66ab aa }
            // n = 7, score = 100
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   6a40                 | push                0x40
            //   8dbdf5fcffff         | lea                 edi, [ebp - 0x30b]
            //   59                   | pop                 ecx
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al

        $sequence_5 = { 59 59 ff15???????? 50 8d85fcfeffff 50 8d85fcfeffff }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   ff15????????         |                     
            //   50                   | push                eax
            //   8d85fcfeffff         | lea                 eax, [ebp - 0x104]
            //   50                   | push                eax
            //   8d85fcfeffff         | lea                 eax, [ebp - 0x104]

        // The immediate bytes 54 50 2e 65 78 65 are ASCII "TP.exe": a string
        // assembled on the stack one byte at a time (only these six bytes of
        // it are covered by the pattern).
        $sequence_6 = { c6859dfeffff54 c6859efeffff50 c6859ffeffff2e c685a0feffff65 c685a1feffff78 c685a2feffff65 }
            // n = 6, score = 100
            //   c6859dfeffff54       | mov                 byte ptr [ebp - 0x163], 0x54
            //   c6859efeffff50       | mov                 byte ptr [ebp - 0x162], 0x50
            //   c6859ffeffff2e       | mov                 byte ptr [ebp - 0x161], 0x2e
            //   c685a0feffff65       | mov                 byte ptr [ebp - 0x160], 0x65
            //   c685a1feffff78       | mov                 byte ptr [ebp - 0x15f], 0x78
            //   c685a2feffff65       | mov                 byte ptr [ebp - 0x15e], 0x65

        $sequence_7 = { 57 33db 680c010000 8d85b4fcffff 53 50 e8???????? }
            // n = 7, score = 100
            //   57                   | push                edi
            //   33db                 | xor                 ebx, ebx
            //   680c010000           | push                0x10c
            //   8d85b4fcffff         | lea                 eax, [ebp - 0x34c]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   e8????????           |                     

        // Two test/je pairs with large negative displacements: return-value
        // checks that branch backwards, i.e. a retry or polling loop.
        $sequence_8 = { 85c0 0f84f7feffff 8d85c0f9ffff 50 ff15???????? 85c0 0f84e2feffff }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f84f7feffff         | je                  0xfffffefd
            //   8d85c0f9ffff         | lea                 eax, [ebp - 0x640]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f84e2feffff         | je                  0xfffffee8

        $sequence_9 = { 5d c3 55 8bec 8b4508 6a00 99 }
            // n = 7, score = 100
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   99                   | cdq                 

    condition:
        // At least 7 of the 10 $sequence_* strings must match, and the scanned
        // file must be smaller than 344064 bytes (336 KiB). NOTE(review):
        // filesize describes the scanned file; confirm how your YARA version
        // evaluates it before relying on this rule for process-memory scans.
        7 of them and filesize < 344064
}
[TLP:WHITE] win_fatal_rat_w0   (20210820 | Detects FatalRAT, unpacked malware.)
rule win_fatal_rat_w0 {
    /* Purpose: detect unpacked FatalRAT PE files (hand-written rule by AT&T
     * Alien Labs) by anchoring on the sample's string-decoding routine plus
     * two plaintext strings. The sha256 in meta is the reference sample the
     * rule was written against. */
    meta: 
        author = "AT&T Alien Labs" 
        description = "Detects FatalRAT, unpacked malware." 
        type = "malware" 
        sha256 = "ec0dcfe2d8380a4bafadb3ed73b546cbf73ef78f893e32202042a5818b67ce56" 
        reference = "https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis"
        copyright = "Alienvault Inc. 2021" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatal_rat"
        malpedia_rule_date = "20210820"
        malpedia_version = "20210820"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        // Decode routine, 32-bit x86 (manual disassembly of the pattern; the
        // leading EC is presumably the second byte of "8B EC" mov ebp, esp):
        //   movzx eax, byte [ebp+0x10] ; cdq ; mov ecx, 0x5ab ; idiv ecx
        //   add dl, 0x3d            -> one-byte key = (arg3 % 0x5ab) + 0x3d
        //   mov esi, [ebp+0xc] ; test esi, esi ; jbe exit   (arg2 = length)
        //   loop over arg1 = [ebp+8]: byte = (byte ^ key) + key ; inc ; dec ; jnz
        // No absolute addresses are involved, so the bytes are build-stable
        // and make a good anchor for the rule.
        $decrypt_func = {EC 0F B6 45 10 99 B9 AB 05 00 00 56 F7 F9 8B 75 0C 80 C2 3D 85 F6 76 0F 8B 45 08 8A 08 32 CA 02 CA 88 08 40 4E 75 F4 5E 5D C3} 
        // Plain ASCII strings, case-sensitive and not wide (no modifiers given).
        $s1 = "SVP7-Thread running..." 
        $s2 = "nw_elf.dll" 
    condition: 
        // "MZ" at offset 0 (PE executable) and all three strings present;
        // the MZ check means memory-only or header-stripped dumps will not match.
        uint16(0) == 0x5a4d and all of them
}