win.fatal_rat

FatalRat

aka: Sainbox RAT

According to PCrisk, FatalRAT is a Remote Access Trojan (RAT) — malware that gives an attacker remote control over the infected computer, which can then be used for a variety of purposes.

Typically, RATs are used to access files and other data, monitor on-screen activity and capture screenshots, and steal sensitive information (e.g., login credentials, credit card details).

There are many legitimate remote administration/access tools available on the Internet, and it is common for cybercriminals to abuse those same tools with malicious intent.

References
2023-09-20ProofpointProofpoint Threat Research Team
@online{team:20230920:chinese:25abe7e, author = {Proofpoint Threat Research Team}, title = {{Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape}}, date = {2023-09-20}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape}, language = {English}, urldate = {2023-09-22} } Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape
FatalRat PurpleFox ValleyRAT
2022-03-28The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220328:purple:a7adcb0, author = {Ravie Lakshmanan}, title = {{'Purple Fox' Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks}}, date = {2022-03-28}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html}, language = {English}, urldate = {2022-03-29} } 'Purple Fox' Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks
DirtyMoe FatalRat PurpleFox
2022-03-25Trend MicroSherif Magdy, Abdelrhman Sharshar, Jay Yaneza
@online{magdy:20220325:purple:6bf07f5, author = {Sherif Magdy and Abdelrhman Sharshar and Jay Yaneza}, title = {{Purple Fox Uses New Arrival Vector and Improves Malware Arsenal}}, date = {2022-03-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html}, language = {English}, urldate = {2023-08-23} } Purple Fox Uses New Arrival Vector and Improves Malware Arsenal
FatalRat PurpleFox
2021-08-02AT&TOfer Caspi, Javier Ruiz
@online{caspi:20210802:new:65cbd77, author = {Ofer Caspi and Javier Ruiz}, title = {{New sophisticated RAT in town: FatalRat analysis}}, date = {2021-08-02}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis}, language = {English}, urldate = {2021-08-02} } New sophisticated RAT in town: FatalRat analysis
FatalRat
2021-06-03YouTube (0xca7)0xca7
@online{0xca7:20210603:fatalrat:b54478b, author = {0xca7}, title = {{FatalRAT: Dumping the "payload" aka. Cat vs RAT}}, date = {2021-06-03}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=gjvnVZc11Vg}, language = {English}, urldate = {2022-03-15} } FatalRAT: Dumping the "payload" aka. Cat vs RAT
FatalRat
Yara Rules
[TLP:WHITE] win_fatal_rat_auto (20230715 | Detects win.fatal_rat.)
rule win_fatal_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.fatal_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatal_rat"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - All sequences are 32-bit x86 code patterns taken from unpacked code;
     *   the rule will not match a packed sample on disk, only the unpacked
     *   payload or a memory dump.
     * - `????????` wildcards stand in for call/jmp targets and absolute
     *   operands that the generator deliberately left unspecified.
     * - Two sequences ($sequence_6) embed absolute virtual addresses
     *   (0x1001e1b0, 0x1001ddb0), i.e. the module was analysed at its
     *   preferred base 0x10000000; a relocated image will not match those
     *   bytes. The other sequences use only stack/register-relative operands.
     * - The condition requires only 7 of 10 sequences, which gives some
     *   tolerance for recompiled variants, so expect occasional overlap with
     *   shared runtime/library code; corroborate hits with win_fatal_rat_w0.
     */


    strings:
        // Stack-constructed string: the immediates 0x76 0x63 0x2e 0x65 0x78
        // spell "vc.ex", presumably the tail of a filename ending in
        // "...vc.exe" built one byte at a time (the rest of the string lies
        // outside this window — TODO confirm the full name in the sample).
        $sequence_0 = { c685a0fdffff76 c685a1fdffff63 c685a2fdffff2e c685a3fdffff65 c685a4fdffff78 }
            // n = 5, score = 100
            //   c685a0fdffff76       | mov                 byte ptr [ebp - 0x260], 0x76
            //   c685a1fdffff63       | mov                 byte ptr [ebp - 0x25f], 0x63
            //   c685a2fdffff2e       | mov                 byte ptr [ebp - 0x25e], 0x2e
            //   c685a3fdffff65       | mov                 byte ptr [ebp - 0x25d], 0x65
            //   c685a4fdffff78       | mov                 byte ptr [ebp - 0x25c], 0x78

        // Two consecutive imported-API calls (ff15 = call [iat]); the second
        // takes a pointer to a 0x110-byte stack buffer and its result is
        // tested. Generic shape — contributes little specificity on its own.
        $sequence_1 = { 50 53 ff15???????? 8d85f0feffff 50 ff15???????? 85c0 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8d85f0feffff         | lea                 eax, [ebp - 0x110]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        // Function boundary: `ret` of the previous routine followed by a
        // standard prologue and an immediate load (b8 = mov eax, imm32).
        $sequence_2 = { c3 55 8bec b8???????? 56 85c0 57 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   b8????????           |                     
            //   56                   | push                esi
            //   85c0                 | test                eax, eax
            //   57                   | push                edi

        // Reads a dword at [esi + 0x44] and adds eax to it before pushing —
        // looks like offset-into-structure arithmetic; semantics unverified.
        $sequence_3 = { eb34 8b4e44 6a00 03c8 51 }
            // n = 5, score = 100
            //   eb34                 | jmp                 0x36
            //   8b4e44               | mov                 ecx, dword ptr [esi + 0x44]
            //   6a00                 | push                0
            //   03c8                 | add                 ecx, eax
            //   51                   | push                ecx

        // `rep movsd` block copy followed by two fixed offsets (0xee0, 0xfb4)
        // into the same object — a large structure/config blob is being
        // populated. The offsets are what make this sequence distinctive.
        $sequence_4 = { 8955fc f3a5 8d88e00e0000 8db8b40f0000 894de4 8bcb 8d75e4 }
            // n = 7, score = 100
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8d88e00e0000         | lea                 ecx, [eax + 0xee0]
            //   8db8b40f0000         | lea                 edi, [eax + 0xfb4]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   8bcb                 | mov                 ecx, ebx
            //   8d75e4               | lea                 esi, [ebp - 0x1c]

        // Immediate 0x7405c pushed as an API argument; the meaning of the
        // constant is not established here — do not rely on it alone.
        $sequence_5 = { 56 56 685c400700 57 ff15???????? 57 ff15???????? }
            // n = 7, score = 100
            //   56                   | push                esi
            //   56                   | push                esi
            //   685c400700           | push                0x7405c
            //   57                   | push                edi
            //   ff15????????         |                     
            //   57                   | push                edi
            //   ff15????????         |                     

        // Byte-lane table lookups: the low byte (and eax, 0xff) and the high
        // byte (shr edx, 0x18) of a 32-bit word index two dword tables at
        // fixed addresses and the results are XORed — the classic shape of a
        // T-table block-cipher round (AES-like); the cipher is not confirmed
        // from these seven instructions. Because the table addresses are
        // absolute, this sequence breaks if the image is relocated away from
        // base 0x10000000.
        $sequence_6 = { 8bd0 8b0c8db0e10110 25ff000000 c1ea18 33cb 83c604 8b1c95b0dd0110 }
            // n = 7, score = 100
            //   8bd0                 | mov                 edx, eax
            //   8b0c8db0e10110       | mov                 ecx, dword ptr [ecx*4 + 0x1001e1b0]
            //   25ff000000           | and                 eax, 0xff
            //   c1ea18               | shr                 edx, 0x18
            //   33cb                 | xor                 ecx, ebx
            //   83c604               | add                 esi, 4
            //   8b1c95b0dd0110       | mov                 ebx, dword ptr [edx*4 + 0x1001ddb0]

        // Conditional skip over a three-argument imported-API call; generic.
        $sequence_7 = { 7447 56 53 50 ff15???????? }
            // n = 5, score = 100
            //   7447                 | je                  0x49
            //   56                   | push                esi
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff15????????         |                     

        // cdecl call with three dword args (add esp, 0xc) then a pointer
        // constant loaded into esi (be = mov esi, imm32) for the next call.
        $sequence_8 = { 50 56 e8???????? 83c40c be???????? 57 56 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   be????????           |                     
            //   57                   | push                edi
            //   56                   | push                esi

        // Object initialisation: stores into [edi + 0x2c] and [edi + 0x38]
        // (the second from the third stack argument, [ebp + 0xc]) around a
        // helper call — distinctive because of the two structure offsets.
        $sequence_9 = { 89472c 8b450c 6a00 56 57 894738 e8???????? }
            // n = 7, score = 100
            //   89472c               | mov                 dword ptr [edi + 0x2c], eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   6a00                 | push                0
            //   56                   | push                esi
            //   57                   | push                edi
            //   894738               | mov                 dword ptr [edi + 0x38], eax
            //   e8????????           |                     

    condition:
        // Any 7 of the 10 sequences, and the scanned object must be smaller
        // than 344064 bytes (336 KiB). NOTE: `filesize` is undefined when YARA
        // scans a running process rather than a file, which makes the whole
        // condition evaluate false in process scans — dump the module to disk
        // first if you need this rule on live memory.
        7 of them and filesize < 344064
}
[TLP:WHITE] win_fatal_rat_w0   (20210820 | Detects FatalRAT, unpacked malware.)
rule win_fatal_rat_w0 {
    meta: 
        author = "AT&T Alien Labs" 
        description = "Detects FatalRAT, unpacked malware." 
        type = "malware" 
        sha256 = "ec0dcfe2d8380a4bafadb3ed73b546cbf73ef78f893e32202042a5818b67ce56" 
        reference = "https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis"
        copyright = "Alienvault Inc. 2021" 
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatal_rat"
        malpedia_rule_date = "20210820"
        malpedia_version = "20210820"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        // Code pattern of the string-decryption routine (32-bit x86). The
        // bytes disassemble to:
        //   EC               ; tail of `mov ebp, esp` (prologue `55 8B` precedes it)
        //   0F B6 45 10      movzx eax, byte ptr [ebp+0x10]   ; key byte (3rd arg)
        //   99               cdq
        //   B9 AB 05 00 00   mov ecx, 0x5AB
        //   56               push esi
        //   F7 F9            idiv ecx                         ; edx = key % 0x5AB
        //   8B 75 0C         mov esi, [ebp+0xc]               ; length (2nd arg)
        //   80 C2 3D         add dl, 0x3D
        //   85 F6            test esi, esi
        //   76 0F            jbe done                         ; length == 0
        //   8B 45 08         mov eax, [ebp+8]                 ; buffer (1st arg)
        //   loop: 8A 08      mov cl, [eax]
        //   32 CA            xor cl, dl
        //   02 CA            add cl, dl
        //   88 08            mov [eax], cl                    ; in-place: b = (b ^ k) + k
        //   40 / 4E / 75 F4  inc eax ; dec esi ; jnz loop
        //   5E 5D C3         pop esi ; pop ebp ; ret
        // Since the key is a zero-extended byte (< 0x5AB), the remainder is
        // the key itself, so effectively k = (key + 0x3D) & 0xff. No
        // wildcards: any recompilation of this routine breaks the match.
        $decrypt_func = {EC 0F B6 45 10 99 B9 AB 05 00 00 56 F7 F9 8B 75 0C 80 C2 3D 85 F6 76 0F 8B 45 08 8A 08 32 CA 02 CA 88 08 40 4E 75 F4 5E 5D C3} 
        // Plaintext ASCII markers (narrow strings only — wide variants are
        // not covered); they are in the clear only in the unpacked payload.
        $s1 = "SVP7-Thread running..." 
        $s2 = "nw_elf.dll" 
    condition: 
        // MZ header plus the decrypt routine AND both strings; intentionally
        // strict (unpacked PE on disk / dumped module), so a single changed
        // string in a new build will cause a miss rather than a false hit.
        uint16(0) == 0x5a4d and all of them
}