fatalrat | ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a

General

Target

ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe
Size

5.5MB
MD5

d414027b4174b50f1b66b4591414673e
SHA1

633efc9e4ee12c0eae5431b434adcf410731950b
SHA256

ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a
SHA512

581333ed6ca5e13c7e21ffc51422fdf5cd34592c9c3d91ef5241cdd1ccdd1cf8ca455762f3688d4faa4adff246b219ae1cc24f1098909b78f59fd7c72be42218
SSDEEP

98304:YclLQZyVp1vSIpvrU38WSJWN5orrj6/GGQGSZ2P4SNuF2Fo0i+M7xdI:V1BnU38WNibGSYP4w0RxX7xdI

Score

10^/10

fatalrat infostealer rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2040-28-0x00000000005B0000-0x00000000005DA000-memory.dmp	fatalrat

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000015d0f-19.dat	acprotect
behavioral1/files/0x0007000000015d0f-18.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2040	Updater.exe

Loads dropped DLL 3 IoCs

pid	Process
2924	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe
2040	Updater.exe
2040	Updater.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2040-20-0x0000000010000000-0x000000001008D000-memory.dmp	upx
behavioral1/files/0x0007000000015d0f-19.dat	upx
behavioral1/files/0x0007000000015d0f-18.dat	upx
behavioral1/memory/2040-42-0x0000000010000000-0x000000001008D000-memory.dmp	upx
behavioral1/memory/2040-45-0x0000000010000000-0x000000001008D000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2924	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funshion\cvsd.xml	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe
File created	C:\Program Files (x86)\Funshion\HttpFtp.dll	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe
File created	C:\Program Files (x86)\Funshion\libcurl.dll	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe
File created	C:\Program Files (x86)\Funshion\Updater.exe	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2924	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe
2924	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	Updater.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2924	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe
2924	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe
2040	Updater.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2040	2924	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe	28
PID 2924 wrote to memory of 2040	2924	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe	28
PID 2924 wrote to memory of 2040	2924	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe	28
PID 2924 wrote to memory of 2040	2924	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe	28
PID 2924 wrote to memory of 2040	2924	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe	28
PID 2924 wrote to memory of 2040	2924	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe	28
PID 2924 wrote to memory of 2040	2924	ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe	28

C:\Users\Admin\AppData\Local\Temp\ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe
"C:\Users\Admin\AppData\Local\Temp\ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Program Files (x86)\Funshion\Updater.exe
  "C:\Program Files (x86)\Funshion\Updater.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion\HttpFtp.dll

Filesize
234KB

MD5
49fdb26643239695c5faa0677965a94c

SHA1
308bdcac85a1a61b0e8efccb6603a58c0c68e8ef

SHA256
7b56b12a0e16f2123110222e3884ac44fddf2cb9c780b053d3e29c3468b3a256

SHA512
64fc81965a5e564b2896f01f5419a3644f4b3f251422b0e81ad125f7c3145a9a23df58d7a0dcf8da06963a70f974d223646d7fa0e1e532f46e2d06d721b1e22d

Download Submit
C:\Program Files (x86)\Funshion\Updater.exe

Filesize
3.4MB

MD5
3e70fba5ef28862d49f63ac683859aa6

SHA1
7f74f5e0106d89e5c5e9b8cac71d28afaa790115

SHA256
48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

SHA512
0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

Download Submit
C:\Program Files (x86)\Funshion\libcurl.dll

Filesize
181KB

MD5
aad80396201a6e9ce14d806f5ba1f507

SHA1
abc52c284ef9727d99ef596114b03cdce8a0fc38

SHA256
b66225b2e4fd0f445518a3a21469da2af0a3fb95b42cf386a1f6b09a0c4ccc6e

SHA512
b491723224790464187b9a5facfaf69ae48c4134957a07ca3ce6f3773cc7d515caca9a39b71903a91657fe568e14ca8f26515b2539dcb2dd88202a1cc792c94d

Download Submit
C:\ProgramData\afd.bin

Filesize
198KB

MD5
c68f04b5648ffe2e351d2f3831d708e5

SHA1
e21871056c7b767bf357a1f5bc399fe7f1248a92

SHA256
e5153b805563b3d00f7a7796d313f60685cc31b3f883fe47887ade617ca076aa

SHA512
8807b38723f37c9b197a0d9f090c00fdd467ceb26ba810767676f16c29d6248a41ac6b41460a6b4972209ca0da5457622ce6b56205d0d27034bc57b6c5069d7d

Download Submit
\Program Files (x86)\Funshion\HttpFtp.dll

Filesize
234KB

MD5
49fdb26643239695c5faa0677965a94c

SHA1
308bdcac85a1a61b0e8efccb6603a58c0c68e8ef

SHA256
7b56b12a0e16f2123110222e3884ac44fddf2cb9c780b053d3e29c3468b3a256

SHA512
64fc81965a5e564b2896f01f5419a3644f4b3f251422b0e81ad125f7c3145a9a23df58d7a0dcf8da06963a70f974d223646d7fa0e1e532f46e2d06d721b1e22d

Download Submit
\Program Files (x86)\Funshion\Updater.exe

Filesize
3.4MB

MD5
3e70fba5ef28862d49f63ac683859aa6

SHA1
7f74f5e0106d89e5c5e9b8cac71d28afaa790115

SHA256
48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

SHA512
0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

Download Submit
\Program Files (x86)\Funshion\libcurl.dll

Filesize
181KB

MD5
aad80396201a6e9ce14d806f5ba1f507

SHA1
abc52c284ef9727d99ef596114b03cdce8a0fc38

SHA256
b66225b2e4fd0f445518a3a21469da2af0a3fb95b42cf386a1f6b09a0c4ccc6e

SHA512
b491723224790464187b9a5facfaf69ae48c4134957a07ca3ce6f3773cc7d515caca9a39b71903a91657fe568e14ca8f26515b2539dcb2dd88202a1cc792c94d

Download Submit
memory/2040-20-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2040-24-0x0000000000370000-0x00000000003D4000-memory.dmp

Filesize
400KB

Download
memory/2040-22-0x00000000003E0000-0x0000000000411000-memory.dmp

Filesize
196KB

Download
memory/2040-28-0x00000000005B0000-0x00000000005DA000-memory.dmp

Filesize
168KB

Download
memory/2040-42-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2040-45-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2924-0-0x0000000000E00000-0x0000000001B85000-memory.dmp

Filesize
13.5MB

Download
memory/2924-17-0x0000000000E00000-0x0000000001B85000-memory.dmp

Filesize
13.5MB

Download
memory/2924-2-0x0000000077550000-0x0000000077551000-memory.dmp

Filesize
4KB

Download
memory/2924-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2924-23-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing