fatalrat | 709956e92a73b796c223db19ce910449f2f1a7067bfb0d4ac2b9563ca63c287b

General

Target

709956e92a73b796c223db19ce910449f2f1a7067bfb0d4ac2b9563ca63c287b.exe
Size

3.6MB
MD5

2a874105f09f91663d087bde2c0676a7
SHA1

bcec5c048f4cfde187c515027186aa05804bab57
SHA256

709956e92a73b796c223db19ce910449f2f1a7067bfb0d4ac2b9563ca63c287b
SHA512

9f7f80dce069d5445ab4ad40c864c22844310de16265226a58f297f4ecdf2e69b62a544a8ed0c050b2add6a6798b6ebb9f0db2efaacaf055d7922629bba8b1cc
SSDEEP

49152:vS2XlIwMHmFvbm2alfxOLWLrev6H8aa01YORhHq3HeMP:62XlIw5C2alJFjfzHIHl

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/1888-20-0x0000000000270000-0x000000000029A000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
1888	Pepper.exe

Loads dropped DLL 2 IoCs

pid	Process
2188	709956e92a73b796c223db19ce910449f2f1a7067bfb0d4ac2b9563ca63c287b.exe
1888	Pepper.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funshion\cvsd.xml	709956e92a73b796c223db19ce910449f2f1a7067bfb0d4ac2b9563ca63c287b.exe
File created	C:\Program Files (x86)\Funshion\Pepper.exe	709956e92a73b796c223db19ce910449f2f1a7067bfb0d4ac2b9563ca63c287b.exe
File created	C:\Program Files (x86)\Funshion\libcef.dll	709956e92a73b796c223db19ce910449f2f1a7067bfb0d4ac2b9563ca63c287b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2188	709956e92a73b796c223db19ce910449f2f1a7067bfb0d4ac2b9563ca63c287b.exe
2188	709956e92a73b796c223db19ce910449f2f1a7067bfb0d4ac2b9563ca63c287b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	Pepper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2188	709956e92a73b796c223db19ce910449f2f1a7067bfb0d4ac2b9563ca63c287b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1888	2188	709956e92a73b796c223db19ce910449f2f1a7067bfb0d4ac2b9563ca63c287b.exe	28
PID 2188 wrote to memory of 1888	2188	709956e92a73b796c223db19ce910449f2f1a7067bfb0d4ac2b9563ca63c287b.exe	28
PID 2188 wrote to memory of 1888	2188	709956e92a73b796c223db19ce910449f2f1a7067bfb0d4ac2b9563ca63c287b.exe	28
PID 2188 wrote to memory of 1888	2188	709956e92a73b796c223db19ce910449f2f1a7067bfb0d4ac2b9563ca63c287b.exe	28

C:\Users\Admin\AppData\Local\Temp\709956e92a73b796c223db19ce910449f2f1a7067bfb0d4ac2b9563ca63c287b.exe
"C:\Users\Admin\AppData\Local\Temp\709956e92a73b796c223db19ce910449f2f1a7067bfb0d4ac2b9563ca63c287b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Program Files (x86)\Funshion\Pepper.exe
  "C:\Program Files (x86)\Funshion\Pepper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion\Pepper.exe

Filesize
418KB

MD5
c174034e771afebd7272e5820afe013f

SHA1
85f73a76f9897786a32aad1ebefa4aaabf9d4c78

SHA256
c42da2f6d8a4842918017c292c1071d72d898f5fbf3510cf5f98800c7fcb08f0

SHA512
b43ac1cd1f455d5bc447738304d02642e118de3ed800da4ac44b4bc00fbb6c8118632cad4d079a870256c34195c649fcf1112ef1f97f479c98aca265e8219d5d

Download Submit
C:\Program Files (x86)\Funshion\libcef.dll

Filesize
100KB

MD5
8a675f90a3af0c8be0851d193caebec3

SHA1
114c4a2929fe567999fe0b6e7e0abab9d1929019

SHA256
892f8aa9fb0c0d2d0375ce923ecf62f6596022fd1a6d1970413998aa46500631

SHA512
42349359b592d2e40b390adef8769ce005eb9989f17d45dd7e70a206c0df8e5b13b3da8cd66eb9016d6953fbeadee96db033839c45ccdf06f9e5434f358a2540

Download Submit
C:\ProgramData\afd.bin

Filesize
198KB

MD5
f618881abb247efacf40058de8ed591d

SHA1
4e3ccd93688b0bd747cffd1a0d02213b4e89573c

SHA256
618505c71052ffbbfa4efc3b1eb79358bd244b4c3670ff6625a57d989950d3da

SHA512
86f58f8577e8bf576cdc7b480ae5cb2741a175b03657bdec88587f90fda7cc5cf76fe3dae40fa1ad096c0922df3b4d6b01f1cba0cfd9ee3970554b03ed338cf0

Download Submit
\Program Files (x86)\Funshion\Pepper.exe

Filesize
418KB

MD5
c174034e771afebd7272e5820afe013f

SHA1
85f73a76f9897786a32aad1ebefa4aaabf9d4c78

SHA256
c42da2f6d8a4842918017c292c1071d72d898f5fbf3510cf5f98800c7fcb08f0

SHA512
b43ac1cd1f455d5bc447738304d02642e118de3ed800da4ac44b4bc00fbb6c8118632cad4d079a870256c34195c649fcf1112ef1f97f479c98aca265e8219d5d

Download Submit
\Program Files (x86)\Funshion\libcef.dll

Filesize
100KB

MD5
8a675f90a3af0c8be0851d193caebec3

SHA1
114c4a2929fe567999fe0b6e7e0abab9d1929019

SHA256
892f8aa9fb0c0d2d0375ce923ecf62f6596022fd1a6d1970413998aa46500631

SHA512
42349359b592d2e40b390adef8769ce005eb9989f17d45dd7e70a206c0df8e5b13b3da8cd66eb9016d6953fbeadee96db033839c45ccdf06f9e5434f358a2540

Download Submit
memory/1888-14-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/1888-20-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1888-19-0x00000000001A0000-0x0000000000204000-memory.dmp

Filesize
400KB

Download
memory/1888-18-0x0000000077250000-0x0000000077360000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing