fatalrat | ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
05-12-2023 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
Size

10.0MB
MD5

73035d421b0a5db8728c28888ad73593
SHA1

5b3279de1d7991d93e07f1efde31d5b0872114b0
SHA256

ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53
SHA512

3f28920e9d6458dd0d3b7ad9bd30b5199e1d61c735563c0b1bf52cf4b8c5e473e5b7a938fa1244d98bb3704bb9ea32bc14e6bce406f810e8ed4a5c4314da1246
SSDEEP

196608:DrudeaplDyMSWKFPQwRX/taBdeTDClnHdcUQiBQ+rEKRquFYj+Ibho7:Dxaple9Fr5tp/Cl9/xFrt5FYj+G

Score

10^/10

fatalrat evasion infostealer rat themida trojan upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2752-38-0x0000000000580000-0x00000000005AA000-memory.dmp	fatalrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000016c24-25.dat	acprotect
behavioral1/files/0x0007000000016c24-26.dat	acprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Updater.exe

Executes dropped EXE 1 IoCs

pid	Process
2752	Updater.exe

Loads dropped DLL 3 IoCs

pid	Process
2584	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
2752	Updater.exe
2752	Updater.exe

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2584-0-0x00000000009F0000-0x000000000198E000-memory.dmp	themida
behavioral1/memory/2584-2-0x00000000009F0000-0x000000000198E000-memory.dmp	themida
behavioral1/memory/2584-3-0x00000000009F0000-0x000000000198E000-memory.dmp	themida
behavioral1/memory/2584-4-0x00000000009F0000-0x000000000198E000-memory.dmp	themida
behavioral1/memory/2584-5-0x00000000009F0000-0x000000000198E000-memory.dmp	themida
behavioral1/memory/2584-6-0x00000000009F0000-0x000000000198E000-memory.dmp	themida
behavioral1/memory/2584-7-0x00000000009F0000-0x000000000198E000-memory.dmp	themida
behavioral1/memory/2584-8-0x00000000009F0000-0x000000000198E000-memory.dmp	themida
behavioral1/files/0x0007000000016c2e-21.dat	themida
behavioral1/memory/2584-22-0x00000000009F0000-0x000000000198E000-memory.dmp	themida
behavioral1/files/0x0007000000016c2e-23.dat	themida
behavioral1/memory/2752-24-0x0000000073550000-0x0000000073F88000-memory.dmp	themida
behavioral1/memory/2752-28-0x0000000073550000-0x0000000073F88000-memory.dmp	themida
behavioral1/memory/2752-29-0x0000000073550000-0x0000000073F88000-memory.dmp	themida
behavioral1/memory/2752-30-0x0000000073550000-0x0000000073F88000-memory.dmp	themida
behavioral1/memory/2752-31-0x0000000073550000-0x0000000073F88000-memory.dmp	themida
behavioral1/memory/2752-44-0x0000000073550000-0x0000000073F88000-memory.dmp	themida
behavioral1/memory/2752-50-0x0000000073550000-0x0000000073F88000-memory.dmp	themida
behavioral1/memory/2752-64-0x0000000073550000-0x0000000073F88000-memory.dmp	themida
behavioral1/memory/2752-70-0x0000000073550000-0x0000000073F88000-memory.dmp	themida

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016c24-25.dat	upx
behavioral1/files/0x0007000000016c24-26.dat	upx
behavioral1/memory/2752-27-0x0000000010000000-0x000000001008D000-memory.dmp	upx
behavioral1/memory/2752-45-0x0000000010000000-0x000000001008D000-memory.dmp	upx
behavioral1/memory/2752-65-0x0000000010000000-0x000000001008D000-memory.dmp	upx
behavioral1/memory/2752-71-0x0000000010000000-0x000000001008D000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Updater.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2584	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
2752	Updater.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funshion\cvsd.xml	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
File created	C:\Program Files (x86)\Funshion\HttpFtp.dll	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
File created	C:\Program Files (x86)\Funshion\libcurl.dll	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
File created	C:\Program Files (x86)\Funshion\Updater.exe	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Updater.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
2584	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
2584	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
2584	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe
2752	Updater.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	Updater.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2584	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
2752	Updater.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2752	2584	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe	28
PID 2584 wrote to memory of 2752	2584	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe	28
PID 2584 wrote to memory of 2752	2584	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe	28
PID 2584 wrote to memory of 2752	2584	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe	28
PID 2584 wrote to memory of 2752	2584	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe	28
PID 2584 wrote to memory of 2752	2584	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe	28
PID 2584 wrote to memory of 2752	2584	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe	28

C:\Users\Admin\AppData\Local\Temp\ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
"C:\Users\Admin\AppData\Local\Temp\ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Program Files (x86)\Funshion\Updater.exe
  "C:\Program Files (x86)\Funshion\Updater.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion\HttpFtp.dll

Filesize
234KB

MD5
49fdb26643239695c5faa0677965a94c

SHA1
308bdcac85a1a61b0e8efccb6603a58c0c68e8ef

SHA256
7b56b12a0e16f2123110222e3884ac44fddf2cb9c780b053d3e29c3468b3a256

SHA512
64fc81965a5e564b2896f01f5419a3644f4b3f251422b0e81ad125f7c3145a9a23df58d7a0dcf8da06963a70f974d223646d7fa0e1e532f46e2d06d721b1e22d

Download Submit
C:\Program Files (x86)\Funshion\Updater.exe

Filesize
3.4MB

MD5
3e70fba5ef28862d49f63ac683859aa6

SHA1
7f74f5e0106d89e5c5e9b8cac71d28afaa790115

SHA256
48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

SHA512
0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

Download Submit
C:\Program Files (x86)\Funshion\Updater.exe

Filesize
3.4MB

MD5
3e70fba5ef28862d49f63ac683859aa6

SHA1
7f74f5e0106d89e5c5e9b8cac71d28afaa790115

SHA256
48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

SHA512
0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

Download Submit
C:\Program Files (x86)\Funshion\libcurl.dll

Filesize
4.1MB

MD5
92f6caf3d0638a6d704f3eacbecb1a22

SHA1
90f0127e5fcce30d5466f469327f55f1810d330f

SHA256
c570ec6625dc1d230df9f71176504477e49a37295e686c18272dcaa4d27abaa8

SHA512
338da2ea8463b83248a5f818e77819506aeb6f10218395f6db73713c79bc8a316d17f4531eb196b98fe70a286ee10da14826816617a6bfcd1eea1a3364ef6e5c

Download Submit
C:\ProgramData\afd.bin

Filesize
198KB

MD5
0a3e7298368aad0d573436d1ba82edd0

SHA1
f1ba74aa2e5ec4350c59377bbc459d023d3b66c5

SHA256
b889501c0ea0be389ddb310e2cd8de1d54397ed609c02247426bdf12e487229a

SHA512
b0fae7327216cc49d2ec09d0d164ca9cdcd24dadb6c98358a5b5eecb7b60e3966554880535ba63cc1b7f26dfd1b4410dcc7a0cba2b64890c4fe7567dce652bbf

Download Submit
\Program Files (x86)\Funshion\HttpFtp.dll

Filesize
234KB

MD5
49fdb26643239695c5faa0677965a94c

SHA1
308bdcac85a1a61b0e8efccb6603a58c0c68e8ef

SHA256
7b56b12a0e16f2123110222e3884ac44fddf2cb9c780b053d3e29c3468b3a256

SHA512
64fc81965a5e564b2896f01f5419a3644f4b3f251422b0e81ad125f7c3145a9a23df58d7a0dcf8da06963a70f974d223646d7fa0e1e532f46e2d06d721b1e22d

Download Submit
\Program Files (x86)\Funshion\Updater.exe

Filesize
3.4MB

MD5
3e70fba5ef28862d49f63ac683859aa6

SHA1
7f74f5e0106d89e5c5e9b8cac71d28afaa790115

SHA256
48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

SHA512
0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

Download Submit
\Program Files (x86)\Funshion\libcurl.dll

Filesize
4.1MB

MD5
92f6caf3d0638a6d704f3eacbecb1a22

SHA1
90f0127e5fcce30d5466f469327f55f1810d330f

SHA256
c570ec6625dc1d230df9f71176504477e49a37295e686c18272dcaa4d27abaa8

SHA512
338da2ea8463b83248a5f818e77819506aeb6f10218395f6db73713c79bc8a316d17f4531eb196b98fe70a286ee10da14826816617a6bfcd1eea1a3364ef6e5c

Download Submit
memory/2584-6-0x00000000009F0000-0x000000000198E000-memory.dmp

Filesize
15.6MB

Download
memory/2584-7-0x00000000009F0000-0x000000000198E000-memory.dmp

Filesize
15.6MB

Download
memory/2584-8-0x00000000009F0000-0x000000000198E000-memory.dmp

Filesize
15.6MB

Download
memory/2584-5-0x00000000009F0000-0x000000000198E000-memory.dmp

Filesize
15.6MB

Download
memory/2584-4-0x00000000009F0000-0x000000000198E000-memory.dmp

Filesize
15.6MB

Download
memory/2584-22-0x00000000009F0000-0x000000000198E000-memory.dmp

Filesize
15.6MB

Download
memory/2584-1-0x0000000076EC0000-0x0000000076EC2000-memory.dmp

Filesize
8KB

Download
memory/2584-3-0x00000000009F0000-0x000000000198E000-memory.dmp

Filesize
15.6MB

Download
memory/2584-0-0x00000000009F0000-0x000000000198E000-memory.dmp

Filesize
15.6MB

Download
memory/2584-2-0x00000000009F0000-0x000000000198E000-memory.dmp

Filesize
15.6MB

Download
memory/2752-30-0x0000000073550000-0x0000000073F88000-memory.dmp

Filesize
10.2MB

Download
memory/2752-38-0x0000000000580000-0x00000000005AA000-memory.dmp

Filesize
168KB

Download
memory/2752-28-0x0000000073550000-0x0000000073F88000-memory.dmp

Filesize
10.2MB

Download
memory/2752-31-0x0000000073550000-0x0000000073F88000-memory.dmp

Filesize
10.2MB

Download
memory/2752-33-0x00000000004D0000-0x0000000000501000-memory.dmp

Filesize
196KB

Download
memory/2752-34-0x0000000002640000-0x00000000026EE000-memory.dmp

Filesize
696KB

Download
memory/2752-27-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2752-29-0x0000000073550000-0x0000000073F88000-memory.dmp

Filesize
10.2MB

Download
memory/2752-24-0x0000000073550000-0x0000000073F88000-memory.dmp

Filesize
10.2MB

Download
memory/2752-44-0x0000000073550000-0x0000000073F88000-memory.dmp

Filesize
10.2MB

Download
memory/2752-45-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2752-50-0x0000000073550000-0x0000000073F88000-memory.dmp

Filesize
10.2MB

Download
memory/2752-64-0x0000000073550000-0x0000000073F88000-memory.dmp

Filesize
10.2MB

Download
memory/2752-65-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2752-70-0x0000000073550000-0x0000000073F88000-memory.dmp

Filesize
10.2MB

Download
memory/2752-71-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download