fatalrat | ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231201-en
resource tags

arch:x64arch:x86image:win10v2004-20231201-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2023 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
Size

10.0MB
MD5

73035d421b0a5db8728c28888ad73593
SHA1

5b3279de1d7991d93e07f1efde31d5b0872114b0
SHA256

ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53
SHA512

3f28920e9d6458dd0d3b7ad9bd30b5199e1d61c735563c0b1bf52cf4b8c5e473e5b7a938fa1244d98bb3704bb9ea32bc14e6bce406f810e8ed4a5c4314da1246
SSDEEP

196608:DrudeaplDyMSWKFPQwRX/taBdeTDClnHdcUQiBQ+rEKRquFYj+Ibho7:Dxaple9Fr5tp/Cl9/xFrt5FYj+G

Score

10^/10

fatalrat evasion infostealer rat themida trojan upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/3348-43-0x0000000002E10000-0x0000000002E3A000-memory.dmp	fatalrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Updater.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000231f1-27.dat	acprotect
behavioral2/files/0x00070000000231f1-29.dat	acprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Updater.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe

Executes dropped EXE 1 IoCs

pid	Process
3348	Updater.exe

Loads dropped DLL 2 IoCs

pid	Process
3348	Updater.exe
3348	Updater.exe

Themida packer 19 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/1916-0-0x0000000000120000-0x00000000010BE000-memory.dmp	themida
behavioral2/memory/1916-2-0x0000000000120000-0x00000000010BE000-memory.dmp	themida
behavioral2/memory/1916-3-0x0000000000120000-0x00000000010BE000-memory.dmp	themida
behavioral2/memory/1916-4-0x0000000000120000-0x00000000010BE000-memory.dmp	themida
behavioral2/memory/1916-5-0x0000000000120000-0x00000000010BE000-memory.dmp	themida
behavioral2/memory/1916-6-0x0000000000120000-0x00000000010BE000-memory.dmp	themida
behavioral2/memory/1916-7-0x0000000000120000-0x00000000010BE000-memory.dmp	themida
behavioral2/memory/1916-8-0x0000000000120000-0x00000000010BE000-memory.dmp	themida
behavioral2/memory/1916-28-0x0000000000120000-0x00000000010BE000-memory.dmp	themida
behavioral2/files/0x00060000000231f2-30.dat	themida
behavioral2/memory/3348-32-0x00000000725B0000-0x0000000072FE8000-memory.dmp	themida
behavioral2/memory/3348-34-0x00000000725B0000-0x0000000072FE8000-memory.dmp	themida
behavioral2/memory/3348-33-0x00000000725B0000-0x0000000072FE8000-memory.dmp	themida
behavioral2/memory/3348-35-0x00000000725B0000-0x0000000072FE8000-memory.dmp	themida
behavioral2/files/0x00060000000231f2-26.dat	themida
behavioral2/memory/3348-36-0x00000000725B0000-0x0000000072FE8000-memory.dmp	themida
behavioral2/memory/3348-49-0x00000000725B0000-0x0000000072FE8000-memory.dmp	themida
behavioral2/memory/3348-53-0x00000000725B0000-0x0000000072FE8000-memory.dmp	themida
behavioral2/memory/3348-75-0x00000000725B0000-0x0000000072FE8000-memory.dmp	themida

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000231f1-27.dat	upx
behavioral2/memory/3348-31-0x0000000010000000-0x000000001008D000-memory.dmp	upx
behavioral2/files/0x00070000000231f1-29.dat	upx
behavioral2/memory/3348-48-0x0000000010000000-0x000000001008D000-memory.dmp	upx
behavioral2/memory/3348-74-0x0000000010000000-0x000000001008D000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Updater.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1916	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
3348	Updater.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funshion\cvsd.xml	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
File created	C:\Program Files (x86)\Funshion\HttpFtp.dll	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
File created	C:\Program Files (x86)\Funshion\libcurl.dll	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
File created	C:\Program Files (x86)\Funshion\Updater.exe	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1916	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
1916	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
1916	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
1916	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
1916	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
1916	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
3348	Updater.exe
3348	Updater.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3348	Updater.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1916	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
3348	Updater.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 3348	1916	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe	89
PID 1916 wrote to memory of 3348	1916	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe	89
PID 1916 wrote to memory of 3348	1916	ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe	89

C:\Users\Admin\AppData\Local\Temp\ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe
"C:\Users\Admin\AppData\Local\Temp\ee1f34934049869dd608a6f1bea4aa5e0d27af7d197c96a21df301b60af64f53.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Program Files (x86)\Funshion\Updater.exe
  "C:\Program Files (x86)\Funshion\Updater.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion\HttpFtp.dll

Filesize
234KB

MD5
49fdb26643239695c5faa0677965a94c

SHA1
308bdcac85a1a61b0e8efccb6603a58c0c68e8ef

SHA256
7b56b12a0e16f2123110222e3884ac44fddf2cb9c780b053d3e29c3468b3a256

SHA512
64fc81965a5e564b2896f01f5419a3644f4b3f251422b0e81ad125f7c3145a9a23df58d7a0dcf8da06963a70f974d223646d7fa0e1e532f46e2d06d721b1e22d

Download Submit
C:\Program Files (x86)\Funshion\HttpFtp.dll

Filesize
234KB

MD5
49fdb26643239695c5faa0677965a94c

SHA1
308bdcac85a1a61b0e8efccb6603a58c0c68e8ef

SHA256
7b56b12a0e16f2123110222e3884ac44fddf2cb9c780b053d3e29c3468b3a256

SHA512
64fc81965a5e564b2896f01f5419a3644f4b3f251422b0e81ad125f7c3145a9a23df58d7a0dcf8da06963a70f974d223646d7fa0e1e532f46e2d06d721b1e22d

Download Submit
C:\Program Files (x86)\Funshion\Updater.exe

Filesize
3.4MB

MD5
3e70fba5ef28862d49f63ac683859aa6

SHA1
7f74f5e0106d89e5c5e9b8cac71d28afaa790115

SHA256
48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

SHA512
0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

Download Submit
C:\Program Files (x86)\Funshion\Updater.exe

Filesize
3.4MB

MD5
3e70fba5ef28862d49f63ac683859aa6

SHA1
7f74f5e0106d89e5c5e9b8cac71d28afaa790115

SHA256
48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

SHA512
0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

Download Submit
C:\Program Files (x86)\Funshion\Updater.exe

Filesize
3.4MB

MD5
3e70fba5ef28862d49f63ac683859aa6

SHA1
7f74f5e0106d89e5c5e9b8cac71d28afaa790115

SHA256
48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

SHA512
0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

Download Submit
C:\Program Files (x86)\Funshion\libcurl.dll

Filesize
4.1MB

MD5
92f6caf3d0638a6d704f3eacbecb1a22

SHA1
90f0127e5fcce30d5466f469327f55f1810d330f

SHA256
c570ec6625dc1d230df9f71176504477e49a37295e686c18272dcaa4d27abaa8

SHA512
338da2ea8463b83248a5f818e77819506aeb6f10218395f6db73713c79bc8a316d17f4531eb196b98fe70a286ee10da14826816617a6bfcd1eea1a3364ef6e5c

Download Submit
C:\Program Files (x86)\Funshion\libcurl.dll

Filesize
4.1MB

MD5
92f6caf3d0638a6d704f3eacbecb1a22

SHA1
90f0127e5fcce30d5466f469327f55f1810d330f

SHA256
c570ec6625dc1d230df9f71176504477e49a37295e686c18272dcaa4d27abaa8

SHA512
338da2ea8463b83248a5f818e77819506aeb6f10218395f6db73713c79bc8a316d17f4531eb196b98fe70a286ee10da14826816617a6bfcd1eea1a3364ef6e5c

Download Submit
C:\ProgramData\afd.bin

Filesize
198KB

MD5
0a3e7298368aad0d573436d1ba82edd0

SHA1
f1ba74aa2e5ec4350c59377bbc459d023d3b66c5

SHA256
b889501c0ea0be389ddb310e2cd8de1d54397ed609c02247426bdf12e487229a

SHA512
b0fae7327216cc49d2ec09d0d164ca9cdcd24dadb6c98358a5b5eecb7b60e3966554880535ba63cc1b7f26dfd1b4410dcc7a0cba2b64890c4fe7567dce652bbf

Download Submit
memory/1916-8-0x0000000000120000-0x00000000010BE000-memory.dmp

Filesize
15.6MB

Download
memory/1916-7-0x0000000000120000-0x00000000010BE000-memory.dmp

Filesize
15.6MB

Download
memory/1916-6-0x0000000000120000-0x00000000010BE000-memory.dmp

Filesize
15.6MB

Download
memory/1916-5-0x0000000000120000-0x00000000010BE000-memory.dmp

Filesize
15.6MB

Download
memory/1916-28-0x0000000000120000-0x00000000010BE000-memory.dmp

Filesize
15.6MB

Download
memory/1916-4-0x0000000000120000-0x00000000010BE000-memory.dmp

Filesize
15.6MB

Download
memory/1916-3-0x0000000000120000-0x00000000010BE000-memory.dmp

Filesize
15.6MB

Download
memory/1916-2-0x0000000000120000-0x00000000010BE000-memory.dmp

Filesize
15.6MB

Download
memory/1916-0-0x0000000000120000-0x00000000010BE000-memory.dmp

Filesize
15.6MB

Download
memory/1916-1-0x0000000076F04000-0x0000000076F06000-memory.dmp

Filesize
8KB

Download
memory/3348-33-0x00000000725B0000-0x0000000072FE8000-memory.dmp

Filesize
10.2MB

Download
memory/3348-35-0x00000000725B0000-0x0000000072FE8000-memory.dmp

Filesize
10.2MB

Download
memory/3348-36-0x00000000725B0000-0x0000000072FE8000-memory.dmp

Filesize
10.2MB

Download
memory/3348-34-0x00000000725B0000-0x0000000072FE8000-memory.dmp

Filesize
10.2MB

Download
memory/3348-32-0x00000000725B0000-0x0000000072FE8000-memory.dmp

Filesize
10.2MB

Download
memory/3348-38-0x0000000002900000-0x0000000002931000-memory.dmp

Filesize
196KB

Download
memory/3348-43-0x0000000002E10000-0x0000000002E3A000-memory.dmp

Filesize
168KB

Download
memory/3348-42-0x0000000002E80000-0x0000000002F2E000-memory.dmp

Filesize
696KB

Download
memory/3348-31-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/3348-48-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/3348-49-0x00000000725B0000-0x0000000072FE8000-memory.dmp

Filesize
10.2MB

Download
memory/3348-53-0x00000000725B0000-0x0000000072FE8000-memory.dmp

Filesize
10.2MB

Download
memory/3348-74-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/3348-75-0x00000000725B0000-0x0000000072FE8000-memory.dmp

Filesize
10.2MB

Download