Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-12-2023 17:43

General

  • Target

    ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe

  • Size

    5.5MB

  • MD5

    d414027b4174b50f1b66b4591414673e

  • SHA1

    633efc9e4ee12c0eae5431b434adcf410731950b

  • SHA256

    ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a

  • SHA512

    581333ed6ca5e13c7e21ffc51422fdf5cd34592c9c3d91ef5241cdd1ccdd1cf8ca455762f3688d4faa4adff246b219ae1cc24f1098909b78f59fd7c72be42218

  • SSDEEP

    98304:YclLQZyVp1vSIpvrU38WSJWN5orrj6/GGQGSZ2P4SNuF2Fo0i+M7xdI:V1BnU38WNibGSYP4w0RxX7xdI

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

  • Fatal Rat payload 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe
    "C:\Users\Admin\AppData\Local\Temp\ec945f2d6b7a41cd6f9ed4b370f8a0bc595db3cfd8abfeb9edc06aa88b67729a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Program Files (x86)\Funshion\Updater.exe
      "C:\Program Files (x86)\Funshion\Updater.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Funshion\HttpFtp.dll

    Filesize

    234KB

    MD5

    49fdb26643239695c5faa0677965a94c

    SHA1

    308bdcac85a1a61b0e8efccb6603a58c0c68e8ef

    SHA256

    7b56b12a0e16f2123110222e3884ac44fddf2cb9c780b053d3e29c3468b3a256

    SHA512

    64fc81965a5e564b2896f01f5419a3644f4b3f251422b0e81ad125f7c3145a9a23df58d7a0dcf8da06963a70f974d223646d7fa0e1e532f46e2d06d721b1e22d

  • C:\Program Files (x86)\Funshion\Updater.exe

    Filesize

    3.4MB

    MD5

    3e70fba5ef28862d49f63ac683859aa6

    SHA1

    7f74f5e0106d89e5c5e9b8cac71d28afaa790115

    SHA256

    48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

    SHA512

    0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

  • C:\Program Files (x86)\Funshion\libcurl.dll

    Filesize

    181KB

    MD5

    aad80396201a6e9ce14d806f5ba1f507

    SHA1

    abc52c284ef9727d99ef596114b03cdce8a0fc38

    SHA256

    b66225b2e4fd0f445518a3a21469da2af0a3fb95b42cf386a1f6b09a0c4ccc6e

    SHA512

    b491723224790464187b9a5facfaf69ae48c4134957a07ca3ce6f3773cc7d515caca9a39b71903a91657fe568e14ca8f26515b2539dcb2dd88202a1cc792c94d

  • C:\ProgramData\afd.bin

    Filesize

    198KB

    MD5

    c68f04b5648ffe2e351d2f3831d708e5

    SHA1

    e21871056c7b767bf357a1f5bc399fe7f1248a92

    SHA256

    e5153b805563b3d00f7a7796d313f60685cc31b3f883fe47887ade617ca076aa

    SHA512

    8807b38723f37c9b197a0d9f090c00fdd467ceb26ba810767676f16c29d6248a41ac6b41460a6b4972209ca0da5457622ce6b56205d0d27034bc57b6c5069d7d

  • \Program Files (x86)\Funshion\HttpFtp.dll

    Filesize

    234KB

    MD5

    49fdb26643239695c5faa0677965a94c

    SHA1

    308bdcac85a1a61b0e8efccb6603a58c0c68e8ef

    SHA256

    7b56b12a0e16f2123110222e3884ac44fddf2cb9c780b053d3e29c3468b3a256

    SHA512

    64fc81965a5e564b2896f01f5419a3644f4b3f251422b0e81ad125f7c3145a9a23df58d7a0dcf8da06963a70f974d223646d7fa0e1e532f46e2d06d721b1e22d

  • \Program Files (x86)\Funshion\Updater.exe

    Filesize

    3.4MB

    MD5

    3e70fba5ef28862d49f63ac683859aa6

    SHA1

    7f74f5e0106d89e5c5e9b8cac71d28afaa790115

    SHA256

    48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

    SHA512

    0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

  • \Program Files (x86)\Funshion\libcurl.dll

    Filesize

    181KB

    MD5

    aad80396201a6e9ce14d806f5ba1f507

    SHA1

    abc52c284ef9727d99ef596114b03cdce8a0fc38

    SHA256

    b66225b2e4fd0f445518a3a21469da2af0a3fb95b42cf386a1f6b09a0c4ccc6e

    SHA512

    b491723224790464187b9a5facfaf69ae48c4134957a07ca3ce6f3773cc7d515caca9a39b71903a91657fe568e14ca8f26515b2539dcb2dd88202a1cc792c94d

  • memory/1348-16-0x00000000001D0000-0x0000000000F55000-memory.dmp

    Filesize

    13.5MB

  • memory/1348-21-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

  • memory/1348-0-0x00000000001D0000-0x0000000000F55000-memory.dmp

    Filesize

    13.5MB

  • memory/1348-2-0x00000000778C0000-0x00000000778C1000-memory.dmp

    Filesize

    4KB

  • memory/1348-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

  • memory/3008-24-0x00000000002D0000-0x0000000000334000-memory.dmp

    Filesize

    400KB

  • memory/3008-23-0x0000000000210000-0x0000000000241000-memory.dmp

    Filesize

    196KB

  • memory/3008-20-0x0000000010000000-0x000000001008D000-memory.dmp

    Filesize

    564KB

  • memory/3008-28-0x0000000000340000-0x000000000036A000-memory.dmp

    Filesize

    168KB

  • memory/3008-43-0x0000000010000000-0x000000001008D000-memory.dmp

    Filesize

    564KB

  • memory/3008-46-0x0000000010000000-0x000000001008D000-memory.dmp

    Filesize

    564KB