fatalrat | 528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e

General

Target

528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
Size

12.5MB
MD5

67936b36035ec07f0362d7eb6cbde7d4
SHA1

9230af5f1c88607a4db5cd5016b829ab42700c1f
SHA256

528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e
SHA512

f6dc5c24c82d76afd12d71e8a8aee1bf23f990830b7a3868a23b671edf50a9818a739f1542e3b6fe57e91d0454ea2432f7cd5a0b927eb358628c60776ff0d077
SSDEEP

393216:Ylav2Bij4wv1ENiPAetUsFSdVTVEwF71vJYT:ua34RNiYhJVv1vqT

Score

10^/10

fatalrat infostealer rat upx vmprotect

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2956-67-0x00000000002D0000-0x00000000002FA000-memory.dmp	fatalrat

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000900000001448a-58.dat	acprotect
behavioral1/files/0x000900000001448a-57.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2956	Updater.exe

Loads dropped DLL 3 IoCs

pid	Process
2208	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
2956	Updater.exe
2956	Updater.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001448a-58.dat	upx
behavioral1/memory/2956-60-0x0000000010000000-0x000000001008D000-memory.dmp	upx
behavioral1/files/0x000900000001448a-57.dat	upx
behavioral1/memory/2956-81-0x0000000010000000-0x000000001008D000-memory.dmp	upx
behavioral1/memory/2956-84-0x0000000010000000-0x000000001008D000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2208-0-0x0000000000EA0000-0x0000000001B35000-memory.dmp	vmprotect
behavioral1/memory/2208-41-0x0000000000EA0000-0x0000000001B35000-memory.dmp	vmprotect
behavioral1/memory/2208-59-0x0000000000EA0000-0x0000000001B35000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2208	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funshion\HttpFtp.dll	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
File created	C:\Program Files (x86)\Funshion\libcurl.dll	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
File created	C:\Program Files (x86)\Funshion\Updater.exe	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
File created	C:\Program Files (x86)\Funshion\cvsd.xml	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2208	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
2208	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
2208	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
2208	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	Updater.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2208	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
2956	Updater.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2956	2208	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe	28
PID 2208 wrote to memory of 2956	2208	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe	28
PID 2208 wrote to memory of 2956	2208	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe	28
PID 2208 wrote to memory of 2956	2208	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe	28
PID 2208 wrote to memory of 2956	2208	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe	28
PID 2208 wrote to memory of 2956	2208	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe	28
PID 2208 wrote to memory of 2956	2208	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe	28

C:\Users\Admin\AppData\Local\Temp\528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
"C:\Users\Admin\AppData\Local\Temp\528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Program Files (x86)\Funshion\Updater.exe
  "C:\Program Files (x86)\Funshion\Updater.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion\HttpFtp.dll

Filesize
234KB

MD5
49fdb26643239695c5faa0677965a94c

SHA1
308bdcac85a1a61b0e8efccb6603a58c0c68e8ef

SHA256
7b56b12a0e16f2123110222e3884ac44fddf2cb9c780b053d3e29c3468b3a256

SHA512
64fc81965a5e564b2896f01f5419a3644f4b3f251422b0e81ad125f7c3145a9a23df58d7a0dcf8da06963a70f974d223646d7fa0e1e532f46e2d06d721b1e22d

Download Submit
C:\Program Files (x86)\Funshion\Updater.exe

Filesize
3.4MB

MD5
3e70fba5ef28862d49f63ac683859aa6

SHA1
7f74f5e0106d89e5c5e9b8cac71d28afaa790115

SHA256
48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

SHA512
0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

Download Submit
C:\Program Files (x86)\Funshion\libcurl.dll

Filesize
121KB

MD5
d90f53ba4bdf19d1ab57354eb52edaa1

SHA1
9338a9dede3f9c2746f3578eebbe6279899ce9aa

SHA256
e43fb38e152363bd0886fe84a3247db739eb27dd7eec23cbfb1a22f88ad05b20

SHA512
421f02c08c330bbe5fa836d9c75dca57fd35864f42a028c6939e56db4f509f387bf58b79f3fe3b1845f7e0bd7f65c16ac573c6fddd5c6feb7922ba8f658d1028

Download Submit
C:\ProgramData\afd.bin

Filesize
198KB

MD5
c68f04b5648ffe2e351d2f3831d708e5

SHA1
e21871056c7b767bf357a1f5bc399fe7f1248a92

SHA256
e5153b805563b3d00f7a7796d313f60685cc31b3f883fe47887ade617ca076aa

SHA512
8807b38723f37c9b197a0d9f090c00fdd467ceb26ba810767676f16c29d6248a41ac6b41460a6b4972209ca0da5457622ce6b56205d0d27034bc57b6c5069d7d

Download Submit
\Program Files (x86)\Funshion\HttpFtp.dll

Filesize
234KB

MD5
49fdb26643239695c5faa0677965a94c

SHA1
308bdcac85a1a61b0e8efccb6603a58c0c68e8ef

SHA256
7b56b12a0e16f2123110222e3884ac44fddf2cb9c780b053d3e29c3468b3a256

SHA512
64fc81965a5e564b2896f01f5419a3644f4b3f251422b0e81ad125f7c3145a9a23df58d7a0dcf8da06963a70f974d223646d7fa0e1e532f46e2d06d721b1e22d

Download Submit
\Program Files (x86)\Funshion\Updater.exe

Filesize
3.4MB

MD5
3e70fba5ef28862d49f63ac683859aa6

SHA1
7f74f5e0106d89e5c5e9b8cac71d28afaa790115

SHA256
48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

SHA512
0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

Download Submit
\Program Files (x86)\Funshion\libcurl.dll

Filesize
121KB

MD5
d90f53ba4bdf19d1ab57354eb52edaa1

SHA1
9338a9dede3f9c2746f3578eebbe6279899ce9aa

SHA256
e43fb38e152363bd0886fe84a3247db739eb27dd7eec23cbfb1a22f88ad05b20

SHA512
421f02c08c330bbe5fa836d9c75dca57fd35864f42a028c6939e56db4f509f387bf58b79f3fe3b1845f7e0bd7f65c16ac573c6fddd5c6feb7922ba8f658d1028

Download Submit
memory/2208-36-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2208-42-0x0000000077810000-0x0000000077811000-memory.dmp

Filesize
4KB

Download
memory/2208-30-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2208-23-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2208-20-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2208-18-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2208-15-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2208-13-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2208-31-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2208-33-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2208-35-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2208-0-0x0000000000EA0000-0x0000000001B35000-memory.dmp

Filesize
12.6MB

Download
memory/2208-38-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2208-40-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2208-41-0x0000000000EA0000-0x0000000001B35000-memory.dmp

Filesize
12.6MB

Download
memory/2208-25-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2208-28-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2208-10-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2208-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2208-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2208-3-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2208-6-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2208-5-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2208-59-0x0000000000EA0000-0x0000000001B35000-memory.dmp

Filesize
12.6MB

Download
memory/2956-60-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2956-63-0x00000000009E0000-0x0000000000A8E000-memory.dmp

Filesize
696KB

Download
memory/2956-62-0x00000000001C0000-0x00000000001F1000-memory.dmp

Filesize
196KB

Download
memory/2956-67-0x00000000002D0000-0x00000000002FA000-memory.dmp

Filesize
168KB

Download
memory/2956-81-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2956-84-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing