fatalrat | 528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e

General

Target

528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
Size

12.5MB
MD5

67936b36035ec07f0362d7eb6cbde7d4
SHA1

9230af5f1c88607a4db5cd5016b829ab42700c1f
SHA256

528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e
SHA512

f6dc5c24c82d76afd12d71e8a8aee1bf23f990830b7a3868a23b671edf50a9818a739f1542e3b6fe57e91d0454ea2432f7cd5a0b927eb358628c60776ff0d077
SSDEEP

393216:Ylav2Bij4wv1ENiPAetUsFSdVTVEwF71vJYT:ua34RNiYhJVv1vqT

Score

10^/10

fatalrat infostealer rat upx vmprotect

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/3948-39-0x0000000002CE0000-0x0000000002D0A000-memory.dmp	fatalrat

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00080000000231e9-29.dat	acprotect
behavioral2/files/0x00080000000231e9-30.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe

Executes dropped EXE 1 IoCs

pid	Process
3948	Updater.exe

Loads dropped DLL 2 IoCs

pid	Process
3948	Updater.exe
3948	Updater.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000231e9-29.dat	upx
behavioral2/files/0x00080000000231e9-30.dat	upx
behavioral2/memory/3948-31-0x0000000010000000-0x000000001008D000-memory.dmp	upx
behavioral2/memory/3948-44-0x0000000010000000-0x000000001008D000-memory.dmp	upx
behavioral2/memory/3948-57-0x0000000010000000-0x000000001008D000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/5012-0-0x0000000000510000-0x00000000011A5000-memory.dmp	vmprotect
behavioral2/memory/5012-9-0x0000000000510000-0x00000000011A5000-memory.dmp	vmprotect
behavioral2/memory/5012-32-0x0000000000510000-0x00000000011A5000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5012	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funshion\cvsd.xml	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
File created	C:\Program Files (x86)\Funshion\HttpFtp.dll	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
File created	C:\Program Files (x86)\Funshion\libcurl.dll	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
File created	C:\Program Files (x86)\Funshion\Updater.exe	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5012	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
5012	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
5012	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
5012	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
5012	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
5012	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
5012	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
5012	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3948	Updater.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5012	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
3948	Updater.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 3948	5012	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe	91
PID 5012 wrote to memory of 3948	5012	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe	91
PID 5012 wrote to memory of 3948	5012	528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe	91

C:\Users\Admin\AppData\Local\Temp\528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe
"C:\Users\Admin\AppData\Local\Temp\528a351fceffb986a5cde9cfb1e2b57eeb5a103b316b9d1ddfdcad21687d6d9e.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Program Files (x86)\Funshion\Updater.exe
  "C:\Program Files (x86)\Funshion\Updater.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion\HttpFtp.dll

Filesize
234KB

MD5
49fdb26643239695c5faa0677965a94c

SHA1
308bdcac85a1a61b0e8efccb6603a58c0c68e8ef

SHA256
7b56b12a0e16f2123110222e3884ac44fddf2cb9c780b053d3e29c3468b3a256

SHA512
64fc81965a5e564b2896f01f5419a3644f4b3f251422b0e81ad125f7c3145a9a23df58d7a0dcf8da06963a70f974d223646d7fa0e1e532f46e2d06d721b1e22d

Download Submit
C:\Program Files (x86)\Funshion\HttpFtp.dll

Filesize
234KB

MD5
49fdb26643239695c5faa0677965a94c

SHA1
308bdcac85a1a61b0e8efccb6603a58c0c68e8ef

SHA256
7b56b12a0e16f2123110222e3884ac44fddf2cb9c780b053d3e29c3468b3a256

SHA512
64fc81965a5e564b2896f01f5419a3644f4b3f251422b0e81ad125f7c3145a9a23df58d7a0dcf8da06963a70f974d223646d7fa0e1e532f46e2d06d721b1e22d

Download Submit
C:\Program Files (x86)\Funshion\Updater.exe

Filesize
3.4MB

MD5
3e70fba5ef28862d49f63ac683859aa6

SHA1
7f74f5e0106d89e5c5e9b8cac71d28afaa790115

SHA256
48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

SHA512
0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

Download Submit
C:\Program Files (x86)\Funshion\Updater.exe

Filesize
3.4MB

MD5
3e70fba5ef28862d49f63ac683859aa6

SHA1
7f74f5e0106d89e5c5e9b8cac71d28afaa790115

SHA256
48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

SHA512
0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

Download Submit
C:\Program Files (x86)\Funshion\Updater.exe

Filesize
3.4MB

MD5
3e70fba5ef28862d49f63ac683859aa6

SHA1
7f74f5e0106d89e5c5e9b8cac71d28afaa790115

SHA256
48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

SHA512
0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

Download Submit
C:\Program Files (x86)\Funshion\libcurl.dll

Filesize
121KB

MD5
d90f53ba4bdf19d1ab57354eb52edaa1

SHA1
9338a9dede3f9c2746f3578eebbe6279899ce9aa

SHA256
e43fb38e152363bd0886fe84a3247db739eb27dd7eec23cbfb1a22f88ad05b20

SHA512
421f02c08c330bbe5fa836d9c75dca57fd35864f42a028c6939e56db4f509f387bf58b79f3fe3b1845f7e0bd7f65c16ac573c6fddd5c6feb7922ba8f658d1028

Download Submit
C:\Program Files (x86)\Funshion\libcurl.dll

Filesize
121KB

MD5
d90f53ba4bdf19d1ab57354eb52edaa1

SHA1
9338a9dede3f9c2746f3578eebbe6279899ce9aa

SHA256
e43fb38e152363bd0886fe84a3247db739eb27dd7eec23cbfb1a22f88ad05b20

SHA512
421f02c08c330bbe5fa836d9c75dca57fd35864f42a028c6939e56db4f509f387bf58b79f3fe3b1845f7e0bd7f65c16ac573c6fddd5c6feb7922ba8f658d1028

Download Submit
C:\ProgramData\afd.bin

Filesize
198KB

MD5
c68f04b5648ffe2e351d2f3831d708e5

SHA1
e21871056c7b767bf357a1f5bc399fe7f1248a92

SHA256
e5153b805563b3d00f7a7796d313f60685cc31b3f883fe47887ade617ca076aa

SHA512
8807b38723f37c9b197a0d9f090c00fdd467ceb26ba810767676f16c29d6248a41ac6b41460a6b4972209ca0da5457622ce6b56205d0d27034bc57b6c5069d7d

Download Submit
memory/3948-34-0x0000000002CA0000-0x0000000002CD1000-memory.dmp

Filesize
196KB

Download
memory/3948-31-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/3948-57-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/3948-44-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/3948-39-0x0000000002CE0000-0x0000000002D0A000-memory.dmp

Filesize
168KB

Download
memory/3948-36-0x00000000031D0000-0x000000000327E000-memory.dmp

Filesize
696KB

Download
memory/5012-4-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/5012-5-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/5012-3-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/5012-2-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/5012-0-0x0000000000510000-0x00000000011A5000-memory.dmp

Filesize
12.6MB

Download
memory/5012-6-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/5012-32-0x0000000000510000-0x00000000011A5000-memory.dmp

Filesize
12.6MB

Download
memory/5012-9-0x0000000000510000-0x00000000011A5000-memory.dmp

Filesize
12.6MB

Download
memory/5012-1-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/5012-7-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/5012-8-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing