fatalrat | 297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
07/12/2023, 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe
Size

9.8MB
MD5

0d73e8c3d996fdb9f796472e2270f18e
SHA1

ce891cba235832d3e7a62b899786a215f0c94dff
SHA256

297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e
SHA512

592aeea7acbdc214a50e463fc1a424e5c8898b723b8c626216a18bbd24e933e2cd2011d3136ca9307094673f8effb51c8b5a3bf87b397cd9618a30448ae118f6
SSDEEP

196608:9mO/7OgB71cJEfK2DkGztjKWZpoz6QQ+dKFl1x6Ew5ynPnH45u5Hx:9mOjbcJIK2DXhWWpshQ7h6Xy/Y5O

Score

10^/10

fatalrat evasion infostealer rat themida trojan upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2776-35-0x0000000000180000-0x00000000001AA000-memory.dmp	fatalrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0033000000015604-27.dat	acprotect
behavioral1/files/0x0033000000015604-26.dat	acprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe

Executes dropped EXE 1 IoCs

pid	Process
2776	Updater.exe

Loads dropped DLL 3 IoCs

pid	Process
2212	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe
2776	Updater.exe
2776	Updater.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2212-0-0x0000000000F90000-0x0000000002519000-memory.dmp	themida
behavioral1/memory/2212-2-0x0000000000F90000-0x0000000002519000-memory.dmp	themida
behavioral1/memory/2212-3-0x0000000000F90000-0x0000000002519000-memory.dmp	themida
behavioral1/memory/2212-4-0x0000000000F90000-0x0000000002519000-memory.dmp	themida
behavioral1/memory/2212-5-0x0000000000F90000-0x0000000002519000-memory.dmp	themida
behavioral1/memory/2212-6-0x0000000000F90000-0x0000000002519000-memory.dmp	themida
behavioral1/memory/2212-7-0x0000000000F90000-0x0000000002519000-memory.dmp	themida
behavioral1/memory/2212-8-0x0000000000F90000-0x0000000002519000-memory.dmp	themida
behavioral1/memory/2212-9-0x0000000000F90000-0x0000000002519000-memory.dmp	themida
behavioral1/memory/2212-10-0x0000000000F90000-0x0000000002519000-memory.dmp	themida
behavioral1/memory/2212-24-0x0000000000F90000-0x0000000002519000-memory.dmp	themida

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0033000000015604-27.dat	upx
behavioral1/memory/2776-28-0x0000000010000000-0x000000001008D000-memory.dmp	upx
behavioral1/files/0x0033000000015604-26.dat	upx
behavioral1/memory/2776-50-0x0000000010000000-0x000000001008D000-memory.dmp	upx
behavioral1/memory/2776-53-0x0000000010000000-0x000000001008D000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2212	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funshion\cvsd.xml	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe
File created	C:\Program Files (x86)\Funshion\HttpFtp.dll	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe
File created	C:\Program Files (x86)\Funshion\libcurl.dll	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe
File created	C:\Program Files (x86)\Funshion\Updater.exe	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Updater.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2212	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe
2212	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe
2212	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe
2776	Updater.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	Updater.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2212	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe
2776	Updater.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2776	2212	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe	28
PID 2212 wrote to memory of 2776	2212	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe	28
PID 2212 wrote to memory of 2776	2212	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe	28
PID 2212 wrote to memory of 2776	2212	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe	28
PID 2212 wrote to memory of 2776	2212	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe	28
PID 2212 wrote to memory of 2776	2212	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe	28
PID 2212 wrote to memory of 2776	2212	297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe	28

C:\Users\Admin\AppData\Local\Temp\297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe
"C:\Users\Admin\AppData\Local\Temp\297782811cb69f269c4397e7bb71ce93875d5af3c9477bb0b6b22b11a92b135e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files (x86)\Funshion\Updater.exe
  "C:\Program Files (x86)\Funshion\Updater.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion\HttpFtp.dll

Filesize
234KB

MD5
49fdb26643239695c5faa0677965a94c

SHA1
308bdcac85a1a61b0e8efccb6603a58c0c68e8ef

SHA256
7b56b12a0e16f2123110222e3884ac44fddf2cb9c780b053d3e29c3468b3a256

SHA512
64fc81965a5e564b2896f01f5419a3644f4b3f251422b0e81ad125f7c3145a9a23df58d7a0dcf8da06963a70f974d223646d7fa0e1e532f46e2d06d721b1e22d

Download Submit
C:\Program Files (x86)\Funshion\Updater.exe

Filesize
3.4MB

MD5
3e70fba5ef28862d49f63ac683859aa6

SHA1
7f74f5e0106d89e5c5e9b8cac71d28afaa790115

SHA256
48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

SHA512
0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

Download Submit
C:\Program Files (x86)\Funshion\Updater.exe

Filesize
3.4MB

MD5
3e70fba5ef28862d49f63ac683859aa6

SHA1
7f74f5e0106d89e5c5e9b8cac71d28afaa790115

SHA256
48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

SHA512
0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

Download Submit
C:\Program Files (x86)\Funshion\libcurl.dll

Filesize
121KB

MD5
d90f53ba4bdf19d1ab57354eb52edaa1

SHA1
9338a9dede3f9c2746f3578eebbe6279899ce9aa

SHA256
e43fb38e152363bd0886fe84a3247db739eb27dd7eec23cbfb1a22f88ad05b20

SHA512
421f02c08c330bbe5fa836d9c75dca57fd35864f42a028c6939e56db4f509f387bf58b79f3fe3b1845f7e0bd7f65c16ac573c6fddd5c6feb7922ba8f658d1028

Download Submit
C:\ProgramData\afd.bin

Filesize
198KB

MD5
c68f04b5648ffe2e351d2f3831d708e5

SHA1
e21871056c7b767bf357a1f5bc399fe7f1248a92

SHA256
e5153b805563b3d00f7a7796d313f60685cc31b3f883fe47887ade617ca076aa

SHA512
8807b38723f37c9b197a0d9f090c00fdd467ceb26ba810767676f16c29d6248a41ac6b41460a6b4972209ca0da5457622ce6b56205d0d27034bc57b6c5069d7d

Download Submit
\Program Files (x86)\Funshion\HttpFtp.dll

Filesize
234KB

MD5
49fdb26643239695c5faa0677965a94c

SHA1
308bdcac85a1a61b0e8efccb6603a58c0c68e8ef

SHA256
7b56b12a0e16f2123110222e3884ac44fddf2cb9c780b053d3e29c3468b3a256

SHA512
64fc81965a5e564b2896f01f5419a3644f4b3f251422b0e81ad125f7c3145a9a23df58d7a0dcf8da06963a70f974d223646d7fa0e1e532f46e2d06d721b1e22d

Download Submit
\Program Files (x86)\Funshion\Updater.exe

Filesize
3.4MB

MD5
3e70fba5ef28862d49f63ac683859aa6

SHA1
7f74f5e0106d89e5c5e9b8cac71d28afaa790115

SHA256
48c0f15c264d00bf7053531de69bc44a8d31246a1f867acfc5f48ec705624bd1

SHA512
0be2e7d7dd1c07c348f2d1010d452972cba1db501c6ee69a1a40d68908866fb744a24f58caf9430b7ab48b78f4d0be06ce7ba7e0ce3fb0b4d8f903670e30ee1a

Download Submit
\Program Files (x86)\Funshion\libcurl.dll

Filesize
121KB

MD5
d90f53ba4bdf19d1ab57354eb52edaa1

SHA1
9338a9dede3f9c2746f3578eebbe6279899ce9aa

SHA256
e43fb38e152363bd0886fe84a3247db739eb27dd7eec23cbfb1a22f88ad05b20

SHA512
421f02c08c330bbe5fa836d9c75dca57fd35864f42a028c6939e56db4f509f387bf58b79f3fe3b1845f7e0bd7f65c16ac573c6fddd5c6feb7922ba8f658d1028

Download Submit
memory/2212-24-0x0000000000F90000-0x0000000002519000-memory.dmp

Filesize
21.5MB

Download
memory/2212-2-0x0000000000F90000-0x0000000002519000-memory.dmp

Filesize
21.5MB

Download
memory/2212-10-0x0000000000F90000-0x0000000002519000-memory.dmp

Filesize
21.5MB

Download
memory/2212-8-0x0000000000F90000-0x0000000002519000-memory.dmp

Filesize
21.5MB

Download
memory/2212-4-0x0000000000F90000-0x0000000002519000-memory.dmp

Filesize
21.5MB

Download
memory/2212-3-0x0000000000F90000-0x0000000002519000-memory.dmp

Filesize
21.5MB

Download
memory/2212-7-0x0000000000F90000-0x0000000002519000-memory.dmp

Filesize
21.5MB

Download
memory/2212-5-0x0000000000F90000-0x0000000002519000-memory.dmp

Filesize
21.5MB

Download
memory/2212-6-0x0000000000F90000-0x0000000002519000-memory.dmp

Filesize
21.5MB

Download
memory/2212-1-0x0000000077590000-0x0000000077592000-memory.dmp

Filesize
8KB

Download
memory/2212-0-0x0000000000F90000-0x0000000002519000-memory.dmp

Filesize
21.5MB

Download
memory/2212-9-0x0000000000F90000-0x0000000002519000-memory.dmp

Filesize
21.5MB

Download
memory/2776-32-0x0000000000370000-0x000000000041E000-memory.dmp

Filesize
696KB

Download
memory/2776-28-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2776-35-0x0000000000180000-0x00000000001AA000-memory.dmp

Filesize
168KB

Download
memory/2776-30-0x0000000000470000-0x00000000004A1000-memory.dmp

Filesize
196KB

Download
memory/2776-50-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2776-53-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download