Overview

overview

10

Static

static

3

ddecb22fb6...b6.exe

windows7-x64

10

ddecb22fb6...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2023 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ddecb22fb6cd998ef88d3f56de51377beb5cf165988196d312206b850ed090b6.exe

  • Size

    4.0MB

  • MD5

    3850fe533e6cfa28bd851d310dad970c

  • SHA1

    1b9aaa74d647cd720c377a026c046c996fdaeed1

  • SHA256

    ddecb22fb6cd998ef88d3f56de51377beb5cf165988196d312206b850ed090b6

  • SHA512

    825c0fbc5b468f59607f93a23afb371ab4aa440ad17774244cd2e1ad4d090951cc5a22c75aaedad1f958e1ed27dac5f1d922011f55666f9c484f2fe57feb54ca

  • SSDEEP

    49152:C8y4+H/MA9KvdXjuvugsDwy9p6a7ZIcQ2R8+06QlCQ1U2V+6kYS3e+/skGV8rOv1:a/MOeDp6l08+06QxUZ6kb/skbrOO

Score
10/10
fatalratinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 1 IoCs
    ratinfostealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ddecb22fb6cd998ef88d3f56de51377beb5cf165988196d312206b850ed090b6.exe
    "C:\Users\Admin\AppData\Local\Temp\ddecb22fb6cd998ef88d3f56de51377beb5cf165988196d312206b850ed090b6.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4620
    • C:\Program Files (x86)\Funshion\DySDKController.exe
      "C:\Program Files (x86)\Funshion\DySDKController.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:4288

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Funshion\DyCrashRpt.dll
    Filesize

    155KB

    MD5

    068a45ed0c24060c3a8d45be44087f65

    SHA1

    fc7b7a4f021cb71b6a81daf62046d3fd5dc1653a

    SHA256

    5c5f0030940704c174600b3ded8d90a168b2cb406bfbd1c5de1df3057de42f0e

    SHA512

    54f5871515667708cd47980a96a57aa1386887ffb343360a2b2bd05da53e0474ff175818657ae39a4f3516bb191e50961a3b84538f8ff3296b773abb38e0d447

    Download Submit

  • C:\Program Files (x86)\Funshion\DySDKController.exe
    Filesize

    100KB

    MD5

    ec8f16038d260449a6e122214ea2b2c0

    SHA1

    f2b445e857d6fb3bb087f28958ddcb5a2bb4ea71

    SHA256

    9c14e6a69b8a7abcabaf096a98548294c775a3623fb17f94e0343120de63da11

    SHA512

    a7912e3ec522f3cd449a7b961af74916fedc43ba6694895701f2ca2cd571a267afe75fdae2ea2d7ede50cfbd5300639f4cb154e864c69d8ceac4ca9a825190fa

    Download Submit

  • C:\Program Files (x86)\Funshion\DySDKController.exe
    Filesize

    81KB

    MD5

    42ca9eb662748632758ad2f1cfc7e167

    SHA1

    e00a89e5402979b29cf93ef7e591310268238c87

    SHA256

    5b11b804cb814f171076588695bef6debdd5e313107e7af844ad1c04015b8a09

    SHA512

    0ec21f0b434c667bd52549d8a030a6edb9b1b4b09f3dbfe3763538b0f54587a5ce16d3b4c10e29cb983a6b040185e84b1289772f4648360f7834c0a8cd075c0c

    Download Submit

  • C:\Program Files (x86)\Funshion\DySDKController.exe
    Filesize

    515KB

    MD5

    88a32ffaef7d969636a0ce12553703cd

    SHA1

    ad5b604e282eb919d9d855f88a87a892005be89e

    SHA256

    b40ff4986cd04d076cde02f0b276819d6efb5e633a07e204ab1d565a7cf2e5c9

    SHA512

    40454e249fc29e8f176174a53216e8794160ced2ff85a4b3da35b62e980cef606f177a174142d40f748780d15fbf71524ef5a8f71a7722e419db94c8b727a072

    Download Submit

  • C:\ProgramData\afd.bin
    Filesize

    126KB

    MD5

    84c5de236944bd6e25c0092e0214be5d

    SHA1

    d7cccef46a25ddbef1000c8e725612618bb9701a

    SHA256

    dc0bf32238cc27596aca555b95b4931f49a2026b38457cd9d87e4ff8d94d7364

    SHA512

    4bacd498aa104d720db4065461c6c4aea1bb03c543a20ee80750747296ce2618e2667d4cdfc8730331583bbd2f311019ad376d98efd7fc955bd28ed6d0599140

    Download Submit

  • memory/4288-23-0x0000000010000000-0x0000000010031000-memory.dmp

    Filesize

    196KB

    Download

  • memory/4288-26-0x00000000025C0000-0x0000000002624000-memory.dmp

    Filesize

    400KB

    Download

  • memory/4288-21-0x0000000075030000-0x0000000075058000-memory.dmp

    Filesize

    160KB

    Download

  • memory/4288-28-0x00000000008E0000-0x000000000090A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4288-33-0x0000000075030000-0x0000000075058000-memory.dmp

    Filesize

    160KB

    Download