fatalrat | b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12

General

Target

b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12.exe
Size

2.5MB
MD5

09793c047cf01b0d7e977693140729c4
SHA1

905407707de3b030c9ba94fe775410fca9deb88e
SHA256

b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12
SHA512

55a3ca23ed7474bd7a14af38164ff75b7901dc94df2c0d3f6adef3948f818b7dde6d4b59d077dbf937ce6c9f0c588f49edd0c71d11ed4f70d552f0c31d62f8dd
SSDEEP

49152:p1xaSFbj2EGOvbdDtu1DMs+OGz8xLSS4aZodKGMXiTcbvcQaGBw3/quciHW80BqG:p1nFVGOjdDtu1Dv+OGzA4a+K3iTBQaGR

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/1748-23-0x00000000001D0000-0x00000000001FA000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
1748	DySDKController.exe

Loads dropped DLL 2 IoCs

pid	Process
2868	b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12.exe
1748	DySDKController.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Bonjour32\cvsd.xml	b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12.exe
File created	C:\Program Files (x86)\Bonjour32\decvsd.xml	b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12.exe
File created	C:\Program Files (x86)\Bonjour32\afd.bin	b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12.exe
File created	C:\Program Files (x86)\Bonjour32\DyCrashRpt.dll	b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12.exe
File created	C:\Program Files (x86)\Bonjour32\DySDKController.exe	b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2868	b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12.exe
2868	b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	DySDKController.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2868	b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 1748	2868	b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12.exe	28
PID 2868 wrote to memory of 1748	2868	b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12.exe	28
PID 2868 wrote to memory of 1748	2868	b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12.exe	28
PID 2868 wrote to memory of 1748	2868	b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12.exe	28

C:\Users\Admin\AppData\Local\Temp\b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12.exe
"C:\Users\Admin\AppData\Local\Temp\b763b94b3c8b81a43774b1dcd29755066b6ecc96391b4685152e97b483f3bb12.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Program Files (x86)\Bonjour32\DySDKController.exe
  "C:\Program Files (x86)\Bonjour32\DySDKController.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Bonjour32\DySDKController.exe

Filesize
1.1MB

MD5
5441bc3e3ceb2162a65cbfb4b6e7acd3

SHA1
103a0ec0f23e90def158eff9be7f63f6ca9af420

SHA256
90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

SHA512
f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

Download Submit
C:\Program Files (x86)\Bonjour32\afd.bin

Filesize
198KB

MD5
b13ffe8963d3f536bcbd88d4f6ebae93

SHA1
dcfdb4fa21a16dd417672c78ccdea8d5904c5f5e

SHA256
ab766c0fbcc5610ff5dca17b085d0ef5ed96ef23f0fc8b6a9e8dbe40821830c9

SHA512
0a6e3bf78aa2196dda368b3492bd017b4ea562ed0763359619faf6967aae1c88739fb662771bdce3084326e0db5ce0f55f9172f1a598e2d42c489d03500b2672

Download Submit
\Program Files (x86)\Bonjour32\DyCrashRpt.dll

Filesize
179KB

MD5
9d795919985be015d7b7925b534768dd

SHA1
e6641d2979f0ef09dfb7ac4a61cc943e82dc8ec5

SHA256
a23dcb37f608533021842ec61de94b2db84251b8926d867b90321c74285f9608

SHA512
35f9fcdee60d382c28d951c28f234d6b9a4c06644f623725a383f9bab54a8f6df8f57d7e8852c2d52f9ea93530946a05e7eaf42111dc21d16538ca8c2bf7010f

Download Submit
\Program Files (x86)\Bonjour32\DySDKController.exe

Filesize
629KB

MD5
87368b71aca2daa2ac0519a140daee2a

SHA1
7a20bf98eef1b23e46c4cb9be33984e5dcc622b4

SHA256
b34ae41b91f70b515d02e4a4ccf071068980a947d3723662b18be2cba2df20fb

SHA512
b4955c61de8017c023a5196d5e0490c52aaa4313c7796b145f150685f06ab7025709f189831f54c50420871f74bab66c6f4755826bde4bcb81d4fc5564f337aa

Download Submit
memory/1748-16-0x0000000074820000-0x0000000074853000-memory.dmp

Filesize
204KB

Download
memory/1748-18-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/1748-21-0x0000000000100000-0x0000000000164000-memory.dmp

Filesize
400KB

Download
memory/1748-23-0x00000000001D0000-0x00000000001FA000-memory.dmp

Filesize
168KB

Download
memory/1748-28-0x0000000074820000-0x0000000074853000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing