Analysis
-
max time kernel
119s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20231025-en -
resource tags
-
submitted
13/12/2023, 10:58
General
-
Target
8102e9bee1323da3bc9ddd5232f8bcb3843e1ddd7bbf7859ee9f167b2ab1593d.exe
-
Size
4.0MB
-
MD5
9ae7830ff4ead1194119e4151b09d7b6
-
SHA1
e36741257c0d133c59bebf2aa3fe33344d4e5694
-
SHA256
8102e9bee1323da3bc9ddd5232f8bcb3843e1ddd7bbf7859ee9f167b2ab1593d
-
SHA512
e40ca551ba98869fc8aafdec3b8521d09c49d4e094c17f9df60a9056fab3cfce08de5c961b34daac46c1a4b274733d4e5a36ef024baa9322baf1ea64c1bbe241
-
SSDEEP
49152:C8y4+H/MA9KvdXjuvugsDwy9p6a7ZIcQ2R8+06QlCQ1U2V+6kYS3e+/skGV8rOv1:a/MOeDp6l08+06QxUZ6kb/skbrOO
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 53 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8102e9bee1323da3bc9ddd5232f8bcb3843e1ddd7bbf7859ee9f167b2ab1593d.exe"C:\Users\Admin\AppData\Local\Temp\8102e9bee1323da3bc9ddd5232f8bcb3843e1ddd7bbf7859ee9f167b2ab1593d.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Funshion\DySDKController.exe"C:\Program Files (x86)\Funshion\DySDKController.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
155KB
MD5068a45ed0c24060c3a8d45be44087f65
SHA1fc7b7a4f021cb71b6a81daf62046d3fd5dc1653a
SHA2565c5f0030940704c174600b3ded8d90a168b2cb406bfbd1c5de1df3057de42f0e
SHA51254f5871515667708cd47980a96a57aa1386887ffb343360a2b2bd05da53e0474ff175818657ae39a4f3516bb191e50961a3b84538f8ff3296b773abb38e0d447
-
Filesize
1.1MB
MD55441bc3e3ceb2162a65cbfb4b6e7acd3
SHA1103a0ec0f23e90def158eff9be7f63f6ca9af420
SHA25690fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6
SHA512f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4
-
Filesize
198KB
MD5b13ffe8963d3f536bcbd88d4f6ebae93
SHA1dcfdb4fa21a16dd417672c78ccdea8d5904c5f5e
SHA256ab766c0fbcc5610ff5dca17b085d0ef5ed96ef23f0fc8b6a9e8dbe40821830c9
SHA5120a6e3bf78aa2196dda368b3492bd017b4ea562ed0763359619faf6967aae1c88739fb662771bdce3084326e0db5ce0f55f9172f1a598e2d42c489d03500b2672
-
Filesize
160KB
-
Filesize
196KB
-
Filesize
400KB
-
Filesize
168KB
-
Filesize
160KB