fatalrat | d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a

General

Target

d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe
Size

7.8MB
MD5

0ff89a747039fda2b552d6dd405b3dca
SHA1

c0abfbfe54e09e312be89111d8f5b770c038be8e
SHA256

d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a
SHA512

c9e5f35d6637a4bcf600a414d556f6221f24991c23378d24a811ed85806ac797058c49e805e2600523f90dab2e4607b4551334cf93210a01e93a29ce3b5c3424
SSDEEP

196608:RfYOSYUX/C+TFsIsESAxj0dUv1RJsASY8Wb2PVpu9Q3AJ:RrU6+ZsNU0YsE8b/

Score

10^/10

fatalrat infostealer rat vmprotect

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral2/memory/3888-36-0x0000000000680000-0x00000000006AA000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation	d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe

Executes dropped EXE 1 IoCs

Processes:

GNCEFExternal.exe

pid	Process
3888	GNCEFExternal.exe

Loads dropped DLL 2 IoCs

Processes:

GNCEFExternal.exe

pid	Process
3888	GNCEFExternal.exe
3888	GNCEFExternal.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/3432-2-0x0000000000730000-0x0000000001690000-memory.dmp	vmprotect
behavioral2/memory/3432-1-0x0000000000730000-0x0000000001690000-memory.dmp	vmprotect
behavioral2/memory/3432-27-0x0000000000730000-0x0000000001690000-memory.dmp	vmprotect

Drops file in Program Files directory 6 IoCs

Processes:

d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exeGNCEFExternal.exe

description	ioc	Process
File created	C:\Program Files (x86)\Funshion\msvcr100.dll	d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe
File opened for modification	C:\Program Files (x86)\Log\2023-12-15 GNCef.log	GNCEFExternal.exe
File created	C:\Program Files (x86)\Funshion\cvsd.xml	d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe
File created	C:\Program Files (x86)\Funshion\GNCEFExternal.exe	d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe
File created	C:\Program Files (x86)\Funshion\libcef.dll	d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe
File created	C:\Program Files (x86)\Funshion\msvcp100.dll	d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe

pid	Process
3432	d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe
3432	d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe
3432	d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe
3432	d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe
3432	d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe
3432	d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GNCEFExternal.exe

description	pid	Process
Token: SeDebugPrivilege	3888	GNCEFExternal.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe

pid	Process
3432	d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe

description	pid	Process	procid_target
PID 3432 wrote to memory of 3888	3432	d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe	94
PID 3432 wrote to memory of 3888	3432	d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe	94
PID 3432 wrote to memory of 3888	3432	d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe	94

C:\Users\Admin\AppData\Local\Temp\d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe
"C:\Users\Admin\AppData\Local\Temp\d95d7da7bc04833b132d7b612522cd4058f052e84ee8c82f34687bc548d3e36a.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Program Files (x86)\Funshion\GNCEFExternal.exe
  "C:\Program Files (x86)\Funshion\GNCEFExternal.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion\GNCEFExternal.exe

Filesize
550KB

MD5
37f24d777f06a274be6091e876910295

SHA1
fca8aa72cad4f30aac459d76bd71e8cfc9a7b367

SHA256
baa59def8aaad78906b5f1bde287224df378e6dfda62fa5a2279e6875d4d94f4

SHA512
f037d8c138de63cff11e96bb219c0f630d43434cf27c6c328108f508c0619238668803f9ef249b0f9fdc377f99ce7a56b60e5642397bc23cd7a1ff36e0d285e4

Download Submit
C:\Program Files (x86)\Funshion\MSVCR100.dll

Filesize
756KB

MD5
ef3e115c225588a680acf365158b2f4a

SHA1
ecda6d3b4642d2451817833b39248778e9c2cbb0

SHA256
25d1cc5be93c7a0b58855ad1f4c9df3cfb9ec87e5dc13db85b147b1951ac6fa8

SHA512
d51f51336b7a34eb6c8f429597c3d685eb53853ee5e9d4857c40fc7be6956f1b8363d8d34bebad15ccceae45a6eb69f105f2df6a672f15fb0e6f8d0bb1afb91a

Download Submit
C:\Program Files (x86)\Funshion\libcef.dll

Filesize
18KB

MD5
38619b5de44247530eae8e6682aee536

SHA1
97f1f9b717d300482ca35dba6ab48f0e7458178e

SHA256
2e85458d05bef20852c5afcff5d6f783feda7da106aeea7a7fc830e56921fd58

SHA512
7130096df695021c8dfe4e561bd1e94e8b1f40a980ed6101475dc075f2f4fa687bce69aaa7bad0a5790e7856ac5059a2fe9940835c9210a897fbd7da9fa97760

Download Submit
C:\ProgramData\afd.bin

Filesize
198KB

MD5
c227081c485d962210c24dd3e2656ffd

SHA1
19804d32bf47438d7b0f7e910343f468ceff981b

SHA256
cf880632ce06a144dc356768c40233526792e7932f0278ce580f8967e14bdae1

SHA512
64b298b39fa8fc940c820f923cd189cd7157006e16752e7ab731aa479ce476105d0267cfa30d1a8b3e0f66b5410cf7331700bebf5b6e8aa56ea932f1c44a2017

Download Submit
memory/3432-0-0x0000000001C30000-0x0000000001C31000-memory.dmp

Filesize
4KB

Download
memory/3432-2-0x0000000000730000-0x0000000001690000-memory.dmp

Filesize
15.4MB

Download
memory/3432-1-0x0000000000730000-0x0000000001690000-memory.dmp

Filesize
15.4MB

Download
memory/3432-27-0x0000000000730000-0x0000000001690000-memory.dmp

Filesize
15.4MB

Download
memory/3888-31-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/3888-34-0x00000000023D0000-0x000000000247E000-memory.dmp

Filesize
696KB

Download
memory/3888-36-0x0000000000680000-0x00000000006AA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads