fatalrat | 6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6

General

Target

6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe
Size

3.7MB
MD5

8257dbbadbf1508e030161cffa5ab3b0
SHA1

8666310ea7d1b9b1f1519ab614c3100bf6a55b68
SHA256

6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6
SHA512

070622c925eacbc4e10c4179d78a526f79dd13377c9beef3fd398dbb1830f1ce7962385b8bbe8d91e26953e134be226253fba76f06e5c319e79fbb97ca5335f0
SSDEEP

49152:F8y4+H/MA9KvdXjuvugsDwy9p6a7ZIcQ2R8+06QlCQ1U2V+6kYdke+/skGV8rOvN:J/MOeDp6l08+06QxUZ6kB/skbrOl

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/1216-22-0x00000000001D0000-0x00000000001FA000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

Processes:

DySDKController.exe

pid	Process
1216	DySDKController.exe

Loads dropped DLL 1 IoCs

Processes:

DySDKController.exe

pid	Process
1216	DySDKController.exe

Drops file in Program Files directory 4 IoCs

Processes:

6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe

description	ioc	Process
File created	C:\Program Files (x86)\Funshion\cvsd.xml	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe
File created	C:\Program Files (x86)\Funshion\decvsd.xml	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe
File created	C:\Program Files (x86)\Funshion\DyCrashRpt.dll	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe
File created	C:\Program Files (x86)\Funshion\DySDKController.exe	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe

pid	Process
2216	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe
2216	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DySDKController.exe

description	pid	Process
Token: SeDebugPrivilege	1216	DySDKController.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe

pid	Process
2216	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe

description	pid	Process	procid_target
PID 2216 wrote to memory of 1216	2216	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe	28
PID 2216 wrote to memory of 1216	2216	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe	28
PID 2216 wrote to memory of 1216	2216	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe	28
PID 2216 wrote to memory of 1216	2216	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe	28

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe
"C:\Users\Admin\AppData\Local\Temp\6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Program Files (x86)\Funshion\DySDKController.exe
  "C:\Program Files (x86)\Funshion\DySDKController.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion\DyCrashRpt.dll

Filesize
28KB

MD5
469912710c302ff7f295c029dba7d2dd

SHA1
827acaa15d6d87db1f64666fbcfa0da05d7127a2

SHA256
4308b1ba1bf63da04114b6f01d28ceb34d7f59cfbb8a4e6af6c5c469e676653a

SHA512
1ede2228c23a038f84eec1d17f17f9a95679b42019e6cc5bb1cfaec8d921424ee1560c8c4d086d7b5545060809a21872c964717056600f0270119c1e68a58531

Download Submit
C:\Program Files (x86)\Funshion\DySDKController.exe

Filesize
42KB

MD5
e556470ab201442b3a8291e394bec61a

SHA1
027b9b673c7db2fe9023c9bfea9a65139287f5dd

SHA256
62270f54a19141433d2f11a3ccd90de9d6557aea361cc14dd3c7021d5c71a6d0

SHA512
05eb2d9867afaaf0734eb249fc583ef5f5b3d4bcb07ccc1827f901bc323209048ae6cf4a9dac4bb46b97e956bec9414bd0fb0800ac930b9fc0f555e073c8b0b8

Download Submit
C:\ProgramData\afd.bin

Filesize
26KB

MD5
0b607ff55df0b5acfcb7c5f3dc1ecf33

SHA1
9aa83e9fd691cdd2a1390d41c2c05a7de4608ba4

SHA256
57efa81ba3b097c2328e6686439451fb31be3d05a53e24e709e43d33ab6766de

SHA512
dcc791377465acf72afbfcb7d6dc8cd6b36e01929ecfe3d4d4c19d9793f2518591b7c7e3a4de87e6988fdd18071e8baa93bf884ef388c481d7717c0ff4bfad1e

Download Submit
\Program Files (x86)\Funshion\DyCrashRpt.dll

Filesize
51KB

MD5
580658d954eb40d8a9328769be10b74d

SHA1
3363face37fac6eaf09829d3f7dee8896dcaa3dd

SHA256
c72772a35b8b9b4c84e1aa336f0fac7615d5d975aa10ac9e0eaba500527f8e19

SHA512
233103004bb7342dc9b88049354300bf92cf720126fce63568f331ddb83db4dcd9555f9f5e315179602db5b5389f837b37a8398d534f3b98b7e6b4e0287fc3a8

Download Submit
memory/1216-15-0x0000000074CB0000-0x0000000074CD8000-memory.dmp

Filesize
160KB

Download
memory/1216-21-0x0000000000100000-0x0000000000164000-memory.dmp

Filesize
400KB

Download
memory/1216-22-0x00000000001D0000-0x00000000001FA000-memory.dmp

Filesize
168KB

Download
memory/1216-17-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/1216-27-0x0000000074CB0000-0x0000000074CD8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads