fatalrat | 6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6

General

Target

6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe
Size

3.7MB
MD5

8257dbbadbf1508e030161cffa5ab3b0
SHA1

8666310ea7d1b9b1f1519ab614c3100bf6a55b68
SHA256

6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6
SHA512

070622c925eacbc4e10c4179d78a526f79dd13377c9beef3fd398dbb1830f1ce7962385b8bbe8d91e26953e134be226253fba76f06e5c319e79fbb97ca5335f0
SSDEEP

49152:F8y4+H/MA9KvdXjuvugsDwy9p6a7ZIcQ2R8+06QlCQ1U2V+6kYdke+/skGV8rOvN:J/MOeDp6l08+06QxUZ6kB/skbrOl

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral2/memory/3732-28-0x0000000002930000-0x000000000295A000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe

Executes dropped EXE 1 IoCs

Processes:

DySDKController.exe

pid	Process
3732	DySDKController.exe

Loads dropped DLL 1 IoCs

Processes:

DySDKController.exe

pid	Process
3732	DySDKController.exe

Drops file in Program Files directory 4 IoCs

Processes:

6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe

description	ioc	Process
File created	C:\Program Files (x86)\Funshion\cvsd.xml	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe
File created	C:\Program Files (x86)\Funshion\decvsd.xml	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe
File created	C:\Program Files (x86)\Funshion\DyCrashRpt.dll	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe
File created	C:\Program Files (x86)\Funshion\DySDKController.exe	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe

pid	Process
996	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe
996	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe
996	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe
996	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DySDKController.exe

description	pid	Process
Token: SeDebugPrivilege	3732	DySDKController.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe

pid	Process
996	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe

description	pid	Process	procid_target
PID 996 wrote to memory of 3732	996	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe	41
PID 996 wrote to memory of 3732	996	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe	41
PID 996 wrote to memory of 3732	996	6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe
"C:\Users\Admin\AppData\Local\Temp\6c6d7f7d566de84cd12a53e3c6007982042626e906d8189932e3cca828ed2bf6.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996
- C:\Program Files (x86)\Funshion\DySDKController.exe
  "C:\Program Files (x86)\Funshion\DySDKController.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion\DyCrashRpt.dll

Filesize
99KB

MD5
81c0aabb8c45040e2af75fd8473b8990

SHA1
57525da259632a3f0695a5754444d63a4a46d61d

SHA256
e348983d3c4800a3637c337d67d6954f17a1c2014a09aa9cb73490fe91cc174e

SHA512
7b36864bd71f253a26cd9070caaa485fa4d2b2d6e84ec8dd502a50da7c43e29ee24c6796dc17d21130db493f413f6ea81a94abda12f154ed1dd9f29b7ef3ebc6

Download Submit
C:\Program Files (x86)\Funshion\DyCrashRpt.dll

Filesize
94KB

MD5
0b400be3159802445950a5ea2d1d68e1

SHA1
11aa090b8675748f6fb4ca8d5b9929497a8e01f5

SHA256
865afa2d6a43a885c80c68e6cbb180f8357adc1511e15724dc27251925a32558

SHA512
84650711ce07fbd8dafa05aef5860374c0b498ec6670aa69d21c36beaec07d21a9296660ed25afbe6a92ce9eee739a332be1dde91464d45496151b57989128a6

Download Submit
C:\Program Files (x86)\Funshion\DySDKController.exe

Filesize
81KB

MD5
cba1f039f042c507098606bab20068ca

SHA1
75dddbfd709bb6798d25a86e2c76f3c9130480d3

SHA256
b3b3898bcebded10f124b7397b7c05ec700060020ef1a36cf046893ea3ff5542

SHA512
ec13d35d5c6bba29570c8a104f4a6bc815c3df2bfa3611d950386b7a2671010c43f416cd81793f5cca41b1885bde6d0c87ff6a0b426750c5dabc16a5f79b9141

Download Submit
C:\Program Files (x86)\Funshion\DySDKController.exe

Filesize
18KB

MD5
5806664e84f3c3fc12d8d7b17d97c498

SHA1
0685eb8d5591ddcf9bbfb419dcd1984957e2ff41

SHA256
18bc55b074e61fbe6295634ce5de51cf9b01751d447b6495c21662115fa85975

SHA512
c53bcae97e04b4e11be9befca1399d7550a78670aefcb708fc2c720d74f4d4e7ce46f098ce5c86a5a9953fb7f1d78ccc1ee8ebffda79d8682d23951e24d20fb5

Download Submit
C:\ProgramData\afd.bin

Filesize
41KB

MD5
c8a38f40c6d3aa6d1086fc5e6894d878

SHA1
60fd06d804267c7b156dbaa92045caa450485a43

SHA256
ff70318fc6216e4a90511c8d386e34277c784ea23245ba4e3bdbfc8e69568347

SHA512
54f94ffdf821fa96c63884c36ae3060d2d8646bb863543932c24a631669e0a02a20db5872ecd05eaaa911def1f729489c9c837890f9d800e30db620272500471

Download Submit
memory/3732-21-0x0000000075AA0000-0x0000000075AC8000-memory.dmp

Filesize
160KB

Download
memory/3732-23-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/3732-26-0x0000000000E20000-0x0000000000E84000-memory.dmp

Filesize
400KB

Download
memory/3732-28-0x0000000002930000-0x000000000295A000-memory.dmp

Filesize
168KB

Download
memory/3732-33-0x0000000075AA0000-0x0000000075AC8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads