Analysis

  • max time kernel
    153s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2023 08:01

General

  • Target

    9b9d900dc96e20a67c03c6fe3157e9ca96f993b310fff8f5108aeff29af7c160.exe

  • Size

    2.4MB

  • MD5

    251a07949290769a2a5a949d8f2b225b

  • SHA1

    99bcddbe92c39a378b29c81950019abaeb175774

  • SHA256

    9b9d900dc96e20a67c03c6fe3157e9ca96f993b310fff8f5108aeff29af7c160

  • SHA512

    ce2530d64f5ef3d2d0eb06a1d2aad62b8334486335fe76e4489199ea9ea8fe27639f02e6e459c475925d77b8af83f741cde460b481f3e283e0c25556981a6cb9

  • SSDEEP

    49152:1e8Pbe4aJLOeOQD63cqM91/3/yPpjfNBqWUa5mAlOKVtSquYS66p5yBtroB8qXIV:1eSgJLDOQD6MV91/3/yRbNBqWUBLKVYU

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++, first appearing in June 2021.

  • Fatal Rat payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b9d900dc96e20a67c03c6fe3157e9ca96f993b310fff8f5108aeff29af7c160.exe
    "C:\Users\Admin\AppData\Local\Temp\9b9d900dc96e20a67c03c6fe3157e9ca96f993b310fff8f5108aeff29af7c160.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Program Files (x86)\Funshion\DySDKController.exe
      "C:\Program Files (x86)\Funshion\DySDKController.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4360

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Funshion\DyCrashRpt.dll

    Filesize

    91KB

    MD5

    64da0cc00e2affa50a9cae9b361da59b

    SHA1

    4dc57d02d0e72273035f960f6dbec4aecad66b56

    SHA256

    2947fa497fa8be603f0d950568068ac032d473a4c3b422355d76f77f8b775a6f

    SHA512

    504b1ea08f6155b93b113deb522b28e1935d78b256348be3108dd79c8a5953177ab38542dad57e286733fb6e9466e0af0ff056bacdf4631e81daf97f61396819

  • C:\Program Files (x86)\Funshion\DyCrashRpt.dll

    Filesize

    92KB

    MD5

    7c2ba0de0b394b1723dff7e9b8ff4abf

    SHA1

    f3c61601d57050ff1233a2b115c9e0e321baf994

    SHA256

    c80e542588f896eb858c08be9c8abf3739319ec65b129a7e7530e459a2f05d4b

    SHA512

    2c9ad5885e2a9d39283a2de62ae0212ca967f347a889d0dfeacbf4acee8e66d78201f7a3e7d9bc33f5800a5d3267fc47b1969d6f098fb9e7c8e12b82676ceab4

  • C:\Program Files (x86)\Funshion\DySDKController.exe

    Filesize

    893KB

    MD5

    4222e3402ee40050f286bb29ecd65c3d

    SHA1

    825470624c594812959d475e4f6ec0dea18b7222

    SHA256

    12b63f9e04aa7c712da95524b044fb88e87f9b8230954d4dc28c17ed87d392a9

    SHA512

    d26c3b2b1c2af568b0821c52fb6aad62680dbf6305cb071a1d488ab2f2ea5a605256c40f00c9625fca237931f7201c168c5c40e74f2d1f73f7a23dd6f7a86435

  • C:\Program Files (x86)\Funshion\DySDKController.exe

    Filesize

    381KB

    MD5

    165be40d03321cfe503d9abeb930b9f0

    SHA1

    fbcbda939ebbf45d1dabb125da21efe327948463

    SHA256

    b743d673c4c37f2c752b79be241c431e536b681e287fe7e9f818652c87eeaca3

    SHA512

    c6ea788cc1063e68ce513edcf74879b4ed0af9c7c8ed34a45164fbb3d62d3fc10e20400b3e9dbd771d9d1e6126abe9e3a33fbc623ef524b8eab133ab96c51c3c

  • C:\Program Files (x86)\Funshion\DySDKController.exe

    Filesize

    1.1MB

    MD5

    5441bc3e3ceb2162a65cbfb4b6e7acd3

    SHA1

    103a0ec0f23e90def158eff9be7f63f6ca9af420

    SHA256

    90fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6

    SHA512

    f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4

  • memory/4360-24-0x00000000029B0000-0x0000000002A14000-memory.dmp

    Filesize

    400KB

  • memory/4360-20-0x0000000010000000-0x0000000010031000-memory.dmp

    Filesize

    196KB

  • memory/4360-18-0x0000000075740000-0x0000000075768000-memory.dmp

    Filesize

    160KB

  • memory/4360-25-0x0000000000E70000-0x0000000000E9A000-memory.dmp

    Filesize

    168KB

  • memory/4360-30-0x0000000075740000-0x0000000075768000-memory.dmp

    Filesize

    160KB