fatalrat | ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c

General

Target

ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe
Size

4.0MB
MD5

c1c1898e903d510a040ba12b7838b2e5
SHA1

91e814f99ace82cad8cc8bde919e7148bd3582a7
SHA256

ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c
SHA512

fa073c10de4f3abc897f4f19bb6c4b6e72a5f0e3a27d6266a158bc8a236a44fe01c2e52a37d3a2b0cf6f78a6bc9e3a1bf69affa476b95e1060a6d3e226fee4c2
SSDEEP

98304:t3/+58f1r2yIrOqFH3aCv6M8mqHS4sjsmRzhIn98E3z9ADmrQ9CZlT:tv+y23Zt8mqRsfRKnWE3uDmwCf

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/1180-25-0x0000000000140000-0x000000000016A000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
1180	Pepper.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe
1180	Pepper.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2220	ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funshion\cvsd.xml	ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe
File created	C:\Program Files (x86)\Funshion\Pepper.exe	ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe
File created	C:\Program Files (x86)\Funshion\libcef.dll	ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2220	ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe
2220	ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	Pepper.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2220	ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe
2220	ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1180	2220	ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe	28
PID 2220 wrote to memory of 1180	2220	ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe	28
PID 2220 wrote to memory of 1180	2220	ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe	28
PID 2220 wrote to memory of 1180	2220	ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe	28

C:\Users\Admin\AppData\Local\Temp\ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe
"C:\Users\Admin\AppData\Local\Temp\ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Program Files (x86)\Funshion\Pepper.exe
  "C:\Program Files (x86)\Funshion\Pepper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion\Pepper.exe

Filesize
116KB

MD5
562d40948c0346e53d1b377cd075b074

SHA1
51a6e707440c7175a08c7380dd47dca1add857a4

SHA256
3df16acc2429ddd7324bd58a5ea3bec7094939a1617e7fe7755d43ed8d00dd63

SHA512
48eb5831b10d671f22b66df92df8752a7927bd52a9999922240eb945fcafa2cc0ace51a913358201484e7720572b0f202528b3c06c399867f08b0ff763e92661

Download Submit
C:\Program Files (x86)\Funshion\libcef.dll

Filesize
100KB

MD5
8a675f90a3af0c8be0851d193caebec3

SHA1
114c4a2929fe567999fe0b6e7e0abab9d1929019

SHA256
892f8aa9fb0c0d2d0375ce923ecf62f6596022fd1a6d1970413998aa46500631

SHA512
42349359b592d2e40b390adef8769ce005eb9989f17d45dd7e70a206c0df8e5b13b3da8cd66eb9016d6953fbeadee96db033839c45ccdf06f9e5434f358a2540

Download Submit
C:\ProgramData\afd.bin

Filesize
100KB

MD5
ab7f6226f4dba571f6e0e406ac3337ab

SHA1
32edc43e35437a53d72427fbd0254ab0b7218306

SHA256
0bfe39cdaf741fc12025728b781bc64f7a6f15f3fe4e5b6e66c293186880eaf9

SHA512
c29435f7d99f131e4fde04c3ef0c42f8bd960ba2306bdfdb7590cc9f7c3b245cba9d5a52478064b9d9a2ef8a83444bba785005ca500f1b57b9e26938ee9b82a5

Download Submit
\Program Files (x86)\Funshion\Pepper.exe

Filesize
162KB

MD5
eae742be4cc1f8eb8cc39233bf7a6889

SHA1
7d177d10cf433d8ed60f36f6e2cdd34ede8e4c4b

SHA256
cec93d630d6f2f2ff2f7a4cd42bdbae48f500dad9186364fe5c88ef9ba533f5d

SHA512
7a5efb9f6a7f0c6db7b9196f7d8ac882c3a9c8da3d36b6ec7c68f116d1605a665631fec2841007b70e1e48bb7f53592db55e4c0186053ecfd302ae01f71ba6ba

Download Submit
\Program Files (x86)\Funshion\libcef.dll

Filesize
65KB

MD5
edc855f768e8f97336105a9922ad25f0

SHA1
48fd0f16c6b2a220e53cd82bdfc7e87f96c6594f

SHA256
4f0c031979ce84c94ff9c62af2be4d0c82b12ae1940e09d3d29a0d1e081dc738

SHA512
1867d50d4d049037724ecb8234f44a460491c9edb04f08eddce8859ec838c955d4aa9d7f29a103679ae0c1b95d88daf9e883883abf301b739f485cde68d684ef

Download Submit
memory/1180-22-0x0000000075530000-0x0000000075640000-memory.dmp

Filesize
1.1MB

Download
memory/1180-23-0x0000000000370000-0x00000000003D4000-memory.dmp

Filesize
400KB

Download
memory/1180-25-0x0000000000140000-0x000000000016A000-memory.dmp

Filesize
168KB

Download
memory/1180-18-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/1180-30-0x0000000075530000-0x0000000075640000-memory.dmp

Filesize
1.1MB

Download
memory/2220-0-0x0000000000CD0000-0x00000000019F8000-memory.dmp

Filesize
13.2MB

Download
memory/2220-24-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2220-14-0x0000000000CD0000-0x00000000019F8000-memory.dmp

Filesize
13.2MB

Download
memory/2220-2-0x00000000775E0000-0x00000000775E1000-memory.dmp

Filesize
4KB

Download
memory/2220-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing