Overview

overview

10

Static

static

3

ef784be3a2...4c.exe

windows7-x64

10

ef784be3a2...4c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2023 11:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe

  • Size

    4.0MB

  • MD5

    c1c1898e903d510a040ba12b7838b2e5

  • SHA1

    91e814f99ace82cad8cc8bde919e7148bd3582a7

  • SHA256

    ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c

  • SHA512

    fa073c10de4f3abc897f4f19bb6c4b6e72a5f0e3a27d6266a158bc8a236a44fe01c2e52a37d3a2b0cf6f78a6bc9e3a1bf69affa476b95e1060a6d3e226fee4c2

  • SSDEEP

    98304:t3/+58f1r2yIrOqFH3aCv6M8mqHS4sjsmRzhIn98E3z9ADmrQ9CZlT:tv+y23Zt8mqRsfRKnWE3uDmwCf

Score
10/10
fatalratinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 1 IoCs
    ratinfostealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe
    "C:\Users\Admin\AppData\Local\Temp\ef784be3a22fd220f7e409d9d821e9b8802afb63ba611c68a6d0887f85d5584c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4436
    • C:\Program Files (x86)\Funshion\Pepper.exe
      "C:\Program Files (x86)\Funshion\Pepper.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:3464

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Funshion\Pepper.exe
    Filesize

    418KB

    MD5

    c174034e771afebd7272e5820afe013f

    SHA1

    85f73a76f9897786a32aad1ebefa4aaabf9d4c78

    SHA256

    c42da2f6d8a4842918017c292c1071d72d898f5fbf3510cf5f98800c7fcb08f0

    SHA512

    b43ac1cd1f455d5bc447738304d02642e118de3ed800da4ac44b4bc00fbb6c8118632cad4d079a870256c34195c649fcf1112ef1f97f479c98aca265e8219d5d

    Download Submit

  • C:\Program Files (x86)\Funshion\libcef.dll
    Filesize

    100KB

    MD5

    8a675f90a3af0c8be0851d193caebec3

    SHA1

    114c4a2929fe567999fe0b6e7e0abab9d1929019

    SHA256

    892f8aa9fb0c0d2d0375ce923ecf62f6596022fd1a6d1970413998aa46500631

    SHA512

    42349359b592d2e40b390adef8769ce005eb9989f17d45dd7e70a206c0df8e5b13b3da8cd66eb9016d6953fbeadee96db033839c45ccdf06f9e5434f358a2540

    Download Submit

  • C:\ProgramData\afd.bin
    Filesize

    198KB

    MD5

    f618881abb247efacf40058de8ed591d

    SHA1

    4e3ccd93688b0bd747cffd1a0d02213b4e89573c

    SHA256

    618505c71052ffbbfa4efc3b1eb79358bd244b4c3670ff6625a57d989950d3da

    SHA512

    86f58f8577e8bf576cdc7b480ae5cb2741a175b03657bdec88587f90fda7cc5cf76fe3dae40fa1ad096c0922df3b4d6b01f1cba0cfd9ee3970554b03ed338cf0

    Download Submit

  • memory/3464-20-0x0000000010000000-0x0000000010031000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3464-25-0x0000000002D00000-0x0000000002D64000-memory.dmp

    Filesize

    400KB

    Download

  • memory/3464-26-0x0000000001210000-0x000000000123A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4436-0-0x0000000000E60000-0x0000000001B88000-memory.dmp

    Filesize

    13.2MB

    Download

  • memory/4436-1-0x000000007F040000-0x000000007F411000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4436-2-0x00000000775D2000-0x00000000775D3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-19-0x0000000000E60000-0x0000000001B88000-memory.dmp

    Filesize

    13.2MB

    Download

  • memory/4436-31-0x000000007F040000-0x000000007F411000-memory.dmp

    Filesize

    3.8MB

    Download