fatalrat | 23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38

General

Target

23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe
Size

3.8MB
MD5

1198f58e6ec170af26028143ce0b6b8d
SHA1

a9c72a67e1574b4589aaee146f6251a4488a6c22
SHA256

23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38
SHA512

475f01395b52b19269d455bd568e9c3ca75b901d46c9fccbcaa66e5c65c57a3c66ddd7e44fdcb48fc2c216784b124209030786b89de66916ab5f5647dd6aa314
SSDEEP

49152:qhMG0vhGhZSDHFRsTfgeqTIcfPBtroB8qXzjpia:qh0vNFRsTknB+X

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/4812-25-0x0000000000B70000-0x0000000000B9A000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe

Executes dropped EXE 1 IoCs

pid	Process
4812	DySDKController.exe

Loads dropped DLL 1 IoCs

pid	Process
4812	DySDKController.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funshion\cvsd.xml	23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe
File created	C:\Program Files (x86)\Funshion\DyCrashRpt.dll	23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe
File created	C:\Program Files (x86)\Funshion\DySDKController.exe	23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4860	23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe
4860	23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe
4860	23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe
4860	23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	DySDKController.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4860	23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 4812	4860	23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe	91
PID 4860 wrote to memory of 4812	4860	23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe	91
PID 4860 wrote to memory of 4812	4860	23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe	91

C:\Users\Admin\AppData\Local\Temp\23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe
"C:\Users\Admin\AppData\Local\Temp\23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Program Files (x86)\Funshion\DySDKController.exe
  "C:\Program Files (x86)\Funshion\DySDKController.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion\DyCrashRpt.dll

Filesize
142KB

MD5
f4e8f95ef1dc8ac0406511fb489d5aa3

SHA1
259d274b31c7fe8152a0cc9aa2966164fe1d4113

SHA256
237a17b9d328255a03bd00578d9e4b9643201c367db4de7ed3a0912ce6c362b8

SHA512
f38b12cd4c8c7c96d36d92237cd1ddc8120443247150c826f9b590b08068d1f450aebe874c3efbaba4b191e81b856af022b5dd81932f23daf4df7b426efb61cd

Download Submit
C:\Program Files (x86)\Funshion\DyCrashRpt.dll

Filesize
95KB

MD5
1460461db87351d0846e90b831c19ab0

SHA1
7517fb8f0a6086ebd793acaa419a79fd6eb6b68c

SHA256
af4990e462c8fab3b5c76630b4ceba830869a8b46dd38c0451933ce44125cccc

SHA512
5e3dde7b798f63633253a27fbf45fd2305db800d4c68890e2f4d76a04a84e27929cadc7dbf08e06ca785a8708364c8c711ef7ec553181b1c6bc93b4daa951579

Download Submit
C:\Program Files (x86)\Funshion\DySDKController.exe

Filesize
640KB

MD5
b0eaf64f871de90d09e7f29426673bd2

SHA1
c2cef5be272a10689cc37273d80cfc6231291ff1

SHA256
f891f0660ffe39047649b76a788567140c82fbe38e733ca7217446b0a555b228

SHA512
48aa05db236d49997a4a10031fb08c3f6ffc2be494b90943d01ee3cda39bc11451855b9a301b110457d6d248d047cd909d840a418c190129b29e223dc387f070

Download Submit
C:\Program Files (x86)\Funshion\DySDKController.exe

Filesize
256KB

MD5
d6ac581100a25fb0d766b42efa353dfd

SHA1
c69c86d69354cf2f69e61bebeb5ac4ca840d0f97

SHA256
1a0ed9bcd21fe1a4a4e934fedfc69a787994942f7e691ac8f02b99afc1d115a6

SHA512
a14e13c96de848b57409ed2a56c53b10eafc319535b9be6caea3705dc9fec785c22e9ecf5550652c17e6f1110f3136fe24bdb16407af08abc25de80d38ea09ab

Download Submit
C:\Program Files (x86)\Funshion\DySDKController.exe

Filesize
1024KB

MD5
10cf53c80502d28f077c177b46e710c1

SHA1
1aebc93f653e865231a0fe39b3f9c0350a51e25f

SHA256
ba61dbefbdc995574a9b33595797b0fc03fc385f48e086d4aa36ed888db7f2bd

SHA512
ec9e6577f42a47e94d20b9a9325c224c04217469ed87aa3ba41d2ed31bff2c718048919e7da6b0476156c30f7b01b1be3df6ee40039bb2b6f11b8601ba5d7075

Download Submit
C:\ProgramData\afd.bin

Filesize
198KB

MD5
e4813426c6d32d0ed3eb21369194f539

SHA1
f23b558f9917765a5e7848b05bd04aef813b46e5

SHA256
56bb0f8be5e06c1e394adbd88a97bbef4d5119a3b38d066c79a523790bb8a8d0

SHA512
2197a288939e21bb83682ac64b280a4fd029e629229c1190f2cc9839064b6ff6486d4c32d84c9c89f565460bae8a10a03a13b6cc5bf7a351b68d5bdf51a321a8

Download Submit
memory/4812-21-0x00000000025D0000-0x0000000002634000-memory.dmp

Filesize
400KB

Download
memory/4812-20-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/4812-25-0x0000000000B70000-0x0000000000B9A000-memory.dmp

Filesize
168KB

Download
memory/4812-18-0x0000000073C70000-0x0000000073C98000-memory.dmp

Filesize
160KB

Download
memory/4812-30-0x0000000073C70000-0x0000000073C98000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing