Overview

overview

10

Static

static

1

23731d084a...38.exe

windows7-x64

7

23731d084a...38.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-01-2024 11:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe

  • Size

    3.8MB

  • MD5

    1198f58e6ec170af26028143ce0b6b8d

  • SHA1

    a9c72a67e1574b4589aaee146f6251a4488a6c22

  • SHA256

    23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38

  • SHA512

    475f01395b52b19269d455bd568e9c3ca75b901d46c9fccbcaa66e5c65c57a3c66ddd7e44fdcb48fc2c216784b124209030786b89de66916ab5f5647dd6aa314

  • SSDEEP

    49152:qhMG0vhGhZSDHFRsTfgeqTIcfPBtroB8qXzjpia:qh0vNFRsTknB+X

Score
10/10
fatalratinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 1 IoCs
    ratinfostealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe
    "C:\Users\Admin\AppData\Local\Temp\23731d084a2418d4a284a2b70eccf69bd7b1e07d92aaad652ee9653b27affc38.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Program Files (x86)\Funshion\DySDKController.exe
      "C:\Program Files (x86)\Funshion\DySDKController.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:4812

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Funshion\DyCrashRpt.dll
    Filesize

    142KB

    MD5

    f4e8f95ef1dc8ac0406511fb489d5aa3

    SHA1

    259d274b31c7fe8152a0cc9aa2966164fe1d4113

    SHA256

    237a17b9d328255a03bd00578d9e4b9643201c367db4de7ed3a0912ce6c362b8

    SHA512

    f38b12cd4c8c7c96d36d92237cd1ddc8120443247150c826f9b590b08068d1f450aebe874c3efbaba4b191e81b856af022b5dd81932f23daf4df7b426efb61cd

    Download Submit

  • C:\Program Files (x86)\Funshion\DyCrashRpt.dll
    Filesize

    95KB

    MD5

    1460461db87351d0846e90b831c19ab0

    SHA1

    7517fb8f0a6086ebd793acaa419a79fd6eb6b68c

    SHA256

    af4990e462c8fab3b5c76630b4ceba830869a8b46dd38c0451933ce44125cccc

    SHA512

    5e3dde7b798f63633253a27fbf45fd2305db800d4c68890e2f4d76a04a84e27929cadc7dbf08e06ca785a8708364c8c711ef7ec553181b1c6bc93b4daa951579

    Download Submit

  • C:\Program Files (x86)\Funshion\DySDKController.exe
    Filesize

    640KB

    MD5

    b0eaf64f871de90d09e7f29426673bd2

    SHA1

    c2cef5be272a10689cc37273d80cfc6231291ff1

    SHA256

    f891f0660ffe39047649b76a788567140c82fbe38e733ca7217446b0a555b228

    SHA512

    48aa05db236d49997a4a10031fb08c3f6ffc2be494b90943d01ee3cda39bc11451855b9a301b110457d6d248d047cd909d840a418c190129b29e223dc387f070

    Download Submit

  • C:\Program Files (x86)\Funshion\DySDKController.exe
    Filesize

    256KB

    MD5

    d6ac581100a25fb0d766b42efa353dfd

    SHA1

    c69c86d69354cf2f69e61bebeb5ac4ca840d0f97

    SHA256

    1a0ed9bcd21fe1a4a4e934fedfc69a787994942f7e691ac8f02b99afc1d115a6

    SHA512

    a14e13c96de848b57409ed2a56c53b10eafc319535b9be6caea3705dc9fec785c22e9ecf5550652c17e6f1110f3136fe24bdb16407af08abc25de80d38ea09ab

    Download Submit

  • C:\Program Files (x86)\Funshion\DySDKController.exe
    Filesize

    1024KB

    MD5

    10cf53c80502d28f077c177b46e710c1

    SHA1

    1aebc93f653e865231a0fe39b3f9c0350a51e25f

    SHA256

    ba61dbefbdc995574a9b33595797b0fc03fc385f48e086d4aa36ed888db7f2bd

    SHA512

    ec9e6577f42a47e94d20b9a9325c224c04217469ed87aa3ba41d2ed31bff2c718048919e7da6b0476156c30f7b01b1be3df6ee40039bb2b6f11b8601ba5d7075

    Download Submit

  • C:\ProgramData\afd.bin
    Filesize

    198KB

    MD5

    e4813426c6d32d0ed3eb21369194f539

    SHA1

    f23b558f9917765a5e7848b05bd04aef813b46e5

    SHA256

    56bb0f8be5e06c1e394adbd88a97bbef4d5119a3b38d066c79a523790bb8a8d0

    SHA512

    2197a288939e21bb83682ac64b280a4fd029e629229c1190f2cc9839064b6ff6486d4c32d84c9c89f565460bae8a10a03a13b6cc5bf7a351b68d5bdf51a321a8

    Download Submit

  • memory/4812-21-0x00000000025D0000-0x0000000002634000-memory.dmp

    Filesize

    400KB

    Download

  • memory/4812-20-0x0000000010000000-0x0000000010031000-memory.dmp

    Filesize

    196KB

    Download

  • memory/4812-25-0x0000000000B70000-0x0000000000B9A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4812-18-0x0000000073C70000-0x0000000073C98000-memory.dmp

    Filesize

    160KB

    Download

  • memory/4812-30-0x0000000073C70000-0x0000000073C98000-memory.dmp

    Filesize

    160KB

    Download