fatalrat | 7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52

General

Target

7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe
Size

3.2MB
MD5

091bb98737891920aafa39a9d09f5ad3
SHA1

6b4aaf96ac3df5ecdbce6dc51b0efa64c3435260
SHA256

7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52
SHA512

4d9cd1d57cdb97be5a053d220472b98ca19e66013c1a0ae7c913a56501909bb7ef05556e17d8f627b9d7761a4fee6dbc11ffdb772e6571d6f13fb652dacbea34
SSDEEP

49152:JS2XlIwMHmFvbm2alfxOLWLrev6H8aa01YORgTqPO5MJ:s2XlIw5C2alJFjfRF

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral2/memory/368-21-0x0000000000BD0000-0x0000000000BFA000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe

Executes dropped EXE 1 IoCs

Processes:

Pepper.exe

pid process

368 Pepper.exe
Loads dropped DLL 1 IoCs

Processes:

Pepper.exe

pid process

368 Pepper.exe

pid	process
368	Pepper.exe

pid	process
368	Pepper.exe

Drops file in Program Files directory 3 IoCs

Processes:

7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe

description	ioc	process
File created	C:\Program Files (x86)\Funshion\cvsd.xml	7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe
File created	C:\Program Files (x86)\Funshion\libcef.dll	7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe
File created	C:\Program Files (x86)\Funshion\Pepper.exe	7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe

pid	process
4808	7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe
4808	7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe
4808	7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe
4808	7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Pepper.exe

description pid process

Token: SeDebugPrivilege 368 Pepper.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe

pid process

4808 7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe

description	pid	process
Token: SeDebugPrivilege	368	Pepper.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe

description	pid	process	target process
PID 4808 wrote to memory of 368	4808	7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe	Pepper.exe
PID 4808 wrote to memory of 368	4808	7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe	Pepper.exe
PID 4808 wrote to memory of 368	4808	7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe	Pepper.exe

C:\Users\Admin\AppData\Local\Temp\7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe
"C:\Users\Admin\AppData\Local\Temp\7a8087eef21400d5a6ba7a7c6474fc60cb520064756ea1c17d5cf8d066a0fa52.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Program Files (x86)\Funshion\Pepper.exe
  "C:\Program Files (x86)\Funshion\Pepper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion\Pepper.exe

Filesize
64KB

MD5
813f1b2b6b901b6d1bfbb98d9234feb3

SHA1
0e4f4890e64954fa89efcd06f28a45e9cf3192bf

SHA256
6d7f877fb8a2231df927308794250361fb900fa66e16b656d4cfeeb4e6668010

SHA512
ef11b7c07b3656874098501aefee50d7bac8fc329920eeb2f6b7207651795dd22f7d24a1e6932cfadd0be6e5f547ebd201a65c44b9b2c0cb91deed2d61ad3f7f

Download Submit
C:\Program Files (x86)\Funshion\Pepper.exe

Filesize
567KB

MD5
9ad66449f11a804d30491f1935179aac

SHA1
392a8dd96227112a423c6ad7370e3ebea2242ce4

SHA256
0f21f267f9e4785578584225c7d1880aa20e8f426fce99fd2ca307b9599b0666

SHA512
f633bd3e38c143619528bc9109cde15cd320d5d0e4f426b0b1feaed0a66322be78ec7d5d30a4a93026b1eee3f89a5e738af590153f4c39fb8420da3863ce1c75

Download Submit
C:\Program Files (x86)\Funshion\libcef.dll

Filesize
50KB

MD5
371e19e57bda8036dc6288ff102e2575

SHA1
e001a551793b0b80890a37ba10a97f4f780c64ce

SHA256
57972b1ae66dcdfdadc79e756b3105387dfda80ac256632ff00b25c117634825

SHA512
482272f36e870d36f9d49646f9fe0fa0d5ab47be44f8a5abdd874ebbca99fcf2e9a2daff5911e50fc8c5af5cedb1d8c2c8929a3c7ae68b14822a9cdfa10b6d4a

Download Submit
C:\ProgramData\afd.bin

Filesize
198KB

MD5
7f4f6f2fb0767d623598787c80a3886e

SHA1
6e80630908741661b8227c25a35047d5c86cc0ba

SHA256
1cf5a49f808e3297bfd47c2e38c75bf7ac875470f52969b0bd55d57ae44ddaa8

SHA512
f9d7b51e9d3d9f08374a500c0b7d09f67864164208268ccdfd4d3ae89a7155734f70dc25f4f6528e16be60674a772a7347ad610416a118100f1e699a9d0bafc5

Download Submit
memory/368-17-0x0000000000B50000-0x0000000000BB4000-memory.dmp

Filesize
400KB

Download
memory/368-16-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/368-21-0x0000000000BD0000-0x0000000000BFA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads