fatalrat | 5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404

General

Target

5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404.exe
Size

7.6MB
MD5

0afe4a82ef51395bb6bda370313374a4
SHA1

555126d7cff7373dfda33d309c211776ef32a6e5
SHA256

5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404
SHA512

2f7f040839bbd28e61b7161702f602ed49da1eaa49ec30af8c94b87e54e2943c6094478bc32e856ab9b7f85b09722b9a556b52151c9760c9250ba921ab6a21f6
SSDEEP

196608:w5LIRiAsLXsRZj62vvoVLp7YuLNxr7mFCpp3FjbA9h:cYsrsRZj62X4EE7pl9A9h

Score

10^/10

fatalrat infostealer rat vmprotect

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/4488-36-0x00000000029C0000-0x00000000029EA000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
4488	update.exe

Loads dropped DLL 4 IoCs

pid	Process
4488	update.exe
4488	update.exe
4488	update.exe
4488	update.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/3332-1-0x00000000012A0000-0x0000000002187000-memory.dmp	vmprotect
behavioral1/memory/3332-2-0x00000000012A0000-0x0000000002187000-memory.dmp	vmprotect
behavioral1/memory/3332-26-0x00000000012A0000-0x0000000002187000-memory.dmp	vmprotect

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Fonsd\dmcef.dll	5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404.exe
File created	C:\Program Files (x86)\Fonsd\msvcp100.dll	5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404.exe
File created	C:\Program Files (x86)\Fonsd\msvcr100.dll	5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404.exe
File created	C:\Program Files (x86)\Fonsd\kdsd.dat	5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404.exe
File created	C:\Program Files (x86)\Fonsd\version.xml	5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404.exe
File created	C:\Program Files (x86)\Fonsd\update.exe	5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3332	5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404.exe
3332	5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404.exe
4488	update.exe
4488	update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4488	update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3332	5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 4488	3332	5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404.exe	75
PID 3332 wrote to memory of 4488	3332	5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404.exe	75
PID 3332 wrote to memory of 4488	3332	5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404.exe	75

C:\Users\Admin\AppData\Local\Temp\5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404.exe
"C:\Users\Admin\AppData\Local\Temp\5147c7e0398f0fd6ea913eaf5665019e614853f0a754ee72c76b3643a25ad404.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Program Files (x86)\Fonsd\update.exe
  "C:\Program Files (x86)\Fonsd\update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fonsd\MSVCR100.dll

Filesize
756KB

MD5
ef3e115c225588a680acf365158b2f4a

SHA1
ecda6d3b4642d2451817833b39248778e9c2cbb0

SHA256
25d1cc5be93c7a0b58855ad1f4c9df3cfb9ec87e5dc13db85b147b1951ac6fa8

SHA512
d51f51336b7a34eb6c8f429597c3d685eb53853ee5e9d4857c40fc7be6956f1b8363d8d34bebad15ccceae45a6eb69f105f2df6a672f15fb0e6f8d0bb1afb91a

Download Submit
C:\Program Files (x86)\Fonsd\dmcef.dll

Filesize
112KB

MD5
4cc6c14965dc584f09024497e32bce07

SHA1
67143d3b0338b7bcb8c1cfcfc24a25859d67095a

SHA256
08fdef9c3b54e2049ad80b838a4a4afef3a99c608e1305f358360ea1d0e37cb9

SHA512
f26db500778869bbc04b7ae54a75a7250edcb2fd6c9ff9a692cc98030863ae0b87952320c7dcd6d64c35c6b46b6f7090aa493f656fb606ec53bf31d10d0841c4

Download Submit
C:\Program Files (x86)\Fonsd\kdsd.dat

Filesize
198KB

MD5
549af62420bf054e967a2e1c5bb88769

SHA1
043dc0cccd0337e83cc2aa45b572fd83584b6c82

SHA256
0c2dcd599299c084fc53384d9eb9f50ac3d74a96029b50b4bf3ccd9aa209897d

SHA512
547148f4c9c97acae26431af818e6ae94834ac85284b1fab8603ce654b2c889e9467addecb8b6db23fa36cf420bf6f5251bf3009a4926db3777dbe06cc715123

Download Submit
C:\Program Files (x86)\Fonsd\update.exe

Filesize
294KB

MD5
bcf4278bf8b9a49fbab9b49d9d6e34cd

SHA1
4138c5b6159e280cb9df9007d63d859e4aae9bdd

SHA256
bce88b8d91f9dad4d0492a5ba633cab7ffb32afdfe9a47e4e76898d8662835c8

SHA512
aa23a9f38636175ef06bb64c0c7bb881a9ce5a169b77445347d333c40ca49b243ce119ab0602fd661a6574a1e9ec914306ab0a3bfe9b7a2b58ca5ef63f4971a3

Download Submit
C:\Program Files (x86)\Fonsd\version.xml

Filesize
78KB

MD5
003f49618eb5502132ed575cf1124c19

SHA1
4d378b777d881f1da23c2a8e7bf702e6e2953b1d

SHA256
6098f2a0e775bede6c322628b76a64eae7c2656c178858d7f65b4c0846e5c568

SHA512
98fbbaa15ae3c35922a458bc06ad218fd0b076bfae67af1522b888f9b2bc349514f2362dc2fc22ef2cceb68d22b230e3bc18e724b58ca89048b0daaf8d950881

Download Submit
\Program Files (x86)\Fonsd\msvcp100.dll

Filesize
412KB

MD5
ed40615aa67499e2d2da8389ba9b331a

SHA1
09780d2c9d75878f7a9bb94599f3dc9386cf3789

SHA256
cd28daeda3c8731030e2077e6eccbb609e2098919b05ff310bef8dce1dce2d8d

SHA512
47d94c5f4829a0f901b57084c22b24adefb4aec2f7b8df9ea838e485dbc607aa837ed6d3c7186159499c44a3ff488fb04f770c624649a406854d82cd3baf72ee

Download Submit
\Program Files (x86)\Fonsd\msvcr100.dll

Filesize
256KB

MD5
06ab7bd09e74182fad83694af8926212

SHA1
27a5f599702c17ff527fe85505c6abf51b65a3f3

SHA256
548043d32095c83c8df5bc517a75bc75b580d96a146735c056006f144687b966

SHA512
df657a24fb8c67880ec04b2bd198e18430565e597245cd96e97e2b0c0daaed16f51127674d704e2dc4f07c706366d9eeacad3c2f0b59b115600318f8a1ab90d9

Download Submit
memory/3332-1-0x00000000012A0000-0x0000000002187000-memory.dmp

Filesize
14.9MB

Download
memory/3332-0-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/3332-26-0x00000000012A0000-0x0000000002187000-memory.dmp

Filesize
14.9MB

Download
memory/3332-2-0x00000000012A0000-0x0000000002187000-memory.dmp

Filesize
14.9MB

Download
memory/4488-23-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/4488-24-0x0000000002A00000-0x0000000002AF7000-memory.dmp

Filesize
988KB

Download
memory/4488-31-0x0000000002980000-0x00000000029B1000-memory.dmp

Filesize
196KB

Download
memory/4488-32-0x0000000002CE0000-0x0000000002DD7000-memory.dmp

Filesize
988KB

Download
memory/4488-36-0x00000000029C0000-0x00000000029EA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing