fatalrat | 4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710

General

Target

4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe
Size

6.3MB
MD5

347e0f187d52f4abac877354dfd1539d
SHA1

8f1e98efbfd1be61f1fd0f89787f014b19651ba4
SHA256

4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710
SHA512

54ffc9911b8cca85e5208bfae4af69ded091b740e82b9ae8b92baf68575195191ed0ac6aa3f3be7f6fe79d831b2a2091dc3501e77db51134986dd2b40db90abc
SSDEEP

98304:JrQvvKGZ6MulJ2LK4hulR7AWIsVk8QWG1qvoZKMRREaXbGqZAQifd64MNnSs17u:ZyvYXJ2q93VDGVRaQKQCI4MNS27

Score

10^/10

fatalrat discovery infostealer rat vmprotect

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/2708-66-0x00000000009F0000-0x0000000000A1A000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

Processes:

update.exe

pid process

2708 update.exe
Loads dropped DLL 4 IoCs

Processes:

4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exeupdate.exe

pid process

3008 4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe
2708 update.exe
2708 update.exe
2708 update.exe

pid	process
2708	update.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/3008-31-0x0000000000050000-0x0000000000C59000-memory.dmp	vmprotect
behavioral1/memory/3008-33-0x0000000000050000-0x0000000000C59000-memory.dmp	vmprotect
behavioral1/memory/3008-39-0x0000000000050000-0x0000000000C59000-memory.dmp	vmprotect
behavioral1/memory/3008-59-0x0000000000050000-0x0000000000C59000-memory.dmp	vmprotect

Drops file in Program Files directory 6 IoCs

Processes:

4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe

description	ioc	process
File created	C:\Program Files (x86)\Fonsd\msvcp100.dll	4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe
File created	C:\Program Files (x86)\Fonsd\msvcr100.dll	4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe
File created	C:\Program Files (x86)\Fonsd\kdsd.dat	4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe
File created	C:\Program Files (x86)\Fonsd\version.xml	4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe
File created	C:\Program Files (x86)\Fonsd\update.exe	4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe
File created	C:\Program Files (x86)\Fonsd\dmcef.dll	4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exeupdate.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exeupdate.exe

pid	process
3008	4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe
3008	4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe
2708	update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

update.exe

description pid process

Token: SeDebugPrivilege 2708 update.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe

pid process

3008 4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe

description	pid	process
Token: SeDebugPrivilege	2708	update.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe

description	pid	process	target process
PID 3008 wrote to memory of 2708	3008	4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe	update.exe
PID 3008 wrote to memory of 2708	3008	4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe	update.exe
PID 3008 wrote to memory of 2708	3008	4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe	update.exe
PID 3008 wrote to memory of 2708	3008	4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe	update.exe
PID 3008 wrote to memory of 2708	3008	4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe	update.exe
PID 3008 wrote to memory of 2708	3008	4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe	update.exe
PID 3008 wrote to memory of 2708	3008	4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe	update.exe

C:\Users\Admin\AppData\Local\Temp\4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe
"C:\Users\Admin\AppData\Local\Temp\4f21d26ddb7e2f75f05b09a9d0394a65bef18f6520c8d6b37eba9eedadfd7710.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Program Files (x86)\Fonsd\update.exe
  "C:\Program Files (x86)\Fonsd\update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fonsd\kdsd.dat

Filesize
198KB

MD5
549af62420bf054e967a2e1c5bb88769

SHA1
043dc0cccd0337e83cc2aa45b572fd83584b6c82

SHA256
0c2dcd599299c084fc53384d9eb9f50ac3d74a96029b50b4bf3ccd9aa209897d

SHA512
547148f4c9c97acae26431af818e6ae94834ac85284b1fab8603ce654b2c889e9467addecb8b6db23fa36cf420bf6f5251bf3009a4926db3777dbe06cc715123

Download Submit
C:\Program Files (x86)\Fonsd\version.xml

Filesize
78KB

MD5
003f49618eb5502132ed575cf1124c19

SHA1
4d378b777d881f1da23c2a8e7bf702e6e2953b1d

SHA256
6098f2a0e775bede6c322628b76a64eae7c2656c178858d7f65b4c0846e5c568

SHA512
98fbbaa15ae3c35922a458bc06ad218fd0b076bfae67af1522b888f9b2bc349514f2362dc2fc22ef2cceb68d22b230e3bc18e724b58ca89048b0daaf8d950881

Download Submit
\Program Files (x86)\Fonsd\dmcef.dll

Filesize
112KB

MD5
4cc6c14965dc584f09024497e32bce07

SHA1
67143d3b0338b7bcb8c1cfcfc24a25859d67095a

SHA256
08fdef9c3b54e2049ad80b838a4a4afef3a99c608e1305f358360ea1d0e37cb9

SHA512
f26db500778869bbc04b7ae54a75a7250edcb2fd6c9ff9a692cc98030863ae0b87952320c7dcd6d64c35c6b46b6f7090aa493f656fb606ec53bf31d10d0841c4

Download Submit
\Program Files (x86)\Fonsd\msvcp100.dll

Filesize
412KB

MD5
ed40615aa67499e2d2da8389ba9b331a

SHA1
09780d2c9d75878f7a9bb94599f3dc9386cf3789

SHA256
cd28daeda3c8731030e2077e6eccbb609e2098919b05ff310bef8dce1dce2d8d

SHA512
47d94c5f4829a0f901b57084c22b24adefb4aec2f7b8df9ea838e485dbc607aa837ed6d3c7186159499c44a3ff488fb04f770c624649a406854d82cd3baf72ee

Download Submit
\Program Files (x86)\Fonsd\msvcr100.dll

Filesize
756KB

MD5
ef3e115c225588a680acf365158b2f4a

SHA1
ecda6d3b4642d2451817833b39248778e9c2cbb0

SHA256
25d1cc5be93c7a0b58855ad1f4c9df3cfb9ec87e5dc13db85b147b1951ac6fa8

SHA512
d51f51336b7a34eb6c8f429597c3d685eb53853ee5e9d4857c40fc7be6956f1b8363d8d34bebad15ccceae45a6eb69f105f2df6a672f15fb0e6f8d0bb1afb91a

Download Submit
\Program Files (x86)\Fonsd\update.exe

Filesize
294KB

MD5
bcf4278bf8b9a49fbab9b49d9d6e34cd

SHA1
4138c5b6159e280cb9df9007d63d859e4aae9bdd

SHA256
bce88b8d91f9dad4d0492a5ba633cab7ffb32afdfe9a47e4e76898d8662835c8

SHA512
aa23a9f38636175ef06bb64c0c7bb881a9ce5a169b77445347d333c40ca49b243ce119ab0602fd661a6574a1e9ec914306ab0a3bfe9b7a2b58ca5ef63f4971a3

Download Submit
memory/2708-66-0x00000000009F0000-0x0000000000A1A000-memory.dmp

Filesize
168KB

Download
memory/2708-61-0x0000000000880000-0x00000000008B1000-memory.dmp

Filesize
196KB

Download
memory/2708-65-0x0000000000D60000-0x0000000000E57000-memory.dmp

Filesize
988KB

Download
memory/2708-58-0x00000000008F0000-0x00000000009E7000-memory.dmp

Filesize
988KB

Download
memory/2708-53-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/3008-17-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/3008-14-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/3008-4-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3008-2-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3008-0-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3008-39-0x0000000000050000-0x0000000000C59000-memory.dmp

Filesize
12.0MB

Download
memory/3008-7-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/3008-9-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/3008-12-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/3008-5-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/3008-29-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3008-19-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/3008-59-0x0000000000050000-0x0000000000C59000-memory.dmp

Filesize
12.0MB

Download
memory/3008-22-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3008-24-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3008-27-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3008-33-0x0000000000050000-0x0000000000C59000-memory.dmp

Filesize
12.0MB

Download
memory/3008-31-0x0000000000050000-0x0000000000C59000-memory.dmp

Filesize
12.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads