Analysis

  • max time kernel
    139s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 15:32

General

  • Target

    1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe

  • Size

    7.6MB

  • MD5

    22b431d06ffbd17f49894fb5a8d708e1

  • SHA1

    0ffd16b2b439648da1cceca617e8d629c7905e8e

  • SHA256

    1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee

  • SHA512

    51c90a0bb6e269654cb7d95dd865b0fc196ce7b945d5e2cc5bea0c104863ce15e90d1e2969bf589ec7222a9111317cd1c8c4bff378b42fea62df270fde5de0fe

  • SSDEEP

    196608:w5LIRiAsLXsRZj62vvoVLp7YuLNxr7mFCpp3FjbA9:cYsrsRZj62X4EE7pl9A9

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

  • Fatal Rat payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe
    "C:\Users\Admin\AppData\Local\Temp\1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Program Files (x86)\Fonsd\update.exe
      "C:\Program Files (x86)\Fonsd\update.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Fonsd\MSVCR100.dll

    Filesize

    756KB

    MD5

    ef3e115c225588a680acf365158b2f4a

    SHA1

    ecda6d3b4642d2451817833b39248778e9c2cbb0

    SHA256

    25d1cc5be93c7a0b58855ad1f4c9df3cfb9ec87e5dc13db85b147b1951ac6fa8

    SHA512

    d51f51336b7a34eb6c8f429597c3d685eb53853ee5e9d4857c40fc7be6956f1b8363d8d34bebad15ccceae45a6eb69f105f2df6a672f15fb0e6f8d0bb1afb91a

  • C:\Program Files (x86)\Fonsd\dmcef.dll

    Filesize

    112KB

    MD5

    4cc6c14965dc584f09024497e32bce07

    SHA1

    67143d3b0338b7bcb8c1cfcfc24a25859d67095a

    SHA256

    08fdef9c3b54e2049ad80b838a4a4afef3a99c608e1305f358360ea1d0e37cb9

    SHA512

    f26db500778869bbc04b7ae54a75a7250edcb2fd6c9ff9a692cc98030863ae0b87952320c7dcd6d64c35c6b46b6f7090aa493f656fb606ec53bf31d10d0841c4

  • C:\Program Files (x86)\Fonsd\kdsd.dat

    Filesize

    198KB

    MD5

    549af62420bf054e967a2e1c5bb88769

    SHA1

    043dc0cccd0337e83cc2aa45b572fd83584b6c82

    SHA256

    0c2dcd599299c084fc53384d9eb9f50ac3d74a96029b50b4bf3ccd9aa209897d

    SHA512

    547148f4c9c97acae26431af818e6ae94834ac85284b1fab8603ce654b2c889e9467addecb8b6db23fa36cf420bf6f5251bf3009a4926db3777dbe06cc715123

  • C:\Program Files (x86)\Fonsd\msvcp100.dll

    Filesize

    412KB

    MD5

    ed40615aa67499e2d2da8389ba9b331a

    SHA1

    09780d2c9d75878f7a9bb94599f3dc9386cf3789

    SHA256

    cd28daeda3c8731030e2077e6eccbb609e2098919b05ff310bef8dce1dce2d8d

    SHA512

    47d94c5f4829a0f901b57084c22b24adefb4aec2f7b8df9ea838e485dbc607aa837ed6d3c7186159499c44a3ff488fb04f770c624649a406854d82cd3baf72ee

  • C:\Program Files (x86)\Fonsd\update.exe

    Filesize

    294KB

    MD5

    bcf4278bf8b9a49fbab9b49d9d6e34cd

    SHA1

    4138c5b6159e280cb9df9007d63d859e4aae9bdd

    SHA256

    bce88b8d91f9dad4d0492a5ba633cab7ffb32afdfe9a47e4e76898d8662835c8

    SHA512

    aa23a9f38636175ef06bb64c0c7bb881a9ce5a169b77445347d333c40ca49b243ce119ab0602fd661a6574a1e9ec914306ab0a3bfe9b7a2b58ca5ef63f4971a3

  • C:\Program Files (x86)\Fonsd\version.xml

    Filesize

    78KB

    MD5

    003f49618eb5502132ed575cf1124c19

    SHA1

    4d378b777d881f1da23c2a8e7bf702e6e2953b1d

    SHA256

    6098f2a0e775bede6c322628b76a64eae7c2656c178858d7f65b4c0846e5c568

    SHA512

    98fbbaa15ae3c35922a458bc06ad218fd0b076bfae67af1522b888f9b2bc349514f2362dc2fc22ef2cceb68d22b230e3bc18e724b58ca89048b0daaf8d950881

  • memory/2112-28-0x0000000010000000-0x0000000010018000-memory.dmp

    Filesize

    96KB

  • memory/2112-45-0x0000000002E40000-0x0000000002F37000-memory.dmp

    Filesize

    988KB

  • memory/2112-40-0x0000000002DF0000-0x0000000002E1A000-memory.dmp

    Filesize

    168KB

  • memory/2112-36-0x0000000002DB0000-0x0000000002DE1000-memory.dmp

    Filesize

    196KB

  • memory/2112-34-0x0000000002B30000-0x0000000002C27000-memory.dmp

    Filesize

    988KB

  • memory/2372-26-0x0000000000CE5000-0x00000000010E1000-memory.dmp

    Filesize

    4.0MB

  • memory/2372-33-0x0000000000B80000-0x0000000001A67000-memory.dmp

    Filesize

    14.9MB

  • memory/2372-0-0x0000000000B40000-0x0000000000B41000-memory.dmp

    Filesize

    4KB

  • memory/2372-5-0x0000000000B80000-0x0000000001A67000-memory.dmp

    Filesize

    14.9MB

  • memory/2372-1-0x0000000000B80000-0x0000000001A67000-memory.dmp

    Filesize

    14.9MB

  • memory/2372-3-0x0000000000CE5000-0x00000000010E1000-memory.dmp

    Filesize

    4.0MB