fatalrat | 1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee

General

Target

1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe
Size

7.6MB
MD5

22b431d06ffbd17f49894fb5a8d708e1
SHA1

0ffd16b2b439648da1cceca617e8d629c7905e8e
SHA256

1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee
SHA512

51c90a0bb6e269654cb7d95dd865b0fc196ce7b945d5e2cc5bea0c104863ce15e90d1e2969bf589ec7222a9111317cd1c8c4bff378b42fea62df270fde5de0fe
SSDEEP

196608:w5LIRiAsLXsRZj62vvoVLp7YuLNxr7mFCpp3FjbA9:cYsrsRZj62X4EE7pl9A9

Score

10^/10

fatalrat discovery infostealer rat vmprotect

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral2/memory/2112-40-0x0000000002DF0000-0x0000000002E1A000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe

Executes dropped EXE 1 IoCs

Processes:

update.exe

pid process

2112 update.exe
Loads dropped DLL 4 IoCs

Processes:

update.exe

pid process

2112 update.exe
2112 update.exe
2112 update.exe
2112 update.exe

pid	process
2112	update.exe

pid	process
2112	update.exe
2112	update.exe
2112	update.exe
2112	update.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2372-1-0x0000000000B80000-0x0000000001A67000-memory.dmp	vmprotect
behavioral2/memory/2372-5-0x0000000000B80000-0x0000000001A67000-memory.dmp	vmprotect
behavioral2/memory/2372-33-0x0000000000B80000-0x0000000001A67000-memory.dmp	vmprotect

Drops file in Program Files directory 6 IoCs

Processes:

1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe

description	ioc	process
File created	C:\Program Files (x86)\Fonsd\dmcef.dll	1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe
File created	C:\Program Files (x86)\Fonsd\msvcp100.dll	1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe
File created	C:\Program Files (x86)\Fonsd\msvcr100.dll	1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe
File created	C:\Program Files (x86)\Fonsd\kdsd.dat	1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe
File created	C:\Program Files (x86)\Fonsd\version.xml	1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe
File created	C:\Program Files (x86)\Fonsd\update.exe	1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exeupdate.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exeupdate.exe

pid	process
2372	1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe
2372	1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe
2112	update.exe
2112	update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

update.exe

description pid process

Token: SeDebugPrivilege 2112 update.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe

pid process

2372 1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe

description	pid	process
Token: SeDebugPrivilege	2112	update.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe

description	pid	process	target process
PID 2372 wrote to memory of 2112	2372	1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe	update.exe
PID 2372 wrote to memory of 2112	2372	1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe	update.exe
PID 2372 wrote to memory of 2112	2372	1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe	update.exe

C:\Users\Admin\AppData\Local\Temp\1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe
"C:\Users\Admin\AppData\Local\Temp\1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372

C:\Program Files (x86)\Fonsd\update.exe
"C:\Program Files (x86)\Fonsd\update.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fonsd\MSVCR100.dll

Filesize
756KB

MD5
ef3e115c225588a680acf365158b2f4a

SHA1
ecda6d3b4642d2451817833b39248778e9c2cbb0

SHA256
25d1cc5be93c7a0b58855ad1f4c9df3cfb9ec87e5dc13db85b147b1951ac6fa8

SHA512
d51f51336b7a34eb6c8f429597c3d685eb53853ee5e9d4857c40fc7be6956f1b8363d8d34bebad15ccceae45a6eb69f105f2df6a672f15fb0e6f8d0bb1afb91a

Download Submit
C:\Program Files (x86)\Fonsd\dmcef.dll

Filesize
112KB

MD5
4cc6c14965dc584f09024497e32bce07

SHA1
67143d3b0338b7bcb8c1cfcfc24a25859d67095a

SHA256
08fdef9c3b54e2049ad80b838a4a4afef3a99c608e1305f358360ea1d0e37cb9

SHA512
f26db500778869bbc04b7ae54a75a7250edcb2fd6c9ff9a692cc98030863ae0b87952320c7dcd6d64c35c6b46b6f7090aa493f656fb606ec53bf31d10d0841c4

Download Submit
C:\Program Files (x86)\Fonsd\kdsd.dat

Filesize
198KB

MD5
549af62420bf054e967a2e1c5bb88769

SHA1
043dc0cccd0337e83cc2aa45b572fd83584b6c82

SHA256
0c2dcd599299c084fc53384d9eb9f50ac3d74a96029b50b4bf3ccd9aa209897d

SHA512
547148f4c9c97acae26431af818e6ae94834ac85284b1fab8603ce654b2c889e9467addecb8b6db23fa36cf420bf6f5251bf3009a4926db3777dbe06cc715123

Download Submit
C:\Program Files (x86)\Fonsd\msvcp100.dll

Filesize
412KB

MD5
ed40615aa67499e2d2da8389ba9b331a

SHA1
09780d2c9d75878f7a9bb94599f3dc9386cf3789

SHA256
cd28daeda3c8731030e2077e6eccbb609e2098919b05ff310bef8dce1dce2d8d

SHA512
47d94c5f4829a0f901b57084c22b24adefb4aec2f7b8df9ea838e485dbc607aa837ed6d3c7186159499c44a3ff488fb04f770c624649a406854d82cd3baf72ee

Download Submit
C:\Program Files (x86)\Fonsd\update.exe

Filesize
294KB

MD5
bcf4278bf8b9a49fbab9b49d9d6e34cd

SHA1
4138c5b6159e280cb9df9007d63d859e4aae9bdd

SHA256
bce88b8d91f9dad4d0492a5ba633cab7ffb32afdfe9a47e4e76898d8662835c8

SHA512
aa23a9f38636175ef06bb64c0c7bb881a9ce5a169b77445347d333c40ca49b243ce119ab0602fd661a6574a1e9ec914306ab0a3bfe9b7a2b58ca5ef63f4971a3

Download Submit
C:\Program Files (x86)\Fonsd\version.xml

Filesize
78KB

MD5
003f49618eb5502132ed575cf1124c19

SHA1
4d378b777d881f1da23c2a8e7bf702e6e2953b1d

SHA256
6098f2a0e775bede6c322628b76a64eae7c2656c178858d7f65b4c0846e5c568

SHA512
98fbbaa15ae3c35922a458bc06ad218fd0b076bfae67af1522b888f9b2bc349514f2362dc2fc22ef2cceb68d22b230e3bc18e724b58ca89048b0daaf8d950881

Download Submit
memory/2112-28-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2112-45-0x0000000002E40000-0x0000000002F37000-memory.dmp

Filesize
988KB

Download
memory/2112-40-0x0000000002DF0000-0x0000000002E1A000-memory.dmp

Filesize
168KB

Download
memory/2112-36-0x0000000002DB0000-0x0000000002DE1000-memory.dmp

Filesize
196KB

Download
memory/2112-34-0x0000000002B30000-0x0000000002C27000-memory.dmp

Filesize
988KB

Download
memory/2372-26-0x0000000000CE5000-0x00000000010E1000-memory.dmp

Filesize
4.0MB

Download
memory/2372-33-0x0000000000B80000-0x0000000001A67000-memory.dmp

Filesize
14.9MB

Download
memory/2372-0-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2372-5-0x0000000000B80000-0x0000000001A67000-memory.dmp

Filesize
14.9MB

Download
memory/2372-1-0x0000000000B80000-0x0000000001A67000-memory.dmp

Filesize
14.9MB

Download
memory/2372-3-0x0000000000CE5000-0x00000000010E1000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads