Analysis
-
max time kernel
137s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
04-09-2024 06:30
General
-
Target
20240904f42c665fe99295ac8f4936d8488487f3mafia.exe
-
Size
3.3MB
-
MD5
f42c665fe99295ac8f4936d8488487f3
-
SHA1
0f674cacdf78311e8f310d06b1c89869592e880f
-
SHA256
c9acf95beda28648ae089190cc72ae88e4ccccd50d59e06740714fbbfc16f432
-
SHA512
b8014dbf8944105f40491f05d39a8d2077b6d740d15917f797435230a03dceda22e0981de67d7e7500a050fadf1bd8405434606a35403755a5276e0c092206db
-
SSDEEP
98304:eeSgJLDOQD6MV91/3/yRbNBqWUBLKVYqbS66puB:F9D1XaRBBqWUcbS66pu
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\20240904f42c665fe99295ac8f4936d8488487f3mafia.exe"C:\Users\Admin\AppData\Local\Temp\20240904f42c665fe99295ac8f4936d8488487f3mafia.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Funshion\DySDKController.exe"C:\Program Files (x86)\Funshion\DySDKController.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
142KB
MD5f4e8f95ef1dc8ac0406511fb489d5aa3
SHA1259d274b31c7fe8152a0cc9aa2966164fe1d4113
SHA256237a17b9d328255a03bd00578d9e4b9643201c367db4de7ed3a0912ce6c362b8
SHA512f38b12cd4c8c7c96d36d92237cd1ddc8120443247150c826f9b590b08068d1f450aebe874c3efbaba4b191e81b856af022b5dd81932f23daf4df7b426efb61cd
-
Filesize
1.1MB
MD55441bc3e3ceb2162a65cbfb4b6e7acd3
SHA1103a0ec0f23e90def158eff9be7f63f6ca9af420
SHA25690fe10bb10fbc95285696423e0ba4bfc10f4dcb63ea8d94fe29871036e4859f6
SHA512f76ae8e1e43223e1fa06e5911b06dc7b2b3d60e3758fc5201c4dbd8df601b59be11e65f42ffe43a5823a71aa1cc328c7a2f625ca50893b1101d73d59b13b4ed4
-
Filesize
198KB
MD5e4813426c6d32d0ed3eb21369194f539
SHA1f23b558f9917765a5e7848b05bd04aef813b46e5
SHA25656bb0f8be5e06c1e394adbd88a97bbef4d5119a3b38d066c79a523790bb8a8d0
SHA5122197a288939e21bb83682ac64b280a4fd029e629229c1190f2cc9839064b6ff6486d4c32d84c9c89f565460bae8a10a03a13b6cc5bf7a351b68d5bdf51a321a8
-
Filesize
160KB
-
Filesize
196KB
-
Filesize
400KB
-
Filesize
168KB
-
Filesize
160KB