fatalrat | 86a1d63a26d15531238d62e231261dc73d3a1a1342bd037630890332d0bcdab5

General

Target

2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat Payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/1096-61-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

Processes:

Vwxyab.exeVwxyab.exe

pid process

2020 Vwxyab.exe
2012 Vwxyab.exe

pid	process
2020	Vwxyab.exe
2012	Vwxyab.exe

Drops file in Windows directory 4 IoCs

Processes:

2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exeVwxyab.exe

description	ioc	process
File created	C:\Windows\Vwxyab.exe	2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe
File opened for modification	C:\Windows\Vwxyab.exe	2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe
File opened for modification	C:\Windows\Vwxyab.exe	Vwxyab.exe
File created	C:\Windows\Vwxyab.exe	Vwxyab.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Vwxyab.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Vwxyab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Vwxyab.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

Vwxyab.exeVwxyab.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Vwxyab Defghijk	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services	Vwxyab.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Vwxyab Defghijk\InstallTime = "2021-07-01 16:16"	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	Vwxyab.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Vwxyab.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Vwxyab.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Vwxyab Defghijk\Group = "Fatal"	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	Vwxyab.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Vwxyab.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

Vwxyab.exe

pid	process
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe
2012	Vwxyab.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exeVwxyab.exeVwxyab.exe

description	pid	process
Token: SeDebugPrivilege	1096	2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe
Token: SeDebugPrivilege	2020	Vwxyab.exe
Token: SeDebugPrivilege	2012	Vwxyab.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Vwxyab.exe

description	pid	process	target process
PID 2020 wrote to memory of 2012	2020	Vwxyab.exe	Vwxyab.exe
PID 2020 wrote to memory of 2012	2020	Vwxyab.exe	Vwxyab.exe
PID 2020 wrote to memory of 2012	2020	Vwxyab.exe	Vwxyab.exe
PID 2020 wrote to memory of 2012	2020	Vwxyab.exe	Vwxyab.exe

C:\Users\Admin\AppData\Local\Temp\2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe
"C:\Users\Admin\AppData\Local\Temp\2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\Vwxyab.exe
C:\Windows\Vwxyab.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\Vwxyab.exe
  C:\Windows\Vwxyab.exe Win7
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\SVP7.PNG

MD5
2da0d1842cce00414ad22f38c85cb111

SHA1
99853f6a8378220427b6a05bedb34e8f4e45645f

SHA256
cd70bde1d7eabbe12efd0bb2ed414dc6fe6645f7dabb0f3a39d7b70c6259bace

SHA512
5457d25270dfd0d2df3b54743c0d5a43b0b17a318045f7aaa0058ec1d47d5e0e8e51a260a57408969e8080e92a475caddbc77d617c35d02f5dc67623ed6e7888

Download Submit
C:\Windows\Vwxyab.exe

MD5
d96987f5e2f64b880cfb3a7de05ff0ef

SHA1
edd15437be63392c7cd332919c332029a2240dd0

SHA256
2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4

SHA512
226329ad4d9684a0ef0cfdb80450f9006a9d0f88007b3f31d4bfa6f258c94fdc06262f560327511acb49847729875ee9e80f327f32f9b23a75ec0eb1ffa6090b

Download Submit
C:\Windows\Vwxyab.exe

MD5
d96987f5e2f64b880cfb3a7de05ff0ef

SHA1
edd15437be63392c7cd332919c332029a2240dd0

SHA256
2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4

SHA512
226329ad4d9684a0ef0cfdb80450f9006a9d0f88007b3f31d4bfa6f258c94fdc06262f560327511acb49847729875ee9e80f327f32f9b23a75ec0eb1ffa6090b

Download Submit
C:\Windows\Vwxyab.exe

MD5
d96987f5e2f64b880cfb3a7de05ff0ef

SHA1
edd15437be63392c7cd332919c332029a2240dd0

SHA256
2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4

SHA512
226329ad4d9684a0ef0cfdb80450f9006a9d0f88007b3f31d4bfa6f258c94fdc06262f560327511acb49847729875ee9e80f327f32f9b23a75ec0eb1ffa6090b

Download Submit
memory/1096-60-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1096-61-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/2012-69-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads