Overview

overview

10

Static

static

2d9002135a...f4.exe

windows7_x64

10

2d9002135a...f4.exe

windows10_x64

10

Resubmissions

03-07-2021 10:50

210703-jh2cb389k6 10

01-07-2021 14:19

210701-xnbfc8bzks 10

Analysis

  • max time kernel
    4s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    01-07-2021 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe

Score
10/10
fatalratinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat Payload 1 IoCs
    ratinfostealer
  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe
    "C:\Users\Admin\AppData\Local\Temp\2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1096
  • C:\Windows\Vwxyab.exe
    C:\Windows\Vwxyab.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\Vwxyab.exe
      C:\Windows\Vwxyab.exe Win7
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\SVP7.PNG
    MD5

    2da0d1842cce00414ad22f38c85cb111

    SHA1

    99853f6a8378220427b6a05bedb34e8f4e45645f

    SHA256

    cd70bde1d7eabbe12efd0bb2ed414dc6fe6645f7dabb0f3a39d7b70c6259bace

    SHA512

    5457d25270dfd0d2df3b54743c0d5a43b0b17a318045f7aaa0058ec1d47d5e0e8e51a260a57408969e8080e92a475caddbc77d617c35d02f5dc67623ed6e7888

    Download Submit
  • C:\Windows\Vwxyab.exe
    MD5

    d96987f5e2f64b880cfb3a7de05ff0ef

    SHA1

    edd15437be63392c7cd332919c332029a2240dd0

    SHA256

    2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4

    SHA512

    226329ad4d9684a0ef0cfdb80450f9006a9d0f88007b3f31d4bfa6f258c94fdc06262f560327511acb49847729875ee9e80f327f32f9b23a75ec0eb1ffa6090b

    Download Submit
  • C:\Windows\Vwxyab.exe
    MD5

    d96987f5e2f64b880cfb3a7de05ff0ef

    SHA1

    edd15437be63392c7cd332919c332029a2240dd0

    SHA256

    2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4

    SHA512

    226329ad4d9684a0ef0cfdb80450f9006a9d0f88007b3f31d4bfa6f258c94fdc06262f560327511acb49847729875ee9e80f327f32f9b23a75ec0eb1ffa6090b

    Download Submit
  • C:\Windows\Vwxyab.exe
    MD5

    d96987f5e2f64b880cfb3a7de05ff0ef

    SHA1

    edd15437be63392c7cd332919c332029a2240dd0

    SHA256

    2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4

    SHA512

    226329ad4d9684a0ef0cfdb80450f9006a9d0f88007b3f31d4bfa6f258c94fdc06262f560327511acb49847729875ee9e80f327f32f9b23a75ec0eb1ffa6090b

    Download Submit
  • memory/1096-60-0x0000000075201000-0x0000000075203000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1096-61-0x0000000010000000-0x000000001002A000-memory.dmp
    Filesize

    168KB

    Download
  • memory/2012-69-0x0000000000000000-mapping.dmp
    Download