fatalrat | 2d68ea954ba7ff7da8b6f8d9003943d9cb314493d5c8e0b04146c2bb67884903

Analysis

max time kernel
125s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2023 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d68ea954ba7ff7da8b6f8d9003943d9cb314493d5c8e0b04146c2bb67884903.exe
Size

508KB
MD5

748153a93ec63ecbbb5dbd4a4c57c34f
SHA1

41161e254b1112f02be8efc10be58dd2b284a013
SHA256

2d68ea954ba7ff7da8b6f8d9003943d9cb314493d5c8e0b04146c2bb67884903
SHA512

af43c1c6f77415253a9fd8288a8944d347bd342aa62ef7fdcdbb48ca24eab86f012aa932d2d9360e0a88a397bf45ef65f5e0de1607bcd5d76ed55f63d88e49fe
SSDEEP

6144:gqRtk+feyFwSzkPDNGEfDVFG1wqBVb1w1s:Jtk+8ykLlpF6PVR9

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/2820-136-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat
behavioral2/memory/416-145-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

pid	Process
416	Vwxyab.exe
1388	Vwxyab.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Vwxyab.exe	2d68ea954ba7ff7da8b6f8d9003943d9cb314493d5c8e0b04146c2bb67884903.exe
File opened for modification	C:\Windows\Vwxyab.exe	Vwxyab.exe
File created	C:\Windows\Vwxyab.exe	Vwxyab.exe
File created	C:\Windows\Vwxyab.exe	2d68ea954ba7ff7da8b6f8d9003943d9cb314493d5c8e0b04146c2bb67884903.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services	Vwxyab.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Vwxyab Defghijk\Group = "Fatal"	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	Vwxyab.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Vwxyab Defghijk\InstallTime = "2023-08-22 23:35"	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Vwxyab.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Vwxyab Defghijk	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Vwxyab.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Vwxyab.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Vwxyab.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Vwxyab Defghijk	Vwxyab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe
1388	Vwxyab.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	2d68ea954ba7ff7da8b6f8d9003943d9cb314493d5c8e0b04146c2bb67884903.exe
Token: SeDebugPrivilege	416	Vwxyab.exe
Token: SeDebugPrivilege	1388	Vwxyab.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 1388	416	Vwxyab.exe	83
PID 416 wrote to memory of 1388	416	Vwxyab.exe	83
PID 416 wrote to memory of 1388	416	Vwxyab.exe	83

C:\Users\Admin\AppData\Local\Temp\2d68ea954ba7ff7da8b6f8d9003943d9cb314493d5c8e0b04146c2bb67884903.exe
"C:\Users\Admin\AppData\Local\Temp\2d68ea954ba7ff7da8b6f8d9003943d9cb314493d5c8e0b04146c2bb67884903.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\Vwxyab.exe
C:\Windows\Vwxyab.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:416
- C:\Windows\Vwxyab.exe
  C:\Windows\Vwxyab.exe Win7
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Vwxyab.exe

Filesize
508KB

MD5
748153a93ec63ecbbb5dbd4a4c57c34f

SHA1
41161e254b1112f02be8efc10be58dd2b284a013

SHA256
2d68ea954ba7ff7da8b6f8d9003943d9cb314493d5c8e0b04146c2bb67884903

SHA512
af43c1c6f77415253a9fd8288a8944d347bd342aa62ef7fdcdbb48ca24eab86f012aa932d2d9360e0a88a397bf45ef65f5e0de1607bcd5d76ed55f63d88e49fe

Download Submit
C:\Windows\Vwxyab.exe

Filesize
508KB

MD5
748153a93ec63ecbbb5dbd4a4c57c34f

SHA1
41161e254b1112f02be8efc10be58dd2b284a013

SHA256
2d68ea954ba7ff7da8b6f8d9003943d9cb314493d5c8e0b04146c2bb67884903

SHA512
af43c1c6f77415253a9fd8288a8944d347bd342aa62ef7fdcdbb48ca24eab86f012aa932d2d9360e0a88a397bf45ef65f5e0de1607bcd5d76ed55f63d88e49fe

Download Submit
C:\Windows\Vwxyab.exe

Filesize
508KB

MD5
748153a93ec63ecbbb5dbd4a4c57c34f

SHA1
41161e254b1112f02be8efc10be58dd2b284a013

SHA256
2d68ea954ba7ff7da8b6f8d9003943d9cb314493d5c8e0b04146c2bb67884903

SHA512
af43c1c6f77415253a9fd8288a8944d347bd342aa62ef7fdcdbb48ca24eab86f012aa932d2d9360e0a88a397bf45ef65f5e0de1607bcd5d76ed55f63d88e49fe

Download Submit
memory/416-145-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/2820-136-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download