fatalrat | 192d445fa3b7ca7b6238e63d6f0677b2a0300370462b994a7287cb33142bdcbb

General

Target

192d445fa3b7ca7b6238e63d6f0677b2a0300370462b994a7287cb33142bdcbb.exe
Size

293KB
MD5

b7fd72a3f295cb08e6536643c808d0c7
SHA1

3bba05bde5119776dd015046ab0ebdb6127e50e1
SHA256

192d445fa3b7ca7b6238e63d6f0677b2a0300370462b994a7287cb33142bdcbb
SHA512

11cbbceb7025ee8f38d805574ba0ae9c1069bc5d0d7742006c7e3a46cb94f7e5c62a1b191474b7fb5777361ef02e74e79aa0a204bb942976c4e0bb85d88edc05
SSDEEP

6144:856Un3QmD+7KFw3nJsiQ6GPvaEKcEGnn9mrk83/J9b5RrVZ:7Ug8+7dJsQGPGcEG9mhPtRrz

Score

10^/10

fatalrat infostealer rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 4 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2600-1-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat
behavioral1/memory/2600-6-0x0000000000400000-0x00000000004D7000-memory.dmp	fatalrat
behavioral1/memory/2160-23-0x0000000000400000-0x00000000004D7000-memory.dmp	fatalrat
behavioral1/memory/1404-24-0x0000000000400000-0x00000000004D7000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

pid	Process
2160	Svwxya.exe
1404	Svwxya.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2600-0-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral1/memory/2600-6-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral1/files/0x0015000000011fff-8.dat	upx
behavioral1/memory/2160-9-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral1/files/0x0015000000011fff-16.dat	upx
behavioral1/files/0x0015000000011fff-17.dat	upx
behavioral1/memory/2160-23-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral1/memory/1404-24-0x0000000000400000-0x00000000004D7000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Svwxya.exe	Svwxya.exe
File created	C:\Program Files (x86)\Svwxya.exe	192d445fa3b7ca7b6238e63d6f0677b2a0300370462b994a7287cb33142bdcbb.exe
File opened for modification	C:\Program Files (x86)\Svwxya.exe	192d445fa3b7ca7b6238e63d6f0677b2a0300370462b994a7287cb33142bdcbb.exe
File opened for modification	C:\Program Files (x86)\Svwxya.exe	Svwxya.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	Svwxya.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Svwxya.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh\InstallTime = "2023-10-05 18:56"	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	Svwxya.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh\Group = "Fatal"	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Svwxya.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	Svwxya.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2600	192d445fa3b7ca7b6238e63d6f0677b2a0300370462b994a7287cb33142bdcbb.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	192d445fa3b7ca7b6238e63d6f0677b2a0300370462b994a7287cb33142bdcbb.exe
Token: SeDebugPrivilege	2160	Svwxya.exe
Token: SeDebugPrivilege	1404	Svwxya.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1404	2160	Svwxya.exe	29
PID 2160 wrote to memory of 1404	2160	Svwxya.exe	29
PID 2160 wrote to memory of 1404	2160	Svwxya.exe	29
PID 2160 wrote to memory of 1404	2160	Svwxya.exe	29

C:\Users\Admin\AppData\Local\Temp\192d445fa3b7ca7b6238e63d6f0677b2a0300370462b994a7287cb33142bdcbb.exe
"C:\Users\Admin\AppData\Local\Temp\192d445fa3b7ca7b6238e63d6f0677b2a0300370462b994a7287cb33142bdcbb.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Program Files (x86)\Svwxya.exe
"C:\Program Files (x86)\Svwxya.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Program Files (x86)\Svwxya.exe
  "C:\Program Files (x86)\Svwxya.exe" Win7
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Svwxya.exe

Filesize
293KB

MD5
b7fd72a3f295cb08e6536643c808d0c7

SHA1
3bba05bde5119776dd015046ab0ebdb6127e50e1

SHA256
192d445fa3b7ca7b6238e63d6f0677b2a0300370462b994a7287cb33142bdcbb

SHA512
11cbbceb7025ee8f38d805574ba0ae9c1069bc5d0d7742006c7e3a46cb94f7e5c62a1b191474b7fb5777361ef02e74e79aa0a204bb942976c4e0bb85d88edc05

Download Submit
C:\Program Files (x86)\Svwxya.exe

Filesize
293KB

MD5
b7fd72a3f295cb08e6536643c808d0c7

SHA1
3bba05bde5119776dd015046ab0ebdb6127e50e1

SHA256
192d445fa3b7ca7b6238e63d6f0677b2a0300370462b994a7287cb33142bdcbb

SHA512
11cbbceb7025ee8f38d805574ba0ae9c1069bc5d0d7742006c7e3a46cb94f7e5c62a1b191474b7fb5777361ef02e74e79aa0a204bb942976c4e0bb85d88edc05

Download Submit
C:\Program Files (x86)\Svwxya.exe

Filesize
293KB

MD5
b7fd72a3f295cb08e6536643c808d0c7

SHA1
3bba05bde5119776dd015046ab0ebdb6127e50e1

SHA256
192d445fa3b7ca7b6238e63d6f0677b2a0300370462b994a7287cb33142bdcbb

SHA512
11cbbceb7025ee8f38d805574ba0ae9c1069bc5d0d7742006c7e3a46cb94f7e5c62a1b191474b7fb5777361ef02e74e79aa0a204bb942976c4e0bb85d88edc05

Download Submit
memory/1404-24-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2160-9-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2160-23-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2600-0-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2600-1-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/2600-6-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download

Analysis

Sharing