fatalrat | 94cc07a8a0c06fe97bebae3356b18a6283c13661086ba530b03d0a57ffa2db63

General

Target

94cc07a8a0c06fe97bebae3356b18a6283c13661086ba530b03d0a57ffa2db63.exe
Size

292KB
MD5

14867f1b93264bfd6b889ae4939ae9f1
SHA1

928d5d6b7f1c86dbb22b2b4cc0928488bc1569b4
SHA256

94cc07a8a0c06fe97bebae3356b18a6283c13661086ba530b03d0a57ffa2db63
SHA512

b1efaae56d4c866ff4e272698e41c369bf05454c6d41e08320eb353ced57e5af0a2f7d9cd324d824d829261261f15a0170158f802bf1de2aa6a63bc83401635a
SSDEEP

6144:0HHFupLjspCyyTKLhcy2pU42e03EWoqSbHG:0HHFY/spCtUhcy2OJEuc

Score

10^/10

fatalrat infostealer rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 5 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/4908-1-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat
behavioral2/memory/4908-6-0x0000000000400000-0x00000000004E1000-memory.dmp	fatalrat
behavioral2/memory/3724-10-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat
behavioral2/memory/3724-21-0x0000000000400000-0x00000000004E1000-memory.dmp	fatalrat
behavioral2/memory/3264-23-0x0000000000400000-0x00000000004E1000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

pid	Process
3724	Svwxya.exe
3264	Svwxya.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4908-0-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/4908-6-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/files/0x00070000000230b1-8.dat	upx
behavioral2/files/0x00070000000230b1-9.dat	upx
behavioral2/files/0x00070000000230b1-15.dat	upx
behavioral2/memory/3724-21-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/3264-23-0x0000000000400000-0x00000000004E1000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Svwxya.exe	94cc07a8a0c06fe97bebae3356b18a6283c13661086ba530b03d0a57ffa2db63.exe
File opened for modification	C:\Program Files (x86)\Svwxya.exe	Svwxya.exe
File created	C:\Program Files (x86)\Svwxya.exe	Svwxya.exe
File created	C:\Program Files (x86)\Svwxya.exe	94cc07a8a0c06fe97bebae3356b18a6283c13661086ba530b03d0a57ffa2db63.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	Svwxya.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Stuvwx Abcdefgh	Svwxya.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Stuvwx Abcdefgh\Group = "Fatal"	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services	Svwxya.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	Svwxya.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Stuvwx Abcdefgh\InstallTime = "2023-10-13 03:36"	Svwxya.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4908	94cc07a8a0c06fe97bebae3356b18a6283c13661086ba530b03d0a57ffa2db63.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	94cc07a8a0c06fe97bebae3356b18a6283c13661086ba530b03d0a57ffa2db63.exe
Token: SeDebugPrivilege	3724	Svwxya.exe
Token: SeDebugPrivilege	3264	Svwxya.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 3264	3724	Svwxya.exe	91
PID 3724 wrote to memory of 3264	3724	Svwxya.exe	91
PID 3724 wrote to memory of 3264	3724	Svwxya.exe	91

C:\Users\Admin\AppData\Local\Temp\94cc07a8a0c06fe97bebae3356b18a6283c13661086ba530b03d0a57ffa2db63.exe
"C:\Users\Admin\AppData\Local\Temp\94cc07a8a0c06fe97bebae3356b18a6283c13661086ba530b03d0a57ffa2db63.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Program Files (x86)\Svwxya.exe
"C:\Program Files (x86)\Svwxya.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Program Files (x86)\Svwxya.exe
  "C:\Program Files (x86)\Svwxya.exe" Win7
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Svwxya.exe

Filesize
292KB

MD5
14867f1b93264bfd6b889ae4939ae9f1

SHA1
928d5d6b7f1c86dbb22b2b4cc0928488bc1569b4

SHA256
94cc07a8a0c06fe97bebae3356b18a6283c13661086ba530b03d0a57ffa2db63

SHA512
b1efaae56d4c866ff4e272698e41c369bf05454c6d41e08320eb353ced57e5af0a2f7d9cd324d824d829261261f15a0170158f802bf1de2aa6a63bc83401635a

Download Submit
C:\Program Files (x86)\Svwxya.exe

Filesize
292KB

MD5
14867f1b93264bfd6b889ae4939ae9f1

SHA1
928d5d6b7f1c86dbb22b2b4cc0928488bc1569b4

SHA256
94cc07a8a0c06fe97bebae3356b18a6283c13661086ba530b03d0a57ffa2db63

SHA512
b1efaae56d4c866ff4e272698e41c369bf05454c6d41e08320eb353ced57e5af0a2f7d9cd324d824d829261261f15a0170158f802bf1de2aa6a63bc83401635a

Download Submit
C:\Program Files (x86)\Svwxya.exe

Filesize
292KB

MD5
14867f1b93264bfd6b889ae4939ae9f1

SHA1
928d5d6b7f1c86dbb22b2b4cc0928488bc1569b4

SHA256
94cc07a8a0c06fe97bebae3356b18a6283c13661086ba530b03d0a57ffa2db63

SHA512
b1efaae56d4c866ff4e272698e41c369bf05454c6d41e08320eb353ced57e5af0a2f7d9cd324d824d829261261f15a0170158f802bf1de2aa6a63bc83401635a

Download Submit
memory/3264-23-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/3724-10-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/3724-21-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4908-0-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4908-1-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/4908-6-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download

Analysis

Sharing