Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20230915-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    13/10/2023, 04:40 UTC

General

  • Target

    b280f57cc64f24e3feefaecc3746058d393c4d16ca9ab3cdfac1ebfdb3111136.exe

  • Size

    376KB

  • MD5

    b8f957e23aa6a2e9bbd44d26618ff1fd

  • SHA1

    4cc450bbba0caa9a78e880446500354d1ce7bb01

  • SHA256

    b280f57cc64f24e3feefaecc3746058d393c4d16ca9ab3cdfac1ebfdb3111136

  • SHA512

    6572d396affa2a3440cf5bb4967368fce743493871a174b3d7be4db48fd0181d61009748b01021be01132d622f245fe08ff0269465675277e4e23c313c1115d7

  • SSDEEP

    6144:AORLKn/ocYlNMeBasmrfc2RrYZWC9sQNwhstAOWf4rE0G/saJ:A6+ANlNMeMx0MrG9fGwAOWf4rt8X

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family, written in C++, that first appeared in June 2021.

  • Fatal Rat payload 5 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 4 IoCs
  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
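The "UPX packed file" signature above fires on the stock packer's fingerprints. As an added example (not code from the report or from tria.ge), the parser below reads a PE section table without any third-party library and reports the two cheapest UPX indicators: the stock section names (UPX0/UPX1/UPX2) and the "UPX!" marker the packer writes into the file. The input is a hand-built minimal PE fixture constructed in `build_fake_pe`, not the sample's bytes; a "modified UPX" build that renames its sections defeats the name check, which is why the marker is checked as well and why neither indicator alone should be treated as conclusive.

```python
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MARKER = b"UPX!"  # magic the stock packer writes into the packed file's header area


def build_fake_pe(section_names, trailer=b""):
    """Construct a minimal PE32 image with the given section names.

    Test fixture for the parser below, not the sample from the report: a 64-byte
    DOS header, the PE signature, a 20-byte COFF header, a zeroed PE32 optional
    header (0xE0 bytes) and one 40-byte section header per name.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0xE0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (0xE0 - 2)  # PE32 magic, rest zeroed
    sections = b"".join(
        name.encode()[:8].ljust(8, b"\x00") + b"\x00" * 32 for name in section_names
    )
    return dos + b"PE\x00\x00" + coff + optional + sections + trailer


def pe_section_names(data):
    """Return the section names from a PE file's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """Collect the indicators: stock UPX section names and the UPX! marker."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_sections": [n for n in names if n in UPX_SECTION_NAMES],
        "marker": UPX_MARKER in data,
    }


def looks_upx_packed(data):
    """Verdict used by the example: either indicator is enough to flag the file."""
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["marker"]


if __name__ == "__main__":
    for label, blob in [
        ("stock UPX", build_fake_pe(["UPX0", "UPX1", ".rsrc"])),
        ("renamed sections, marker kept", build_fake_pe([".text", ".data"], trailer=b"\x00UPX!\x0d\x09")),
        ("unpacked", build_fake_pe([".text", ".rdata", ".data"])),
    ]:
        print(label, upx_indicators(blob), "->", looks_upx_packed(blob))
```

Run against a real file with `looks_upx_packed(open(path, "rb").read())`; the section-name list is also worth keeping on its own, since a packed binary's tiny named section count and a large executable-and-writable first section are what an entropy check or a YARA rule would key on next.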

Processes

  • C:\Users\Admin\AppData\Local\Temp\b280f57cc64f24e3feefaecc3746058d393c4d16ca9ab3cdfac1ebfdb3111136.exe
    "C:\Users\Admin\AppData\Local\Temp\b280f57cc64f24e3feefaecc3746058d393c4d16ca9ab3cdfac1ebfdb3111136.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4688
  • C:\Program Files (x86)\Svwxya.exe
    "C:\Program Files (x86)\Svwxya.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Program Files (x86)\Svwxya.exe
      "C:\Program Files (x86)\Svwxya.exe" Win7
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
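The tree above shows the sample writing a copy of itself (same hashes as the submitted file, see Downloads) directly into the root of C:\Program Files (x86), that copy running, and the copy re-launching itself with a "Win7" argument. As an added example, not part of the report, the script below encodes those three observations as detection logic over constructed Sysmon-style events (Event ID 1 ProcessCreate, Event ID 11 FileCreate) modelled on the tree; the event dictionaries, field names and rule names are this example's own, and the parent of PID 840 is left unset because the report does not show it.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events modelled on the report's process tree.
# They are illustrative, not logs captured from the sandbox run.
SAMPLE_SHA256 = "b280f57cc64f24e3feefaecc3746058d393c4d16ca9ab3cdfac1ebfdb3111136"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\b280f57cc64f24e3feefaecc3746058d393c4d16ca9ab3cdfac1ebfdb3111136.exe"
DROPPED_EXE = r"C:\Program Files (x86)\Svwxya.exe"

EVENTS = [
    {"EventID": 1, "ProcessId": 4688, "Image": TEMP_EXE, "CommandLine": f'"{TEMP_EXE}"',
     "Hashes": f"SHA256={SAMPLE_SHA256}"},
    {"EventID": 11, "ProcessId": 4688, "Image": TEMP_EXE, "TargetFilename": DROPPED_EXE},
    {"EventID": 1, "ProcessId": 840, "Image": DROPPED_EXE, "CommandLine": f'"{DROPPED_EXE}"',
     "Hashes": f"SHA256={SAMPLE_SHA256}"},
    {"EventID": 1, "ProcessId": 2712, "ParentProcessId": 840, "ParentImage": DROPPED_EXE,
     "Image": DROPPED_EXE, "CommandLine": f'"{DROPPED_EXE}" Win7',
     "Hashes": f"SHA256={SAMPLE_SHA256}"},
]

PROGRAM_FILES_ROOTS = {r"c:\program files", r"c:\program files (x86)"}
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def in_program_files_root(path):
    """True for an .exe placed directly in a Program Files root, not a vendor subfolder."""
    p = PureWindowsPath(path)
    return p.suffix.lower() == ".exe" and str(p.parent).lower() in PROGRAM_FILES_ROOTS


def in_user_temp(path):
    return USER_TEMP_RE.match(path) is not None


def sha256_of(event):
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", event.get("Hashes", ""))
    return m.group(1).lower() if m else None


def analyse(events):
    """Walk the events once; return (rule, pid, detail) findings in event order."""
    findings = []
    temp_hashes = set()    # hashes of executables launched from a user Temp folder
    dropped_paths = set()  # files such a process wrote into a Program Files root
    for e in events:
        if e["EventID"] == 11:
            if in_user_temp(e["Image"]) and in_program_files_root(e["TargetFilename"]):
                findings.append(("drop_to_program_files_root", e["ProcessId"], e["TargetFilename"]))
                dropped_paths.add(e["TargetFilename"].lower())
            continue
        if e["EventID"] != 1:
            continue
        image, digest = e["Image"], sha256_of(e)
        if in_user_temp(image) and digest:
            temp_hashes.add(digest)
        if image.lower() in dropped_paths:
            findings.append(("exec_dropped_file", e["ProcessId"], image))
            if digest in temp_hashes:
                # identical bytes to the Temp-stage binary: the malware copied itself
                findings.append(("self_copy_execution", e["ProcessId"], digest))
        if e.get("ParentImage", "").lower() == image.lower():
            findings.append(("self_spawn", e["ProcessId"], e["CommandLine"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

The root-of-Program-Files check is the low-noise part: legitimate installers create a vendor subfolder, so an .exe landing directly under C:\Program Files (x86) written by something in %TEMP% is rare on a managed host. The self-spawn rule by itself is noisy (updaters and browsers do it), which is why it is reported alongside the drop and hash-identity findings rather than on its own.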

Network

  • DNS 2.136.104.51.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 2.136.104.51.in-addr.arpa IN PTR
    Response: (not shown)
  • DNS 67.31.126.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 67.31.126.40.in-addr.arpa IN PTR
    Response: (not shown)
  • DNS 108.211.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 108.211.229.192.in-addr.arpa IN PTR
    Response: (not shown)
  • DNS 59.128.231.4.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 59.128.231.4.in-addr.arpa IN PTR
    Response: (not shown)
  • DNS 50.23.12.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 50.23.12.20.in-addr.arpa IN PTR
    Response: (not shown)
  • DNS 15.164.165.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 15.164.165.52.in-addr.arpa IN PTR
    Response: (not shown)
  • DNS 126.24.238.8.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 126.24.238.8.in-addr.arpa IN PTR
    Response: (not shown)
  • DNS 25.73.42.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 25.73.42.20.in-addr.arpa IN PTR
    Response: (not shown)
  • 202.95.14.6:8081  Svwxya.exe  260 B  5
  • 202.95.14.6:8081  Svwxya.exe  260 B  5
  • 202.95.14.6:8081  Svwxya.exe  260 B  5
  • 202.95.14.6:8081  Svwxya.exe  260 B  5
  • 202.95.14.6:8081  Svwxya.exe  208 B  4

    These five connections are the only traffic the report attributes to a process (Svwxya.exe); the PTR lookups above carry no process attribution, and no received bytes or packets are listed for the 8081 connections.
  • 8.8.8.8:53  2.136.104.51.in-addr.arpa  dns  71 B  157 B  1  1
    DNS Request: 2.136.104.51.in-addr.arpa
  • 8.8.8.8:53  67.31.126.40.in-addr.arpa  dns  71 B  157 B  1  1
    DNS Request: 67.31.126.40.in-addr.arpa
  • 8.8.8.8:53  108.211.229.192.in-addr.arpa  dns  74 B  145 B  1  1
    DNS Request: 108.211.229.192.in-addr.arpa
  • 8.8.8.8:53  59.128.231.4.in-addr.arpa  dns  71 B  157 B  1  1
    DNS Request: 59.128.231.4.in-addr.arpa
  • 8.8.8.8:53  50.23.12.20.in-addr.arpa  dns  70 B  156 B  1  1
    DNS Request: 50.23.12.20.in-addr.arpa
  • 8.8.8.8:53  15.164.165.52.in-addr.arpa  dns  72 B  146 B  1  1
    DNS Request: 15.164.165.52.in-addr.arpa
  • 8.8.8.8:53  126.24.238.8.in-addr.arpa  dns  71 B  125 B  1  1
    DNS Request: 126.24.238.8.in-addr.arpa
  • 8.8.8.8:53  25.73.42.20.in-addr.arpa  dns  70 B  156 B  1  1
    DNS Request: 25.73.42.20.in-addr.arpa
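Two things a practitioner does with a network listing like this one: turn the in-addr.arpa names back into the addresses that were looked up, and decide whether the repeated same-sized contacts to 202.95.14.6:8081 look like a beacon. The script below is an added example, not code from the report or from tria.ge; its inputs are constructed from the rows above (PTR names, and the five Svwxya.exe connections with their listed byte and packet counts), the beacon thresholds are this example's own choice, and the PTR queries are kept separate from the flow grouping because the report does not attribute them to any process.

```python
import ipaddress
from collections import defaultdict

# Constructed from the report's Network section; not a packet capture.
PTR_QUERIES = [
    "2.136.104.51.in-addr.arpa", "67.31.126.40.in-addr.arpa",
    "108.211.229.192.in-addr.arpa", "59.128.231.4.in-addr.arpa",
    "50.23.12.20.in-addr.arpa", "15.164.165.52.in-addr.arpa",
    "126.24.238.8.in-addr.arpa", "25.73.42.20.in-addr.arpa",
]
FLOWS = [  # (process, destination, bytes_sent, packets_sent) as listed in the report
    ("Svwxya.exe", "202.95.14.6:8081", 260, 5),
    ("Svwxya.exe", "202.95.14.6:8081", 260, 5),
    ("Svwxya.exe", "202.95.14.6:8081", 260, 5),
    ("Svwxya.exe", "202.95.14.6:8081", 260, 5),
    ("Svwxya.exe", "202.95.14.6:8081", 208, 4),
]


def ptr_to_ip(name):
    """Turn a reverse-lookup name back into the IPv4 address that was looked up."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        raise ValueError(f"not an in-addr.arpa name: {name}")
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {name}")
    # IPv4Address validates each octet and rejects malformed labels
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def beacon_candidates(flows, min_connections=3, max_size_ratio=1.5):
    """Group flows per (process, destination); flag repeated, similarly sized contacts.

    Thresholds are example choices: at least min_connections to the same endpoint,
    with the largest payload no more than max_size_ratio times the smallest.
    """
    groups = defaultdict(list)
    for proc, dst, nbytes, npkts in flows:
        groups[(proc, dst)].append((nbytes, npkts))
    result = {}
    for key, entries in groups.items():
        sizes = [b for b, _ in entries]
        result[key] = {
            "connections": len(entries),
            "bytes_out": sum(sizes),
            "packets_out": sum(p for _, p in entries),
            "beacon_like": (len(entries) >= min_connections
                            and max(sizes) / min(sizes) <= max_size_ratio),
        }
    return result


if __name__ == "__main__":
    print("PTR targets:", [ptr_to_ip(q) for q in PTR_QUERIES])
    for (proc, dst), stats in beacon_candidates(FLOWS).items():
        print(proc, "->", dst, stats)
```

The decoded PTR targets are what you would pass to WHOIS or an allow-list before deciding whether those lookups belong to the sample at all; with no process attribution and no payload shown, the 8081 connections are the only indicator from this section worth turning into a network rule.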

MITRE ATT&CK Matrix

Downloads

  • C:\Program Files (x86)\Svwxya.exe

    Filesize

    376KB

    MD5

    b8f957e23aa6a2e9bbd44d26618ff1fd

    SHA1

    4cc450bbba0caa9a78e880446500354d1ce7bb01

    SHA256

    b280f57cc64f24e3feefaecc3746058d393c4d16ca9ab3cdfac1ebfdb3111136

    SHA512

    6572d396affa2a3440cf5bb4967368fce743493871a174b3d7be4db48fd0181d61009748b01021be01132d622f245fe08ff0269465675277e4e23c313c1115d7

  • memory/840-9-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/840-21-0x0000000000400000-0x0000000000517000-memory.dmp

    Filesize

    1.1MB

  • memory/2712-23-0x0000000000400000-0x0000000000517000-memory.dmp

    Filesize

    1.1MB

  • memory/4688-0-0x0000000000400000-0x0000000000517000-memory.dmp

    Filesize

    1.1MB

  • memory/4688-1-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/4688-20-0x0000000000400000-0x0000000000517000-memory.dmp

    Filesize

    1.1MB
