fatalrat | 2266b4eb699c201c53e62a9fe129147d2c93050d74ad002026254d046265f7f0

Analysis

max time kernel
121s
max time network
131s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
14/11/2023, 09:18

Target

2266b4eb699c201c53e62a9fe129147d2c93050d74ad002026254d046265f7f0.exe
Size

140KB
MD5

92aed57954eff74deda66ac4de027880
SHA1

06cac80d83b3aa78e622f1f72cae6510e945f6e4
SHA256

2266b4eb699c201c53e62a9fe129147d2c93050d74ad002026254d046265f7f0
SHA512

64d31d37008283fbef361588692bb756b3b6b5ed0ac84a55739f74975a6ed53d19d8eb55d7335ed16ddd713fb43b443acb06838bfb1ea351768704893d1c080f
SSDEEP

1536:Vua+BTv3tIO8MtM+/6jRVGIk1MgHjsPGYYwOda2CqqZOIgQJb0lfjtO+vbWL8xJb:Vn+htWMtf+7GZYGVA2QJgi8xJLDoU

Score

10^/10

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/1516-0-0x0000000010000000-0x000000001001C000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

pid	Process
844	Wxyabc.exe
2996	Wxyabc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Wxyabc.exe	2266b4eb699c201c53e62a9fe129147d2c93050d74ad002026254d046265f7f0.exe
File opened for modification	C:\Windows\Wxyabc.exe	Wxyabc.exe
File created	C:\Windows\Wxyabc.exe	Wxyabc.exe
File created	C:\Windows\Wxyabc.exe	2266b4eb699c201c53e62a9fe129147d2c93050d74ad002026254d046265f7f0.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Wxyabc Efghijkl	Wxyabc.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	Wxyabc.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	Wxyabc.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services	Wxyabc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Wxyabc Efghijkl\Group = "Fatal"	Wxyabc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Wxyabc Efghijkl\InstallTime = "2023-11-14 10:34"	Wxyabc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1516	2266b4eb699c201c53e62a9fe129147d2c93050d74ad002026254d046265f7f0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 2996	844	Wxyabc.exe	29
PID 844 wrote to memory of 2996	844	Wxyabc.exe	29
PID 844 wrote to memory of 2996	844	Wxyabc.exe	29
PID 844 wrote to memory of 2996	844	Wxyabc.exe	29

C:\Windows\Wxyabc.exe

Filesize
140KB

MD5
92aed57954eff74deda66ac4de027880

SHA1
06cac80d83b3aa78e622f1f72cae6510e945f6e4

SHA256
2266b4eb699c201c53e62a9fe129147d2c93050d74ad002026254d046265f7f0

SHA512
64d31d37008283fbef361588692bb756b3b6b5ed0ac84a55739f74975a6ed53d19d8eb55d7335ed16ddd713fb43b443acb06838bfb1ea351768704893d1c080f

Download Submit
C:\Windows\Wxyabc.exe

Filesize
140KB

MD5
92aed57954eff74deda66ac4de027880

SHA1
06cac80d83b3aa78e622f1f72cae6510e945f6e4

SHA256
2266b4eb699c201c53e62a9fe129147d2c93050d74ad002026254d046265f7f0

SHA512
64d31d37008283fbef361588692bb756b3b6b5ed0ac84a55739f74975a6ed53d19d8eb55d7335ed16ddd713fb43b443acb06838bfb1ea351768704893d1c080f

Download Submit
C:\Windows\Wxyabc.exe

Filesize
140KB

MD5
92aed57954eff74deda66ac4de027880

SHA1
06cac80d83b3aa78e622f1f72cae6510e945f6e4

SHA256
2266b4eb699c201c53e62a9fe129147d2c93050d74ad002026254d046265f7f0

SHA512
64d31d37008283fbef361588692bb756b3b6b5ed0ac84a55739f74975a6ed53d19d8eb55d7335ed16ddd713fb43b443acb06838bfb1ea351768704893d1c080f

Download Submit
memory/1516-0-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download