fatalrat | 012d5c38bb315e316b4e53101f7bf44dc55b6b2301e626f13a8a5cad8fac0ba9

Analysis

max time kernel
146s
max time network
159s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
16-11-2023 08:16

Target

3.exe
Size

140KB
MD5

71d6ba66466828dfe5c7d8cadfd44c79
SHA1

b79ba0d33150e22e8afa5a9360e9a0dbc2df7e2d
SHA256

012d5c38bb315e316b4e53101f7bf44dc55b6b2301e626f13a8a5cad8fac0ba9
SHA512

3c7a1eb705e2188f9b0e355ec853a98529083a67051a567aa22f94770ae15c9105746fb1059ad6b840fc14f5fc680034c47be004c5ba28b907fab137a9ebb699
SSDEEP

1536:Vua+BTv3tIO8MtM+/6jRVGIk1MgHjsPGYYwOda2CqqZOIgQJb0lfjtO+vbWL8xJb:Vn+htWMtf+7GZYGVA2QJgi8xJLDoU

Score

10^/10

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/1664-0-0x0000000010000000-0x000000001001C000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

pid	Process
2004	3.exe
2744	3.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\3.exe	3.exe
File opened for modification	C:\Windows\3.exe	3.exe
File opened for modification	C:\Windows\3.exe	3.exe
File created	C:\Windows\3.exe	3.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Lmnopq Stuvwxya\InstallTime = "2023-11-16 08:17"	3.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Lmnopq Stuvwxya	3.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	3.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	3.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services	3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Lmnopq Stuvwxya\Group = "3"	3.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2744	2004	3.exe	29
PID 2004 wrote to memory of 2744	2004	3.exe	29
PID 2004 wrote to memory of 2744	2004	3.exe	29
PID 2004 wrote to memory of 2744	2004	3.exe	29

C:\Windows\3.exe

Filesize
140KB

MD5
71d6ba66466828dfe5c7d8cadfd44c79

SHA1
b79ba0d33150e22e8afa5a9360e9a0dbc2df7e2d

SHA256
012d5c38bb315e316b4e53101f7bf44dc55b6b2301e626f13a8a5cad8fac0ba9

SHA512
3c7a1eb705e2188f9b0e355ec853a98529083a67051a567aa22f94770ae15c9105746fb1059ad6b840fc14f5fc680034c47be004c5ba28b907fab137a9ebb699

Download Submit
C:\Windows\3.exe

Filesize
140KB

MD5
71d6ba66466828dfe5c7d8cadfd44c79

SHA1
b79ba0d33150e22e8afa5a9360e9a0dbc2df7e2d

SHA256
012d5c38bb315e316b4e53101f7bf44dc55b6b2301e626f13a8a5cad8fac0ba9

SHA512
3c7a1eb705e2188f9b0e355ec853a98529083a67051a567aa22f94770ae15c9105746fb1059ad6b840fc14f5fc680034c47be004c5ba28b907fab137a9ebb699

Download Submit
C:\Windows\3.exe

Filesize
140KB

MD5
71d6ba66466828dfe5c7d8cadfd44c79

SHA1
b79ba0d33150e22e8afa5a9360e9a0dbc2df7e2d

SHA256
012d5c38bb315e316b4e53101f7bf44dc55b6b2301e626f13a8a5cad8fac0ba9

SHA512
3c7a1eb705e2188f9b0e355ec853a98529083a67051a567aa22f94770ae15c9105746fb1059ad6b840fc14f5fc680034c47be004c5ba28b907fab137a9ebb699

Download Submit
memory/1664-0-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download