Overview

overview

10

Static

static

3

765989b165...a7.exe

windows7-x64

10

765989b165...a7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    158s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2023 19:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    765989b16541ced8e464097c54960fbedbb520875e34a630b45537c5d8937da7.exe

  • Size

    1.4MB

  • MD5

    8c0bf864084a36599c18441a3a970c0f

  • SHA1

    e42898dcd37993b2116a3dbbf95dc4c11ef10aa8

  • SHA256

    765989b16541ced8e464097c54960fbedbb520875e34a630b45537c5d8937da7

  • SHA512

    32f40d8b82f1cb2406255c6e59d33bbaeb192d7d6492e444f379b1fb2dd14ca776d88d5023229ce948050b5b65f77f02d05166e8e575ba155cf92fbe0e41ad34

  • SSDEEP

    24576:QUDTJcZN/784qWjcKknk7PLMQ4q8CKKnnaul94jAu/F8FwyA89vSzJJSYUvpKOO+:33JcH/78mOuC6zlaAu2FIPzHSYUvQOO+

Score
10/10
fatalratinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 5 IoCs
    ratinfostealer
  • Executes dropped EXE 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 57 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\765989b16541ced8e464097c54960fbedbb520875e34a630b45537c5d8937da7.exe
    "C:\Users\Admin\AppData\Local\Temp\765989b16541ced8e464097c54960fbedbb520875e34a630b45537c5d8937da7.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3192
  • C:\Program Files (x86)\AppPatch\Svwxya.exe
    "C:\Program Files (x86)\AppPatch\Svwxya.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Program Files (x86)\AppPatch\Svwxya.exe
      "C:\Program Files (x86)\AppPatch\Svwxya.exe" Win7
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\AppPatch\Svwxya.exe
    Filesize

    1.4MB

    MD5

    8c0bf864084a36599c18441a3a970c0f

    SHA1

    e42898dcd37993b2116a3dbbf95dc4c11ef10aa8

    SHA256

    765989b16541ced8e464097c54960fbedbb520875e34a630b45537c5d8937da7

    SHA512

    32f40d8b82f1cb2406255c6e59d33bbaeb192d7d6492e444f379b1fb2dd14ca776d88d5023229ce948050b5b65f77f02d05166e8e575ba155cf92fbe0e41ad34

    Download Submit

  • C:\Program Files (x86)\AppPatch\Svwxya.exe
    Filesize

    1.4MB

    MD5

    8c0bf864084a36599c18441a3a970c0f

    SHA1

    e42898dcd37993b2116a3dbbf95dc4c11ef10aa8

    SHA256

    765989b16541ced8e464097c54960fbedbb520875e34a630b45537c5d8937da7

    SHA512

    32f40d8b82f1cb2406255c6e59d33bbaeb192d7d6492e444f379b1fb2dd14ca776d88d5023229ce948050b5b65f77f02d05166e8e575ba155cf92fbe0e41ad34

    Download Submit

  • C:\Program Files (x86)\AppPatch\Svwxya.exe
    Filesize

    1.4MB

    MD5

    8c0bf864084a36599c18441a3a970c0f

    SHA1

    e42898dcd37993b2116a3dbbf95dc4c11ef10aa8

    SHA256

    765989b16541ced8e464097c54960fbedbb520875e34a630b45537c5d8937da7

    SHA512

    32f40d8b82f1cb2406255c6e59d33bbaeb192d7d6492e444f379b1fb2dd14ca776d88d5023229ce948050b5b65f77f02d05166e8e575ba155cf92fbe0e41ad34

    Download Submit

  • memory/892-39241-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/892-39243-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/892-39242-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/892-39245-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/892-39240-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/892-32054-0x0000000077960000-0x00000000779DA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/892-30045-0x0000000076940000-0x0000000076AE0000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/892-26171-0x0000000075C70000-0x0000000075E85000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/892-39247-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/892-39255-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1768-26157-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1768-13085-0x0000000075C70000-0x0000000075E85000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1768-16960-0x0000000076940000-0x0000000076AE0000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1768-18970-0x0000000077960000-0x00000000779DA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1768-26156-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1768-32999-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1768-26158-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1768-26159-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1768-26161-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1768-26162-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3192-26170-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3192-14194-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3192-13076-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3192-13075-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3192-13074-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3192-0-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3192-13072-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3192-13071-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3192-13070-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3192-13069-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3192-5884-0x0000000077960000-0x00000000779DA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/3192-3875-0x0000000076940000-0x0000000076AE0000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3192-1-0x0000000075C70000-0x0000000075E85000-memory.dmp

    Filesize

    2.1MB

    Download