Overview

overview

10

Static

static

3

55bea56c9a...65.exe

windows7-x64

10

55bea56c9a...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    12-01-2024 06:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55bea56c9ad9357a714843e5da3a0165.exe

  • Size

    335KB

  • MD5

    55bea56c9ad9357a714843e5da3a0165

  • SHA1

    4ef79ba772406e111ad986036324d1d0ea15cc9d

  • SHA256

    65a6740aaab16104235a33c2e9aea03479491ac60cfb316b44a1ec3c1f87027d

  • SHA512

    29893d2ad84093f36a549e5b02124ca562f20568bb9445687bc4e6109beb3b114bf86d11d6b6d00815d7ffa0f9694c8a5ef420c60d6380db29e95513f0ddbae5

  • SSDEEP

    6144:AoLZBns/AeJrtYO+6FDsqTDFu3ZSCBt/oPRYYayHiS:AotmJMk9TDFu3ZS40RO2

Score
10/10
fatalratinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 1 IoCs
    ratinfostealer
  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies data under HKEY_USERS 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\Pqrstu.exe
    C:\Windows\Pqrstu.exe Win7
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2020
  • C:\Windows\Pqrstu.exe
    C:\Windows\Pqrstu.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3068
  • C:\Users\Admin\AppData\Local\Temp\55bea56c9ad9357a714843e5da3a0165.exe
    "C:\Users\Admin\AppData\Local\Temp\55bea56c9ad9357a714843e5da3a0165.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\SVP7.PNG
    Filesize

    152KB

    MD5

    b02e46db6e44bab74dccf4cfd14a1076

    SHA1

    295a06cc304356f7f9671c03fc858dc071e1f391

    SHA256

    24448f93ddeadd0d1c71f273e6a080f0f6200cc0c753f88efb06fced3c816ebf

    SHA512

    a53948cdef001502e0dc17c0ecf5331dfcff78c54b41d3a4bd11cbe73afe61a55339689d5192fcad7e7f2a805a7b8ada4fadd3b6e637738c589d5c91603e77b4

    Download Submit

  • C:\Windows\Pqrstu.exe
    Filesize

    335KB

    MD5

    55bea56c9ad9357a714843e5da3a0165

    SHA1

    4ef79ba772406e111ad986036324d1d0ea15cc9d

    SHA256

    65a6740aaab16104235a33c2e9aea03479491ac60cfb316b44a1ec3c1f87027d

    SHA512

    29893d2ad84093f36a549e5b02124ca562f20568bb9445687bc4e6109beb3b114bf86d11d6b6d00815d7ffa0f9694c8a5ef420c60d6380db29e95513f0ddbae5

    Download Submit

  • memory/2936-2-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

    Download