Analysis

  • max time kernel
    184s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-01-2024 06:37

General

  • Target: 55bea56c9ad9357a714843e5da3a0165.exe
  • Size: 335KB
  • MD5: 55bea56c9ad9357a714843e5da3a0165
  • SHA1: 4ef79ba772406e111ad986036324d1d0ea15cc9d
  • SHA256: 65a6740aaab16104235a33c2e9aea03479491ac60cfb316b44a1ec3c1f87027d
  • SHA512: 29893d2ad84093f36a549e5b02124ca562f20568bb9445687bc4e6109beb3b114bf86d11d6b6d00815d7ffa0f9694c8a5ef420c60d6380db29e95513f0ddbae5
  • SSDEEP: 6144:AoLZBns/AeJrtYO+6FDsqTDFu3ZSCBt/oPRYYayHiS:AotmJMk9TDFu3ZS40RO2

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

  • Fatal Rat payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies data under HKEY_USERS 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55bea56c9ad9357a714843e5da3a0165.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\55bea56c9ad9357a714843e5da3a0165.exe"
    PID: 1688
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\Pqrstu.exe
    Command line: C:\Windows\Pqrstu.exe
    PID: 2060
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Pqrstu.exe (child of PID 2060)
      Command line: C:\Windows\Pqrstu.exe Win7
      PID: 3944
      • Executes dropped EXE
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Public\Documents\SVP7.PNG
    Filesize: 152KB
    MD5: b02e46db6e44bab74dccf4cfd14a1076
    SHA1: 295a06cc304356f7f9671c03fc858dc071e1f391
    SHA256: 24448f93ddeadd0d1c71f273e6a080f0f6200cc0c753f88efb06fced3c816ebf
    SHA512: a53948cdef001502e0dc17c0ecf5331dfcff78c54b41d3a4bd11cbe73afe61a55339689d5192fcad7e7f2a805a7b8ada4fadd3b6e637738c589d5c91603e77b4

  • C:\Windows\Pqrstu.exe
    Filesize: 193KB
    MD5: 7d9e1e71e595c1b32cad52c8e242ed9c
    SHA1: bd1680e7a047d917bb1288c5e7c5d62abf13ebbe
    SHA256: a92f6462c6dcdc04ea08480a2996aa6124fe981b181c9dbd9a255eb810cbe29b
    SHA512: 941d85e9aa28c017902158ad52ade390d088e6ded3cf19fbbdec121b8f8ec59a1d3ba7deec36e41343c17f6487c9b2cc175de925819d415528e978a341ce7699

  • C:\Windows\Pqrstu.exe
    Filesize: 326KB
    MD5: b150a849e8bffa5b8fbd7c9597b531b3
    SHA1: 97722875a1294fd48712c67c976969e10e484e28
    SHA256: 28be66642a788cb5e493f9bdf2776ab90edb8c98bbfa16acfe4bd5ac0d03490c
    SHA512: 694419c6e69cfbdb2d30c70455d2e0fb976802f05d708a8b4fc1cedaee9d77238a59ce04a437f477a9559643a1850501b106524e3d509177c322dea009bc75dd

  • C:\Windows\Pqrstu.exe
    Filesize: 277KB
    MD5: 3a5a5e1b44b0db314f33f274a53880db
    SHA1: 068df5df91ca239920e3536fecb8a7801982b57c
    SHA256: fed1b6062c78b7b6b3f8a7f76042b3ca656084b76bca732f93ca4b1890a27b74
    SHA512: 97f3b354d1335cb3fd8653382f7ea5d4eb08966f35a18a7ac04d8abbdf6ecc621ed5b868f08c81bc515a23cba18fa531d34674ca036184b8592024ead48d5049

  • memory/1688-2-0x0000000010000000-0x000000001002A000-memory.dmp
    Filesize: 168KB

  • memory/2060-12-0x0000000010000000-0x000000001002A000-memory.dmp
    Filesize: 168KB