Overview

overview

10

Static

static

3

5a1bb777d4...ca.exe

windows7-x64

10

5a1bb777d4...ca.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    14-01-2024 03:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a1bb777d4127a871626f9276771ecca.exe

  • Size

    818KB

  • MD5

    5a1bb777d4127a871626f9276771ecca

  • SHA1

    727930ec9e050478e53a99bef15bc035a0404dff

  • SHA256

    e118e14e52a9fc203dc91df7ea00a8dd047379a56f9ddff0334cc16428f07d5e

  • SHA512

    bc478bce7a24f68c585f413f5b33d8cbbade33d1f1c2b9b2c28bde4d38c4536cc958a1912a9d0cbea320e24ebfe0a4a1587e084da6950004178584e3b60555c3

  • SSDEEP

    12288:EVWZDtv7F0izVusS8Av3KAXcpy9Hh9B2d:qQDt48Av6ECydj+

Score
10/10
fatalratinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 1 IoCs
    ratinfostealer
  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies data under HKEY_USERS 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a1bb777d4127a871626f9276771ecca.exe
    "C:\Users\Admin\AppData\Local\Temp\5a1bb777d4127a871626f9276771ecca.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2660
  • C:\Windows\Jklmno.exe
    C:\Windows\Jklmno.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\Jklmno.exe
      C:\Windows\Jklmno.exe Win7
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\SVP7.PNG
    Filesize

    152KB

    MD5

    b02e46db6e44bab74dccf4cfd14a1076

    SHA1

    295a06cc304356f7f9671c03fc858dc071e1f391

    SHA256

    24448f93ddeadd0d1c71f273e6a080f0f6200cc0c753f88efb06fced3c816ebf

    SHA512

    a53948cdef001502e0dc17c0ecf5331dfcff78c54b41d3a4bd11cbe73afe61a55339689d5192fcad7e7f2a805a7b8ada4fadd3b6e637738c589d5c91603e77b4

    Download Submit

  • C:\Windows\Jklmno.exe
    Filesize

    818KB

    MD5

    5a1bb777d4127a871626f9276771ecca

    SHA1

    727930ec9e050478e53a99bef15bc035a0404dff

    SHA256

    e118e14e52a9fc203dc91df7ea00a8dd047379a56f9ddff0334cc16428f07d5e

    SHA512

    bc478bce7a24f68c585f413f5b33d8cbbade33d1f1c2b9b2c28bde4d38c4536cc958a1912a9d0cbea320e24ebfe0a4a1587e084da6950004178584e3b60555c3

    Download Submit

  • memory/2660-2-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

    Download