Overview

overview

10

Static

static

3

0de0ac1632...a6.exe

windows7-x64

10

0de0ac1632...a6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18-04-2024 08:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0de0ac163256b4dd48d77191f7a14ac955b16299cf26da3ad9e2c09f524472a6.exe

  • Size

    421KB

  • MD5

    42e26212e908c36f4b728521c4f51a43

  • SHA1

    96c1cc942bd4474078ccfd7e50251ae85b68c14e

  • SHA256

    0de0ac163256b4dd48d77191f7a14ac955b16299cf26da3ad9e2c09f524472a6

  • SHA512

    4283b57b4d9b88c487311d756e07f32132af68af41138b6d33343d3ba3459f9dc4b2eacec77031b5dcf4ac4ce2bf2e2af21d1efc7afdd12c94e6b401f993f886

  • SSDEEP

    6144:2al+ea/Txa3Rp6OLztixirPOB0t39fcLbHM+Tz8O/oPRYYayHi:28fa/10t0irPOBct0fHME0RO

Score
10/10
fatalratinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 1 IoCs
    ratinfostealer
  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0de0ac163256b4dd48d77191f7a14ac955b16299cf26da3ad9e2c09f524472a6.exe
    "C:\Users\Admin\AppData\Local\Temp\0de0ac163256b4dd48d77191f7a14ac955b16299cf26da3ad9e2c09f524472a6.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:272
  • C:\Windows\Vwxyab.exe
    C:\Windows\Vwxyab.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\Vwxyab.exe
      C:\Windows\Vwxyab.exe Win7
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\SVP7.PNG
    Filesize

    152KB

    MD5

    b02e46db6e44bab74dccf4cfd14a1076

    SHA1

    295a06cc304356f7f9671c03fc858dc071e1f391

    SHA256

    24448f93ddeadd0d1c71f273e6a080f0f6200cc0c753f88efb06fced3c816ebf

    SHA512

    a53948cdef001502e0dc17c0ecf5331dfcff78c54b41d3a4bd11cbe73afe61a55339689d5192fcad7e7f2a805a7b8ada4fadd3b6e637738c589d5c91603e77b4

    Download Submit

  • C:\Windows\Vwxyab.exe
    Filesize

    421KB

    MD5

    42e26212e908c36f4b728521c4f51a43

    SHA1

    96c1cc942bd4474078ccfd7e50251ae85b68c14e

    SHA256

    0de0ac163256b4dd48d77191f7a14ac955b16299cf26da3ad9e2c09f524472a6

    SHA512

    4283b57b4d9b88c487311d756e07f32132af68af41138b6d33343d3ba3459f9dc4b2eacec77031b5dcf4ac4ce2bf2e2af21d1efc7afdd12c94e6b401f993f886

    Download Submit

  • memory/272-2-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

    Download