Analysis

  • max time kernel
    136s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-04-2024 17:14

General

  • Target

    c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe

  • Size

    820KB

  • MD5

    ba5ded4a384dc6ab600dd6af1ba25884

  • SHA1

    8bad7156fda273bfc789b6810dacabec05207688

  • SHA256

    c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861

  • SHA512

    5a1d98da409088e0f2e8af57ec5292ce1b2d0149a84e7cdcfa6d8335219eb3c1375d81daf1776f454126256fa536e86ea609621ef027417197d04975764a4a5b

  • SSDEEP

    12288:OKnJXa/rMOPsQ3ykLlf6VEPvgHyBqgiyUDHUgYR9mLzQx:1OLPsQ9faSQNyUD07EH

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

  • Fatal Rat payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Modifies data under HKEY_USERS 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe
    "C:\Users\Admin\AppData\Local\Temp\c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    PID:1796
  • C:\Program Files (x86)\Svwxya.exe
    "C:\Program Files (x86)\Svwxya.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Program Files (x86)\Svwxya.exe
      "C:\Program Files (x86)\Svwxya.exe" Win7
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Svwxya.exe

    Filesize

    820KB

    MD5

    ba5ded4a384dc6ab600dd6af1ba25884

    SHA1

    8bad7156fda273bfc789b6810dacabec05207688

    SHA256

    c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861

    SHA512

    5a1d98da409088e0f2e8af57ec5292ce1b2d0149a84e7cdcfa6d8335219eb3c1375d81daf1776f454126256fa536e86ea609621ef027417197d04975764a4a5b

  • memory/1796-0-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB