fatalrat | c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861

General

Target

c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe
Size

820KB
MD5

ba5ded4a384dc6ab600dd6af1ba25884
SHA1

8bad7156fda273bfc789b6810dacabec05207688
SHA256

c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861
SHA512

5a1d98da409088e0f2e8af57ec5292ce1b2d0149a84e7cdcfa6d8335219eb3c1375d81daf1776f454126256fa536e86ea609621ef027417197d04975764a4a5b
SSDEEP

12288:OKnJXa/rMOPsQ3ykLlf6VEPvgHyBqgiyUDHUgYR9mLzQx:1OLPsQ9faSQNyUD07EH

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral1/memory/1796-0-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

Processes:

Svwxya.exeSvwxya.exe

pid process

3048 Svwxya.exe
2564 Svwxya.exe
Loads dropped DLL 1 IoCs

Processes:

Svwxya.exe

pid process

3048 Svwxya.exe

pid	process
3048	Svwxya.exe
2564	Svwxya.exe

pid	process
3048	Svwxya.exe

Drops file in Program Files directory 4 IoCs

Processes:

c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exeSvwxya.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Svwxya.exe	c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe
File opened for modification	C:\Program Files (x86)\Svwxya.exe	Svwxya.exe
File created	C:\Program Files (x86)\Svwxya.exe	Svwxya.exe
File created	C:\Program Files (x86)\Svwxya.exe	c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe

Modifies data under HKEY_USERS 16 IoCs

Processes:

Svwxya.exeSvwxya.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Svwxya.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh\Group = "Fatal"	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	Svwxya.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh\InstallTime = "2024-04-24 17:14"	Svwxya.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Svwxya.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	Svwxya.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe

pid process

1796 c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe

pid	process
1796	c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exeSvwxya.exeSvwxya.exe

description	pid	process
Token: SeDebugPrivilege	1796	c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe
Token: SeDebugPrivilege	3048	Svwxya.exe
Token: SeDebugPrivilege	2564	Svwxya.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Svwxya.exe

description	pid	process	target process
PID 3048 wrote to memory of 2564	3048	Svwxya.exe	Svwxya.exe
PID 3048 wrote to memory of 2564	3048	Svwxya.exe	Svwxya.exe
PID 3048 wrote to memory of 2564	3048	Svwxya.exe	Svwxya.exe
PID 3048 wrote to memory of 2564	3048	Svwxya.exe	Svwxya.exe

C:\Users\Admin\AppData\Local\Temp\c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe
"C:\Users\Admin\AppData\Local\Temp\c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Program Files (x86)\Svwxya.exe
"C:\Program Files (x86)\Svwxya.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Program Files (x86)\Svwxya.exe
"C:\Program Files (x86)\Svwxya.exe" Win7
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Svwxya.exe

Filesize
820KB

MD5
ba5ded4a384dc6ab600dd6af1ba25884

SHA1
8bad7156fda273bfc789b6810dacabec05207688

SHA256
c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861

SHA512
5a1d98da409088e0f2e8af57ec5292ce1b2d0149a84e7cdcfa6d8335219eb3c1375d81daf1776f454126256fa536e86ea609621ef027417197d04975764a4a5b

Download Submit
memory/1796-0-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads