fatalrat | c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 17:14

Target

c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe
Size

820KB
MD5

ba5ded4a384dc6ab600dd6af1ba25884
SHA1

8bad7156fda273bfc789b6810dacabec05207688
SHA256

c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861
SHA512

5a1d98da409088e0f2e8af57ec5292ce1b2d0149a84e7cdcfa6d8335219eb3c1375d81daf1776f454126256fa536e86ea609621ef027417197d04975764a4a5b
SSDEEP

12288:OKnJXa/rMOPsQ3ykLlf6VEPvgHyBqgiyUDHUgYR9mLzQx:1OLPsQ9faSQNyUD07EH

Score

10^/10

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

Processes:

resource	yara_rule
behavioral2/memory/4396-0-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat
behavioral2/memory/4500-8-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

Processes:

Svwxya.exeSvwxya.exe

pid process

4500 Svwxya.exe
3960 Svwxya.exe

pid	process
4500	Svwxya.exe
3960	Svwxya.exe

Drops file in Program Files directory 4 IoCs

Processes:

c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exeSvwxya.exe

description	ioc	process
File created	C:\Program Files (x86)\Svwxya.exe	c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe
File opened for modification	C:\Program Files (x86)\Svwxya.exe	c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe
File opened for modification	C:\Program Files (x86)\Svwxya.exe	Svwxya.exe
File created	C:\Program Files (x86)\Svwxya.exe	Svwxya.exe

Modifies data under HKEY_USERS 16 IoCs

Processes:

Svwxya.exeSvwxya.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Svwxya.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services	Svwxya.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Stuvwx Abcdefgh\Group = "Fatal"	Svwxya.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Stuvwx Abcdefgh\InstallTime = "2024-04-24 17:14"	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	Svwxya.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Stuvwx Abcdefgh	Svwxya.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe

pid process

4396 c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe

pid	process
4396	c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exeSvwxya.exeSvwxya.exe

description	pid	process
Token: SeDebugPrivilege	4396	c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe
Token: SeDebugPrivilege	4500	Svwxya.exe
Token: SeDebugPrivilege	3960	Svwxya.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Svwxya.exe

description	pid	process	target process
PID 4500 wrote to memory of 3960	4500	Svwxya.exe	Svwxya.exe
PID 4500 wrote to memory of 3960	4500	Svwxya.exe	Svwxya.exe
PID 4500 wrote to memory of 3960	4500	Svwxya.exe	Svwxya.exe

C:\Program Files (x86)\Svwxya.exe

Filesize
820KB

MD5
ba5ded4a384dc6ab600dd6af1ba25884

SHA1
8bad7156fda273bfc789b6810dacabec05207688

SHA256
c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861

SHA512
5a1d98da409088e0f2e8af57ec5292ce1b2d0149a84e7cdcfa6d8335219eb3c1375d81daf1776f454126256fa536e86ea609621ef027417197d04975764a4a5b

Download Submit
memory/4396-0-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/4500-8-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download