fatalrat | c7686d25a7a9a3e08096d5db430f1cf3f6552c67773d6afaaa8e67f560c74ada

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7686d25a7a9a3e08096d5db430f1cf3f6552c67773d6afaaa8e67f560c74ada.exe
Size

912KB
MD5

6498dad935caa4d87bdc9b55c4c930aa
SHA1

f59ce446dcd18fcd7a39ebd0c11a4776affd4333
SHA256

c7686d25a7a9a3e08096d5db430f1cf3f6552c67773d6afaaa8e67f560c74ada
SHA512

ad44573dac9bb84462f2097d3d2119dd49276e364e2207d95c2b8eb1bd6b08a3524b0edcbea3c5f1e988b01fcf2fd0d3c9d8bb8324f664596c723dc72d5b2d5d
SSDEEP

24576:OP19ETGRUqtJ18lWng08/top3sGF1HKKXf:EEyRB+2u+qm

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/2088-18014-0x0000000000400000-0x00000000004FC000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

pid	Process
8316	Svwxya.exe
12960	Svwxya.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2088	c7686d25a7a9a3e08096d5db430f1cf3f6552c67773d6afaaa8e67f560c74ada.exe
2088	c7686d25a7a9a3e08096d5db430f1cf3f6552c67773d6afaaa8e67f560c74ada.exe
8316	Svwxya.exe
8316	Svwxya.exe
2088	c7686d25a7a9a3e08096d5db430f1cf3f6552c67773d6afaaa8e67f560c74ada.exe
8316	Svwxya.exe
12960	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe
8316	Svwxya.exe
12960	Svwxya.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Svwxya.exe	c7686d25a7a9a3e08096d5db430f1cf3f6552c67773d6afaaa8e67f560c74ada.exe
File opened for modification	C:\Windows\Svwxya.exe	c7686d25a7a9a3e08096d5db430f1cf3f6552c67773d6afaaa8e67f560c74ada.exe
File opened for modification	C:\Windows\Svwxya.exe	Svwxya.exe
File created	C:\Windows\Svwxya.exe	Svwxya.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh\Group = "Fatal"	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	Svwxya.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh\InstallTime = "2024-06-25 15:18"	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	Svwxya.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Svwxya.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Svwxya.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh	Svwxya.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	c7686d25a7a9a3e08096d5db430f1cf3f6552c67773d6afaaa8e67f560c74ada.exe
Token: SeDebugPrivilege	8316	Svwxya.exe
Token: SeDebugPrivilege	12960	Svwxya.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 8316 wrote to memory of 12960	8316	Svwxya.exe	29
PID 8316 wrote to memory of 12960	8316	Svwxya.exe	29
PID 8316 wrote to memory of 12960	8316	Svwxya.exe	29
PID 8316 wrote to memory of 12960	8316	Svwxya.exe	29

C:\Users\Admin\AppData\Local\Temp\c7686d25a7a9a3e08096d5db430f1cf3f6552c67773d6afaaa8e67f560c74ada.exe
"C:\Users\Admin\AppData\Local\Temp\c7686d25a7a9a3e08096d5db430f1cf3f6552c67773d6afaaa8e67f560c74ada.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\Svwxya.exe
C:\Windows\Svwxya.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8316
- C:\Windows\Svwxya.exe
  C:\Windows\Svwxya.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:12960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Svwxya.exe

Filesize
912KB

MD5
6498dad935caa4d87bdc9b55c4c930aa

SHA1
f59ce446dcd18fcd7a39ebd0c11a4776affd4333

SHA256
c7686d25a7a9a3e08096d5db430f1cf3f6552c67773d6afaaa8e67f560c74ada

SHA512
ad44573dac9bb84462f2097d3d2119dd49276e364e2207d95c2b8eb1bd6b08a3524b0edcbea3c5f1e988b01fcf2fd0d3c9d8bb8324f664596c723dc72d5b2d5d

Download Submit
memory/2088-560-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-532-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-506-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-558-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-510-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-518-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-520-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-516-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-514-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-512-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-504-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-522-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-542-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-555-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-564-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-552-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-562-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-0-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2088-508-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-18014-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2088-548-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-550-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-546-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-544-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-540-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-538-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-536-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-534-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-503-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-530-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-528-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-526-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-524-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/2088-1-0x0000000075B50000-0x0000000075B97000-memory.dmp

Filesize
284KB

Download
memory/2088-556-0x00000000021D0000-0x00000000022E1000-memory.dmp

Filesize
1.1MB

Download
memory/8316-7984-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/8316-16681-0x0000000002C10000-0x0000000002D0C000-memory.dmp

Filesize
1008KB

Download