fatalrat | 8c1f2670e5eee538bf62274f68e9316d55f51376d03017bf64c3f9887630230b

Analysis

max time kernel
128s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 10:38

Target

8c1f2670e5eee538bf62274f68e9316d55f51376d03017bf64c3f9887630230b.exe
Size

140KB
MD5

cfb70656b7855c0374683a875f44f0e4
SHA1

b84452ab83f392fac9c2e7b9c1e0ba5f9f951168
SHA256

8c1f2670e5eee538bf62274f68e9316d55f51376d03017bf64c3f9887630230b
SHA512

926367b18c23a768feb1f9a5679731ddd0de7b6c1c8542805a72debbbcba7588adfbbefb830b97e0946abe269bd7057c19e63ca704283d96f4fc7e0a671227b8
SSDEEP

1536:Vua+BTv3tIO8MtM+/6jRVGIk1MgHjsPGYYwOda2CqqZOIgQJb0lfjtO+vbWL8xJb:Vn+htWMtf+7GZYGVA2QJgi8xJLDoU

Score

10^/10

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/740-0-0x0000000010000000-0x000000001001C000-memory.dmp	fatalrat
behavioral2/memory/2816-9-0x0000000010000000-0x000000001001C000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

pid	Process
2816	Nopqrs.exe
116	Nopqrs.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Nopqrs.exe	8c1f2670e5eee538bf62274f68e9316d55f51376d03017bf64c3f9887630230b.exe
File opened for modification	C:\Windows\Nopqrs.exe	Nopqrs.exe
File created	C:\Windows\Nopqrs.exe	Nopqrs.exe
File created	C:\Windows\Nopqrs.exe	8c1f2670e5eee538bf62274f68e9316d55f51376d03017bf64c3f9887630230b.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Nopqrs Uvwxyabc\Group = "Ä¬ÈÏ"	Nopqrs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Nopqrs Uvwxyabc\InstallTime = "2024-06-26 10:39"	Nopqrs.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Nopqrs Uvwxyabc	Nopqrs.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	Nopqrs.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	Nopqrs.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services	Nopqrs.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Nopqrs Uvwxyabc	Nopqrs.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Suspicious use of AdjustPrivilegeToken 5 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 116	2816	Nopqrs.exe	102
PID 2816 wrote to memory of 116	2816	Nopqrs.exe	102
PID 2816 wrote to memory of 116	2816	Nopqrs.exe	102

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4280,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:2404

C:\Windows\Nopqrs.exe

Filesize
140KB

MD5
cfb70656b7855c0374683a875f44f0e4

SHA1
b84452ab83f392fac9c2e7b9c1e0ba5f9f951168

SHA256
8c1f2670e5eee538bf62274f68e9316d55f51376d03017bf64c3f9887630230b

SHA512
926367b18c23a768feb1f9a5679731ddd0de7b6c1c8542805a72debbbcba7588adfbbefb830b97e0946abe269bd7057c19e63ca704283d96f4fc7e0a671227b8

Download Submit
memory/740-0-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2816-9-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download