MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1924b09ff1e25fe9d39bad70f094766863f366543658627fe94f435b07da6109. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FatalRAT


Vendor detections: 8



SHA256 hash: 1924b09ff1e25fe9d39bad70f094766863f366543658627fe94f435b07da6109
SHA3-384 hash: edd0e385c880af54b98e8bcc51ac3cb72173940af069098eccb06d137e4b044a174b8f49227f9ac7ac732cb99d816932
SHA1 hash: 20f8d75d976f7af644bf8479ab1e611fe5bea55f
MD5 hash: 1ac2f26a8d6237713f6120d9272de355
humanhash: quiet-violet-speaker-asparagus
File name: Chrome.msi
Signature: FatalRAT
File size: 15'328'768 bytes
First seen: 2025-02-21 22:48:43 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 393216:LBfMDSDSK12jqHzADE/FxGAl81nKJJ3g7xM9a6uAAARWMgyeG/z:5Mg2jUziiFxGAS1UJQNM9aE3RW1yemz
TLSH: T1F8F61212E98FC631FB6D417AD868EB2F257A7FE2073180D7A3E43D9A49704C152B5E06
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: aachum
Tags: Blackmoon FatalRAT KRBanker msi
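The entry identifies the file by four digests and by container type: TrID and Magika both call it an MSI, which is an OLE2 compound file. The Python below is an added example written for this page, not code from MalwareBazaar or from the sample's analysts, that does the two checks an analyst runs before detonating a download: recompute the digests and compare them with the entry, and parse the compound-file header so a file that merely carries an .msi extension is rejected before it reaches an MSI parser. The hash constants are copied from the entry; the header layout follows the MS-CFB specification; the blob produced by build_minimal_cfb is constructed here for offline testing and is not sample data.

```python
import hashlib
import struct

# Digests published on this MalwareBazaar entry for Chrome.msi (copied from the page).
ENTRY_HASHES = {
    "sha256": "1924b09ff1e25fe9d39bad70f094766863f366543658627fe94f435b07da6109",
    "sha1": "20f8d75d976f7af644bf8479ab1e611fe5bea55f",
    "md5": "1ac2f26a8d6237713f6120d9272de355",
    "sha3_384": "edd0e385c880af54b98e8bcc51ac3cb72173940af069098eccb06d137e4b044a174b8f49227f9ac7ac732cb99d816932",
}

# An MSI is an OLE2 / Compound File Binary (CFB) container: 8-byte signature, then a
# fixed header (MS-CFB section 2.2) followed by the 109-entry DIFAT array, 512 bytes total.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
CFB_HEADER = struct.Struct("<8s16sHHHHH6sIIIIIIIII")
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF


def hash_sample(data: bytes) -> dict:
    """Compute the four digests the entry lists, keyed like ENTRY_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in ENTRY_HASHES}


def matches_entry(data: bytes) -> bool:
    """True only when every digest agrees with the entry; one mismatch means a different file."""
    return hash_sample(data) == ENTRY_HASHES


def looks_like_cfb(data: bytes) -> bool:
    """Cheap magic check; parse_cfb_header does the full header validation."""
    return data[:8] == CFB_MAGIC


def parse_cfb_header(data: bytes) -> dict:
    """Validate the CFB header and return the layout fields needed to walk the FAT.

    Raises ValueError when the bytes are not a compound file, so a PE or script that
    merely carries an .msi extension is rejected before it reaches an MSI parser.
    """
    if len(data) < 512:
        raise ValueError("shorter than a CFB header")
    (magic, _clsid, _minor, major, byte_order, sector_shift, mini_shift, _reserved,
     dir_sectors, fat_sectors, first_dir, _txn, mini_cutoff,
     first_minifat, minifat_sectors, first_difat, difat_sectors) = CFB_HEADER.unpack_from(data, 0)
    if magic != CFB_MAGIC:
        raise ValueError("not an OLE2/CFB compound file (bad signature)")
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order marker 0x%04x" % byte_order)
    # Only two (major version, sector shift) pairs are valid: v3/512-byte and v4/4096-byte sectors.
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        raise ValueError("invalid version/sector-shift pair (%d, %d)" % (major, sector_shift))
    if mini_shift != 6 or mini_cutoff != 4096:
        raise ValueError("non-standard mini stream parameters")
    return {
        "major_version": major,
        "sector_size": 1 << sector_shift,
        "mini_sector_size": 1 << mini_shift,
        "directory_sectors": dir_sectors,
        "fat_sectors": fat_sectors,
        "first_directory_sector": first_dir,
        "first_minifat_sector": first_minifat,
        "minifat_sectors": minifat_sectors,
        "first_difat_sector": first_difat,
        "difat_sectors": difat_sectors,
    }


def build_minimal_cfb(major: int = 3) -> bytes:
    """Construct a header-only compound file for offline testing; this is not sample data."""
    sector_shift = 9 if major == 3 else 12
    header = CFB_HEADER.pack(
        CFB_MAGIC, b"\0" * 16, 0x003E, major, 0xFFFE, sector_shift, 6, b"\0" * 6,
        0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    # DIFAT: the single FAT sector lives at sector 0; the other 108 slots are free.
    difat = struct.pack("<I", 0) + struct.pack("<I", FREESECT) * 108
    return (header + difat).ljust(1 << sector_shift, b"\0")


def first_look(data: bytes) -> dict:
    """Digests, entry match and container sanity in one call."""
    return {"hashes": hash_sample(data), "matches_entry": matches_entry(data), "cfb": parse_cfb_header(data)}


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_cfb()
    print(first_look(blob))
```

Run it as `python first_look.py Chrome.msi` against the downloaded sample; without an argument it exercises the constructed blob. Comparing all four digests rather than only MD5 matters here because the entry lists MD5 alongside SHA-256: a collision-resistant digest is the one that actually identifies the file.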


iamaachum
https://qpwlm.chrmg.work/ => https://aom-pothos-8afd8b.netlify.app/download => https://goolee-1330838086.cos.ap-hongkong.myqcloud.com/Chrome.zip

Intelligence

File Origin
# of uploads: 1
# of downloads: 40
Origin country: ES

Vendor Threat Intelligence

Verdict: Malicious
Score: 92.5%
Tags: shellcode phishing dropper virus

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-vm cmd evasive fingerprint lolbin obfuscated remote timeout wix

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FatalRAT, GhostRat, Nitol
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to determine the online IP of the system
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Opens the same file many times (likely Sandbox evasion)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FatalRAT
Yara detected GhostRat
Yara detected Nitol
Behaviour

Behavior Graph ID: 1621492
Sample: Chrome.msi
Startdate: 21/02/2025
Architecture: WINDOWS
Score: 100

Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Yara detected FatalRAT; 6 other signatures
DNS: a17.yydsnb1.top, a17.nbdsnb2.top

Process tree (indentation shows parent/child; dropped files and signatures are listed under the process they belong to):

msiexec.exe
    dropped: C:\Windows\Installer\MSI88CC.tmp (PE32); C:\Windows\Installer\MSI887D.tmp (PE32); C:\Windows\Installer\MSI87D0.tmp (PE32); 6 other malicious files
    msiexec.exe
        cmd.exe
            setup.exe
                dropped: C:\Windows\SystemTemp\...\psuser_64.dll (PE32+); C:\Windows\SystemTemp\...\psuser.dll (PE32); C:\Windows\SystemTemp\...\psmachine_64.dll (PE32+); 65 other malicious files
                signatures: Drops executables to the windows directory (C:\Windows) and starts them
                GoogleUpdate.exe
                    dropped: C:\Program Files (x86)\...\GoogleUpdate.exe (PE32)
            scrok.exe
                signatures: Antivirus detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions
                svchost.exe (injected)
                    GoogleUpdateOnDemand.exe
            scrok.exe
                signatures: Allocates memory in foreign processes; Injects a PE file into a foreign processes; Found direct / indirect Syscall (likely to bypass EDR)
            7 other processes
                dropped: C:\ProgramData\Smart\setup.exe (PE32); C:\ProgramData\Smart\TjNkNpAilaYvt.exe (PE32); C:\ProgramData\Packas\scrok.exe (PE32+); C:\ProgramData\NVIDIARV\svchost.exe (PE32)
                signatures: Found API chain indicative of debugger detection; Drops PE files with benign system names; Reads the Security eventlog; Reads the System eventlog
TjNkNpAilaYvt.exe
    signatures: Creates files in the system32 config directory
    setup.exe
        signatures: Antivirus detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Tries to detect virtualization through RDTSC time measurements
        svchost.exe
            network: a17.yydsnb1.top (47.76.184.172), ports 1080, 49737, 49739, VODAFONE-TRANSIT-AS Vodafone NZ Ltd (NZ), United States
            signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Creates an undocumented autostart registry key; 10 other signatures
        svchost.exe
        svchost.exe
msiexec.exe
Result
Malware family: fatalrat
Score: 10/10
Tags: family:blackmoon family:fatalrat banker discovery infostealer persistence privilege_escalation rat spyware stealer trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Checks installed software on the system
Checks system information in the registry
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
Boot or Logon Autostart Execution: Active Setup
Enumerates connected drives
Event Triggered Execution: Image File Execution Options Injection
VMProtect packed file
Fatal Rat payload
Blackmoon family
Blackmoon, KrBanker
Detect Blackmoon payload
FatalRat
Fatalrat family
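The behaviours above name four registry persistence mechanisms: Image File Execution Options injection, Active Setup, Component Object Model hijacking, and (from the sandbox signatures) an undocumented autostart key. The Python below is an added example written for this page, not Triage's or MalwareBazaar's code, that parses a .reg export, the output of `reg export` on a suspect host, and reports entries under those locations whose targets sit outside trusted program directories. The keys, GUIDs and values in REG_EXPORT are constructed for the example; the file paths reuse the drop locations from the behavior graph, but the entry does not say which keys the sample actually writes, so treat them as illustrative. TRUSTED_DIRS is an assumption about a default install.

```python
import re

# Registry locations behind the persistence behaviours flagged on this entry. All comparisons
# are case-insensitive because the registry is.
IFEO_MARK = "\\image file execution options\\"
ACTIVE_SETUP_MARK = "\\active setup\\installed components\\"
HKCU_INPROC = re.compile(r"^hkey_current_user\\software\\classes\\clsid\\\{[0-9a-f-]+\}\\inprocserver32$")
RUN_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")
# Where a legitimate StubPath / InprocServer32 / Run target normally lives (editor's assumption).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files", r"c:\program files (x86)")

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_PATH = re.compile(r'^"?(.+?\.(?:exe|dll))', re.IGNORECASE)


def parse_reg_export(text: str) -> dict:
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {value name: data}}.

    REG_SZ data is unquoted and unescaped (\\\\ -> \\, \\" -> "); other types (hex:, dword:)
    are kept as written. The default value (@=) is stored under the empty name.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name, data = m.group(1) or "", m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def target_is_trusted(data: str) -> bool:
    """Pull the .exe/.dll path out of a value (quoted or not, with or without arguments)
    and check that it sits under a trusted root."""
    m = _PATH.match(data)
    if not m:
        return False  # no recognisable path: leave it untrusted so it gets reviewed
    path = m.group(1).lower()
    return any(path.startswith(root + "\\") for root in TRUSTED_DIRS)


def audit_persistence(keys: dict) -> list:
    """Return (category, key, data) triples for entries that deserve a second look."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        lv = {n.lower(): d for n, d in values.items()}
        if IFEO_MARK in k and "debugger" in lv:
            # A Debugger value runs the named program in place of the target; there is no benign default.
            findings.append(("IFEO Debugger", key, lv["debugger"]))
        if ACTIVE_SETUP_MARK in k and "stubpath" in lv and not target_is_trusted(lv["stubpath"]):
            findings.append(("Active Setup StubPath", key, lv["stubpath"]))
        if HKCU_INPROC.match(k) and "" in lv and not target_is_trusted(lv[""]):
            # A per-user CLSID server shadows the machine-wide one: the COM hijack the behaviour list names.
            findings.append(("HKCU COM InprocServer32", key, lv[""]))
        if k.endswith(RUN_SUFFIXES):
            for name, data in values.items():
                if not target_is_trusted(data):
                    findings.append(("Run key", key + "\\" + name, data))
    return findings


# Constructed export for the example; GUIDs and key choices are invented, paths reuse the entry's drop locations.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\ProgramData\\Packas\\scrok.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-4333-8444-555555555555}]
@="Smart"
"StubPath"="C:\\ProgramData\\Smart\\setup.exe /q"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66666666-7777-4888-8999-aaaaaaaaaaaa}]
"StubPath"="C:\\Windows\\System32\\example.exe /silent"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{bbbbbbbb-cccc-4ddd-8eee-ffffffffffff}\InprocServer32]
@="C:\\ProgramData\\NVIDIARV\\psuser.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"NVIDIARV"="C:\\ProgramData\\NVIDIARV\\svchost.exe"
"""

if __name__ == "__main__":
    for category, key, data in audit_persistence(parse_reg_export(REG_EXPORT)):
        print(f"{category}: {key} -> {data}")
```

On a live host, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg /y` (and the same for the IFEO, Active Setup and HKCU\Software\Classes\CLSID hives) produces the input; `reg export` writes UTF-16 LE, so open the file with encoding="utf-16" before handing the text to parse_reg_export. The trusted-root test is what keeps the noise down: per-user COM registrations and vendor Active Setup stubs are normal, and it is the target under ProgramData, not the key itself, that makes an entry suspicious.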
Result
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_LATAM_MSI_Banker

Rule name: detect_tiny_vbs
Author: daniyyell
Description: Detects tiny VBS delivery technique

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: NET
Author: malware-lu

Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: FatalRAT
File type: Microsoft Software Installer (MSI) msi
SHA256: 1924b09ff1e25fe9d39bad70f094766863f366543658627fe94f435b07da6109 (this sample)

Comments



commented on 2025-02-21 22:49:14 UTC

Found at https://chro.edrmodd.shop/ too