MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23e975c4d458f7e301752b7973418a6b07659ab1731e2cd19fe89995dc52ac7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FatalRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23e975c4d458f7e301752b7973418a6b07659ab1731e2cd19fe89995dc52ac7e
SHA3-384 hash: 89b4470eed009fd8df2fcd78f70e93fb9f95d0027af1cb67fb032529c185f46f1e0098f65008d5ff5d78eb884bf03942
SHA1 hash: 73fafe93ad6fd104fcfb8feae8d782d0f0e7ead4
MD5 hash: d747bab2dbb84ce007f7c48d2a3fc352
humanhash: twenty-william-tango-coffee
File name:d747bab2dbb84ce007f7c48d2a3fc352
Download: download sample
Signature FatalRAT
Create hunting rule
File size:66'048 bytes
First seen:2023-02-27 08:25:30 UTC
Last seen:2023-02-27 09:43:27 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash e0e87a17e111fcdd23a8af05782b3882 (1 x FatalRAT)
ssdeep 1536:54kwdbdWdqFMrUt1KoyqkzhjShwP6eSTyCJLmWYNW:54kwdbdkqpQqKI4zELOQ
Threatray 55 similar samples on MalwareBazaar
TLSH T1F353CFD93690C474F4AE177160AB279A93FAF5413FE6C7435D980AAC7E6B3082E51312
TrID 42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
17.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.6% (.EXE) Win32 Executable (generic) (4505/5/1)
5.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 dll exe FatalRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Detection:
FatalRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/369984/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/63fc691d589e1e4c5bd97586/reports/6994f09a-3128-441d-b4e5-1309bf431532/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/23e975c4d458f7e301752b7973418a6b07659ab1731e2cd19fe89995dc52ac7e
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/31560527-0618-4d23-917b-9cdb27c365b4
Result
Threat name:
GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1182968
Signature
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to determine the online IP of the system
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23e975c4d458f7e301752b7973418a6b07659ab1731e2cd19fe89995dc52ac7e/
Threat name:
Win32.Trojan.Antavmu
Create hunting rule
Status:
Malicious
First seen:
2023-02-27 08:26:09 UTC
File Type:
PE (Dll)
Extracted files:
8
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=epuxlrguld36galvfn4xgqmknmdwlgvrompczum75cmzlxcsvr7a._file
Verdict:
malicious
Similar samples:
444ccb4a0c24e38f61ba9722d095fc8487aeacf0d16b322f019b9547af2f423a
FatalRAT
64e4c9c434fedb085a6cb79509ba8f40772ac1f62ced2bed1da41c16167a577d
FatalRAT
738ff1b734f45db5f96fcf7cf44bc19be88ae922ef08a4b1952bdc3b12e86090
FatalRAT
b1e165a77e4b0de2cd16fdd3994e9cddf0d1f13f1e80bd277385c7d2a8943203
FatalRAT
cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5
FatalRAT
ef0c34580084f9855c1e5c3fa9d902688d400baabc7366c8da9ba3d4b708da49
FatalRAT
+ 45 additional samples on MalwareBazaar
Result
Malware family:
fatalrat
Create hunting rule
Score:
  10/10
Tags:
family:fatalrat aspackv2 infostealer rat
Link:
https://tria.ge/reports/230227-kbvygsce77/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Fatal Rat payload
FatalRat
Unpacked files
SH256 hash:
605e4e80510e14afcba46a4350d1ada89d51c3e66b74dafaeb9de9174a2c5569
MD5 hash:
9c41a5e3ebb57ae665bf2fcd0883b945
SHA1 hash:
116e99d6db346e19a5c529f8043231abef719762
Link:
https://www.unpac.me/results/6b5fe431-fefe-4724-af9d-97ccc020471d/
SH256 hash:
23e975c4d458f7e301752b7973418a6b07659ab1731e2cd19fe89995dc52ac7e
MD5 hash:
d747bab2dbb84ce007f7c48d2a3fc352
SHA1 hash:
73fafe93ad6fd104fcfb8feae8d782d0f0e7ead4
Link:
https://www.unpac.me/results/6b5fe431-fefe-4724-af9d-97ccc020471d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/23e975c4d458f7e301752b7973418a6b07659ab1731e2cd19fe89995dc52ac7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

FatalRAT

DLL dll 23e975c4d458f7e301752b7973418a6b07659ab1731e2cd19fe89995dc52ac7e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2551552/
Cape
Cape
https://www.capesandbox.com/analysis/369984/

Comments


Avatar
zbet commented on 2023-02-27 08:25:33 UTC

url : hxxp://39.109.114.129:5858/xdxm/qbcore.dll