MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 252f62fd53af829b188afc11bd2215d0d7793bf3cf0f44c3ac9bb5cb9d5fa2b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FatalRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 252f62fd53af829b188afc11bd2215d0d7793bf3cf0f44c3ac9bb5cb9d5fa2b4
SHA3-384 hash: fa7bda2c8542ba7764ddaf9b9eb1fbe63423b28e7b7024e022354f45037a3c6d3eab1dfb1717f56ecb7d6c76b66286e2
SHA1 hash: 1f6734b5f9f45d1f06841c4944c30328dbdd8cde
MD5 hash: 34b10906d83c11208a62ab492c7d4be3
humanhash: kentucky-charlie-carolina-nitrogen
File name:34b10906d83c11208a62ab492c7d4be3.exe
Download: download sample
Signature FatalRAT
Create hunting rule
File size:8'718'848 bytes
First seen:2025-07-21 20:06:46 UTC
Last seen:2025-09-17 07:16:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 79346d73f8d60fa11ceef27932261e6a (3 x FatalRAT)
ssdeep 196608:F2sFHi5JQX8GEi8L6QZOOqrxktFw3r6cJW6ukaae:7C5JQXShZOOqrxktFw3rQkaae
TLSH T13B9659D13A868469C83577F29890F3661078CE1CE176CAD59E88F675FE3390ECABB441
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon c28ccc8ccccce492 (2 x FatalRAT)
Reporter abuse_ch
Tags:exe FatalRAT longlq-cl


Avatar
abuse_ch
FatalRAT C2:
192.238.177.48:8081

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
192.238.177.48:8081 https://threatfox.abuse.ch/ioc/1559128/

Intelligence

File Origin
# of uploads :
2
# of downloads :
32
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_252f62fd53af829b188afc11bd2215d0d7793bf3cf0f44c3ac9bb5cb9d5fa2b4.exe
Verdict:
Malicious activity
Analysis date:
2025-07-21 20:09:24 UTC
Tags:
auto-startup susp-lnk arch-exec
Link:
https://app.any.run/tasks/1f030d2e-a5ef-424f-8865-ed09ceb34e9f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
FatalRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/16173/
Verdict:
Malicious
Score:
98.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=687e9dfe2f623871a5f178be
Tags:
phishing autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Connection attempt
DNS request
Searching for the window
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/252f62fd53af829b188afc11bd2215d0d7793bf3cf0f44c3ac9bb5cb9d5fa2b4
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa83d5df-f249-45ea-92cb-405b73374838
Result
Threat name:
FatalRAT, GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1741589
Signature
Antivirus / Scanner detection for submitted sample
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to determine the online IP of the system
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Detected unpacking (creates a PE file in dynamic memory)
Found suspicious ZIP file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Suricata IDS alerts for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected FatalRAT
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/252f62fd53af829b188afc11bd2215d0d7793bf3cf0f44c3ac9bb5cb9d5fa2b4
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/252f62fd53af829b188afc11bd2215d0d7793bf3cf0f44c3ac9bb5cb9d5fa2b4/
Verdict:
Malicious
Threat:
Trojan.Win32.TCP
Link:
https://tip.neiki.dev/file/252f62fd53af829b188afc11bd2215d0d7793bf3cf0f44c3ac9bb5cb9d5fa2b4
Threat name:
Win32.Trojan.Antavmu
Create hunting rule
Status:
Malicious
First seen:
2025-07-17 14:50:49 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
16 of 22 (72.73%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=euxwf7ktv6bjwgek7qi32iqv2dlxso7tz4hujq5mto24xhk7uk2a._file
Result
Malware family:
fatalrat
Create hunting rule
Score:
  10/10
Tags:
family:fatalrat discovery infostealer rat stealer trojan
Link:
https://tria.ge/reports/250721-yv5tpazmz3/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in System32 directory
Drops startup file
Executes dropped EXE
Loads dropped DLL
Fatal Rat payload
FatalRat
Fatalrat family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/37f0a42d-ef6e-4e18-82b4-44025ef4624f
Unpacked files
SH256 hash:
252f62fd53af829b188afc11bd2215d0d7793bf3cf0f44c3ac9bb5cb9d5fa2b4
MD5 hash:
34b10906d83c11208a62ab492c7d4be3
SHA1 hash:
1f6734b5f9f45d1f06841c4944c30328dbdd8cde
Link:
https://www.unpac.me/results/7b50d940-3a2d-4e2e-a400-65e633888bc1/
SH256 hash:
8a466a25ffb353b1c2cf2a61265bae5f51550c2ab6a5d7596fa6e0d0ed1510c9
MD5 hash:
5e3966096a6dcafd9620e6f25ff75e96
SHA1 hash:
47ad21d9bdf23f901de8f62ccbeaad222acffb37
Link:
https://www.unpac.me/results/7b50d940-3a2d-4e2e-a400-65e633888bc1/
SH256 hash:
5b74329f72b5e185b8e962ca2c2dadb17f2b1ed09a933f73b6d17cf37b8ed7e7
MD5 hash:
9d3174d55fa15c3302103152ccef43d1
SHA1 hash:
75c6cf6f9b0bb4b03de3c30c82a36dee946a1a7f
Link:
https://www.unpac.me/results/7b50d940-3a2d-4e2e-a400-65e633888bc1/
SH256 hash:
b1ac2445dfe81d8f63022fd2273cb602f433ae69a68126db9c67f4ad72276374
MD5 hash:
7c2ebb5c2cd93b07cb5b4b13ae35e0c6
SHA1 hash:
e2d4060213fe06c8c294d61d9daf93fc7d56a798
Link:
https://www.unpac.me/results/7b50d940-3a2d-4e2e-a400-65e633888bc1/
SH256 hash:
c50d191d0e79ae6b60559b1f1b7bf2ea85dbb88d28e5760d35f009d2fd068b21
MD5 hash:
5e79f16f5c9b2d477de00b08a81b8d4a
SHA1 hash:
b10e2df531003fcccfbc2fe0d0fecdc9fad62667
Detections:
win_fatal_rat_w0
Create hunting rule
win_younglotus_g0
Create hunting rule
win_fatal_rat_auto
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
MALWARE_Win_FatalRAT
Create hunting rule
Link:
https://www.unpac.me/results/7b50d940-3a2d-4e2e-a400-65e633888bc1/
Parent samples :
41739bfb9518c5de588152c8090911bf2be7677794d97ff50a7642276752f7c5
8d5f0150d9529fe33d1bae3c8891fa46556782c0d9269215bc8ad672e178a902
252f62fd53af829b188afc11bd2215d0d7793bf3cf0f44c3ac9bb5cb9d5fa2b4
72ea59962c5ac7200d317104a55a6a09d657d3f6c224c963ae380ff39941f04c
9caa90fe0216c66dc29e3049b126643d2a8c68f68663fba2da70a2d9c29d5c49
f735dfdc7f1a238074f0e501d8e8d823ff3a9020a4b843dda69ff3f349567d20
9d6d15a37df9799adf1e7fdbd65ab162e770fe0952c91c1ff5c91dc40f1ae659
1caacde9b1b6557c996ffe78f932ffc6ceba05ee3d095e2741df75d3a52c30b2
SH256 hash:
947271cf054ad3b893ff8eae6a16e0e5012a45965c7d985267e29ba8ead899d3
MD5 hash:
cda0ecd803c8248285cad25b58a5f24b
SHA1 hash:
7703516f5268ea192b1dbd4db926caf38f5ad53e
Link:
https://www.unpac.me/results/7b50d940-3a2d-4e2e-a400-65e633888bc1/
SH256 hash:
1b3c564df7c39a73b05882dcf5826a2c8310793a5c8f97f35de666561dee92ca
MD5 hash:
576f7bdd0e9fe3888eb6a09647d78372
SHA1 hash:
5f48d4a436b8b6310626f89dacf9d58f35c2b260
Link:
https://www.unpac.me/results/7b50d940-3a2d-4e2e-a400-65e633888bc1/
SH256 hash:
08b571a4d0f91d1102d257f50f27a2546fd2775b42517d1323777f6316cc48b4
MD5 hash:
c761ba03a4c6e61bd97b223a84c5e838
SHA1 hash:
a49f004c0e012d9247fa81791475dd86d045b895
Link:
https://www.unpac.me/results/7b50d940-3a2d-4e2e-a400-65e633888bc1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/252f62fd53af829b188afc11bd2215d0d7793bf3cf0f44c3ac9bb5cb9d5fa2b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/16173/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoFreeUnusedLibraries
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryW
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::GetTempPathA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::CreateMenu
USER32.dll::CreateWindowExA

Comments