MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32cf48d0ef7ac450c80fcc9fb9ec28af88370298c36547d2a94ff882b12500ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FatalRAT


Vendor detections: 8



SHA256 hash: 32cf48d0ef7ac450c80fcc9fb9ec28af88370298c36547d2a94ff882b12500ae
SHA3-384 hash: 44c219feef7661fa3f1f6a1b6d665a5f97582d09b8de9c6c44af6330895bae2ef9e4838f27d76650b9618a9f3522b499
SHA1 hash: 4b60df157d79c4863a8065e149ec6e447d1a3342
MD5 hash: a476065df4bcac42aad4f3eeab3545b4
humanhash: indigo-fish-black-oranges
File name: Chromestup插件.msi
Signature: FatalRAT
File size: 14'013'952 bytes
First seen: 2025-03-15 06:56:56 UTC
Last seen: 2025-03-15 07:34:23 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 393216:pBfMDbMkh0n28RmwRRenYtpBRW9AxGq5azUUEC5:vMNSSnsjRaKDGEC5
Threatray: 4 similar samples on MalwareBazaar
TLSH: T11CE61212F99FC632FB6D953AD468EB2B24BA7FE20B7084D762E43D9A48704C15175F02
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: Anonymous
Tags: FakeApp FatalRAT msi Trojan horse program

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 88
Origin country: FR
Vendor Threat Intelligence
Verdict: Malicious
Score: 93.3%
Tags: shellcode phishing dropper virus
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FatalRAT, GhostRat, Nitol
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to determine the online IP of the system
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Detected VMProtect packer
Drops PE files with benign system names
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Opens the same file many times (likely Sandbox evasion)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FatalRAT
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 1639249, Sample: Chromestup#U63d2#U4ef6.msi, Startdate: 15/03/2025, Architecture: WINDOWS, Score: 100
Result
Malware family: fatalrat
Score: 10/10
Tags: family:blackmoon family:fatalrat banker discovery infostealer persistence privilege_escalation rat stealer trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Enumerates connected drives
VMProtect packed file
Fatal Rat payload
Blackmoon family
Blackmoon, KrBanker
Detect Blackmoon payload
FatalRat
Fatalrat family
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_LATAM_MSI_Banker
Rule name: detect_tiny_vbs
Author: daniyyell
Description: Detects tiny VBS delivery technique
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: NET
Author: malware-lu
Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments