MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41739bfb9518c5de588152c8090911bf2be7677794d97ff50a7642276752f7c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FatalRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41739bfb9518c5de588152c8090911bf2be7677794d97ff50a7642276752f7c5
SHA3-384 hash: 15d6acc898b200c0e97826c26c6d6b963314443d1d2c68482b1f7e4a009523c6388def4af27263859166decbe984215a
SHA1 hash: f76e0752f93b5768c518bb9a781d506e24190516
MD5 hash: 6dbacdb676094999754c0614eca999cd
humanhash: shade-victor-bulldog-california
File name:6DBACDB676094999754C0614ECA999CD.exe
Download: download sample
Signature FatalRAT
Create hunting rule
File size:11'477'060 bytes
First seen:2025-07-12 03:30:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 79346d73f8d60fa11ceef27932261e6a (3 x FatalRAT)
ssdeep 196608:pOoDTeZWLx2xERGW6FO7VSSdRSdZbmhkINNjo5W4C:TSbbmhkkjqW4C
TLSH T13BC65C510F6598AFD8587AB3919237251331EC60B5BBC606D36BB43A31323EFBE97901
TrID 32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
20.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon c28ccc8ccccce492 (2 x FatalRAT)
Reporter abuse_ch
Tags:exe FatalRAT


Avatar
abuse_ch
FatalRAT C2:
206.238.196.239:8081

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
206.238.196.239:8081 https://threatfox.abuse.ch/ioc/1556107/

Intelligence

File Origin
# of uploads :
1
# of downloads :
19
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
fatalrat
Create hunting rule
ID:
1
File name:
6DBACDB676094999754C0614ECA999CD.exe
Verdict:
Malicious activity
Analysis date:
2025-07-12 03:33:27 UTC
Tags:
fatalrat rat auto generic auto-reg
Link:
https://app.any.run/tasks/76714d16-b863-479f-bd2d-46abdc3d1f78

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
FatalRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13922/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6871d6d3900df8e7f86a0731
Tags:
phishing emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
DNS request
Connection attempt
Searching for the window
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Possible injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Trojan_Win32_Wacatac_B_ml
Link:
https://www.hybrid-analysis.com/sample/41739bfb9518c5de588152c8090911bf2be7677794d97ff50a7642276752f7c5
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da12cdfa-5f6f-49cf-8ad2-d417ca98e699
Result
Threat name:
FatalRAT, GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1734447
Signature
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to determine the online IP of the system
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Suricata IDS alerts for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected FatalRAT
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1734447 Sample: muaCSuFH2C.exe Startdate: 12/07/2025 Architecture: WINDOWS Score: 100 43 www.llq.top 2->43 53 Suricata IDS alerts for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 3 other signatures 2->59 8 Tempb64c1762ffe5434baa3db214982ad387.exe 2 2->8         started        10 muaCSuFH2C.exe 11 2->10         started        14 Tempb64c1762ffe5434baa3db214982ad387.exe 2 2->14         started        signatures3 process4 file5 16 Nc3caZR.exe 3 1 8->16         started        21 conhost.exe 8->21         started        35 C:\ProgramData\45335835c3caZR.exe, PE32 10->35 dropped 37 Tempb64c1762ffe5434baa3db214982ad387.exe, PE32 10->37 dropped 39 C:\ProgramData\453358\STGameOptBase.dll, PE32 10->39 dropped 61 Detected unpacking (creates a PE file in dynamic memory) 10->61 23 WerFault.exe 19 16 10->23         started        25 reg.exe 1 14->25         started        27 conhost.exe 14->27         started        signatures6 process7 dnsIp8 41 206.238.196.239, 49693, 8081 COGENT-174US United States 16->41 31 C:\Users\user\AppData\Local31c3caZR.exe, PE32 16->31 dropped 45 Detected unpacking (creates a PE file in dynamic memory) 16->45 47 Creates an undocumented autostart registry key 16->47 49 Contains functionality to determine the online IP of the system 16->49 51 10 other signatures 16->51 33 C:\ProgramData\Microsoft\...\Report.wer, Unicode 23->33 dropped 29 conhost.exe 1 25->29         started        file9 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/41739bfb9518c5de588152c8090911bf2be7677794d97ff50a7642276752f7c5
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
CAB:COMPRESSION:LZX Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/6dbacdb676094999754c0614eca999cd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41739bfb9518c5de588152c8090911bf2be7677794d97ff50a7642276752f7c5/
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-07-08 04:07:31 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ifzzx64vddc54webkleascirx4v6oz3xstmx75ikozbcoz2s67cq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/250712-d2mlgafn4t/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7bc9c484-ff9f-4830-b735-e8b27980d5f9
Unpacked files
SH256 hash:
6c2c204e0a15cb899c592e5836adc0bfacf73249b27e91d815739d26bf56e3f8
MD5 hash:
f6c33c31d2dc153ddffd612a0ccc4e19
SHA1 hash:
47f6adca03a904f9f8da9c5434a1c3093e679048
Link:
https://www.unpac.me/results/4f8b7d3c-1e7b-4ce3-8214-db5974f9c269/
SH256 hash:
c4efa634e4f6d8c70010e68cc0847c6447a37302710c3ddeca656162af1771f0
MD5 hash:
797068204cdb4e6ae92e7eccd2f3a708
SHA1 hash:
ec2b2a4b8c7b6b88393331aeb1229ab99270ea7b
Link:
https://www.unpac.me/results/4f8b7d3c-1e7b-4ce3-8214-db5974f9c269/
SH256 hash:
c50d191d0e79ae6b60559b1f1b7bf2ea85dbb88d28e5760d35f009d2fd068b21
MD5 hash:
5e79f16f5c9b2d477de00b08a81b8d4a
SHA1 hash:
b10e2df531003fcccfbc2fe0d0fecdc9fad62667
Detections:
win_fatal_rat_w0
Create hunting rule
win_younglotus_g0
Create hunting rule
win_fatal_rat_auto
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
MALWARE_Win_FatalRAT
Create hunting rule
Link:
https://www.unpac.me/results/4f8b7d3c-1e7b-4ce3-8214-db5974f9c269/
Parent samples :
41739bfb9518c5de588152c8090911bf2be7677794d97ff50a7642276752f7c5
8d5f0150d9529fe33d1bae3c8891fa46556782c0d9269215bc8ad672e178a902
252f62fd53af829b188afc11bd2215d0d7793bf3cf0f44c3ac9bb5cb9d5fa2b4
72ea59962c5ac7200d317104a55a6a09d657d3f6c224c963ae380ff39941f04c
9caa90fe0216c66dc29e3049b126643d2a8c68f68663fba2da70a2d9c29d5c49
f735dfdc7f1a238074f0e501d8e8d823ff3a9020a4b843dda69ff3f349567d20
9d6d15a37df9799adf1e7fdbd65ab162e770fe0952c91c1ff5c91dc40f1ae659
1caacde9b1b6557c996ffe78f932ffc6ceba05ee3d095e2741df75d3a52c30b2
SH256 hash:
fc9a2532fa51a3d36b202863a7705c389c9a821d362017adf41485f24c869eda
MD5 hash:
1ceae2982d6645b4225c1ea6cf457794
SHA1 hash:
486505b7eda18d899f9eceb64685dab75e776208
Link:
https://www.unpac.me/results/4f8b7d3c-1e7b-4ce3-8214-db5974f9c269/
SH256 hash:
7762fceaf8af0c1ba0d8d03e831de845f93d1bbee1958e85dd53d75efc73756c
MD5 hash:
c551e762a776537a31d511b5327d56cb
SHA1 hash:
2d929591a18d50dabb1a7c51f3981bcc76514f21
Detections:
win_fatal_rat_w0
Create hunting rule
win_younglotus_g0
Create hunting rule
win_fatal_rat_auto
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
MALWARE_Win_FatalRAT
Create hunting rule
Link:
https://www.unpac.me/results/4f8b7d3c-1e7b-4ce3-8214-db5974f9c269/
SH256 hash:
3b1f8370f3140c3338c7ae93cdb38671a91552a470a2c2cacd62d741a6e5d701
MD5 hash:
e16e30b459b214593d1261aac4a44a2c
SHA1 hash:
8dd8abbcff6843d6236c4417eb24080851f25202
Link:
https://www.unpac.me/results/4f8b7d3c-1e7b-4ce3-8214-db5974f9c269/
SH256 hash:
41739bfb9518c5de588152c8090911bf2be7677794d97ff50a7642276752f7c5
MD5 hash:
6dbacdb676094999754c0614eca999cd
SHA1 hash:
f76e0752f93b5768c518bb9a781d506e24190516
Link:
https://www.unpac.me/results/4f8b7d3c-1e7b-4ce3-8214-db5974f9c269/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/13922/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoFreeUnusedLibraries
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryW
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::GetTempPathA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::CreateMenu
USER32.dll::CreateWindowExA

Comments