MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72ea59962c5ac7200d317104a55a6a09d657d3f6c224c963ae380ff39941f04c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FatalRAT

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 4 File information Comments

SHA256 hash:	72ea59962c5ac7200d317104a55a6a09d657d3f6c224c963ae380ff39941f04c
SHA3-384 hash:	e0cda80330f7072dcde98ed91e71b66e04ba1cf38627c11994497fae4e86b0cd1db9341a9fef5541a4f01edafec1b985
SHA1 hash:	8a0dafa108f333b9bffb83902c6ff9d07b9e395e
MD5 hash:	5effc8c24375dfff489c6318c88b3b81
humanhash:	single-stream-uranus-autumn
File name:	5EFFC8C24375DFFF489C6318C88B3B81.exe
Download:	download sample
Signature	FatalRAT Create hunting rule
File size:	5'293'056 bytes
First seen:	2025-07-26 00:32:10 UTC
Last seen:	2025-09-17 07:16:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	79346d73f8d60fa11ceef27932261e6a (3 x FatalRAT)
ssdeep	98304:ulvO8Pw9abKDhZgW5MzEOPgRJBtmF2lYTygC6QE4M:wvO8opjNzOPgjVYTy
TLSH	T1C8364AB5F94AE6E5C505F6B1C69E0969CEB8A73ACF805E629C04F76F7112E00078BD07
TrID	37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.7% (.EXE) Win64 Executable (generic) (10522/11/4) 7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
dhash icon	d4c6a098cea6d6c8 (1 x FatalRAT)
Reporter	abuse_ch
Tags:	exe FatalRAT longlq-cl

abuse_ch

FatalRAT C2:
43.132.231.144:8081

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
43.132.231.144:8081	https://threatfox.abuse.ch/ioc/1560771/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

fatalrat

ID:

File name:

5EFFC8C24375DFFF489C6318C88B3B81.exe

Verdict:

Malicious activity

Analysis date:

2025-07-26 00:52:58 UTC

Tags:

auto-startup fatalrat rat susp-lnk arch-exec

Link:

https://app.any.run/tasks/b0005cf6-584e-4acc-8369-dab7e99f6c06

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

FatalRAT

Link:

https://www.capesandbox.com/analysis/16891/

Verdict:

Malicious

Score:

98.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68842253af3050dc8d30fa71

Tags:

autorun virus spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a window

Connection attempt

DNS request

Searching for the window

Sending a custom TCP request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Сreating synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

Enabling autorun by creating a file

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/72ea59962c5ac7200d317104a55a6a09d657d3f6c224c963ae380ff39941f04c

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/89d61265-ca03-47d0-b30b-70312823070c

Result

Threat name:

FatalRAT, GhostRat, Nitol

Detection:

malicious

Classification:

bank.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1744458

Signature

Checks if browser processes are running

Contains functionality to access PhysicalDrive, possible boot sector overwrite

Contains functionality to automate explorer (e.g. start an application)

Contains functionality to capture and log keystrokes

Contains functionality to detect sleep reduction / modifications

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to determine the online IP of the system

Contains functionality to infect the boot sector

Contains functionality to inject threads in other processes

Creates an undocumented autostart registry key

Detected unpacking (creates a PE file in dynamic memory)

Found suspicious ZIP file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Opens the same file many times (likely Sandbox evasion)

Suricata IDS alerts for network traffic

Tries to delay execution (extensive OutputDebugStringW loop)

Yara detected FatalRAT

Yara detected GhostRat

Yara detected Nitol

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/72ea59962c5ac7200d317104a55a6a09d657d3f6c224c963ae380ff39941f04c

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/5effc8c24375dfff489c6318c88b3b81

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/72ea59962c5ac7200d317104a55a6a09d657d3f6c224c963ae380ff39941f04c/

Threat name:

Win32.Trojan.Antavmu

Status:

Malicious

First seen:

2025-07-21 12:32:15 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 34 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=olvftfrmlldsadjroeckkwtkbhlfpu7wyismsy5ohah7hgkb6bga._file

Result

Malware family:

fatalrat

Score:

10/10

Tags:

family:fatalrat discovery infostealer rat stealer trojan upx

Link:

https://tria.ge/reports/250726-av5a6abp7w/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Drops file in System32 directory

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Drops startup file

Executes dropped EXE

Loads dropped DLL

Fatal Rat payload

FatalRat

Fatalrat family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/00234507-0183-4262-b181-51e4d1684eda

Unpacked files

SH256 hash:

72ea59962c5ac7200d317104a55a6a09d657d3f6c224c963ae380ff39941f04c

MD5 hash:

5effc8c24375dfff489c6318c88b3b81

SHA1 hash:

8a0dafa108f333b9bffb83902c6ff9d07b9e395e

Link:

https://www.unpac.me/results/d65faa17-38e9-43cb-94e2-728e177fa558/

SH256 hash:

8a466a25ffb353b1c2cf2a61265bae5f51550c2ab6a5d7596fa6e0d0ed1510c9

MD5 hash:

5e3966096a6dcafd9620e6f25ff75e96

SHA1 hash:

47ad21d9bdf23f901de8f62ccbeaad222acffb37

Link:

https://www.unpac.me/results/d65faa17-38e9-43cb-94e2-728e177fa558/

SH256 hash:

b1ac2445dfe81d8f63022fd2273cb602f433ae69a68126db9c67f4ad72276374

MD5 hash:

7c2ebb5c2cd93b07cb5b4b13ae35e0c6

SHA1 hash:

e2d4060213fe06c8c294d61d9daf93fc7d56a798

Link:

https://www.unpac.me/results/d65faa17-38e9-43cb-94e2-728e177fa558/

SH256 hash:

9aa66167379acd9322988eb15fb7a2f1ae3d729e6ee55bc91101b50dceb7abf9

MD5 hash:

bc77193ee35f7b4420193973c65ba639

SHA1 hash:

fb4368eb4acb26055200f4a4905694129cc31731

Link:

https://www.unpac.me/results/d65faa17-38e9-43cb-94e2-728e177fa558/

SH256 hash:

c50d191d0e79ae6b60559b1f1b7bf2ea85dbb88d28e5760d35f009d2fd068b21

MD5 hash:

5e79f16f5c9b2d477de00b08a81b8d4a

SHA1 hash:

b10e2df531003fcccfbc2fe0d0fecdc9fad62667

Detections:

win_fatal_rat_w0

win_younglotus_g0

win_fatal_rat_auto

INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess

MALWARE_Win_FatalRAT

Link:

https://www.unpac.me/results/d65faa17-38e9-43cb-94e2-728e177fa558/

Parent samples :

41739bfb9518c5de588152c8090911bf2be7677794d97ff50a7642276752f7c5
8d5f0150d9529fe33d1bae3c8891fa46556782c0d9269215bc8ad672e178a902
252f62fd53af829b188afc11bd2215d0d7793bf3cf0f44c3ac9bb5cb9d5fa2b4
72ea59962c5ac7200d317104a55a6a09d657d3f6c224c963ae380ff39941f04c
9caa90fe0216c66dc29e3049b126643d2a8c68f68663fba2da70a2d9c29d5c49
f735dfdc7f1a238074f0e501d8e8d823ff3a9020a4b843dda69ff3f349567d20
9d6d15a37df9799adf1e7fdbd65ab162e770fe0952c91c1ff5c91dc40f1ae659
1caacde9b1b6557c996ffe78f932ffc6ceba05ee3d095e2741df75d3a52c30b2

SH256 hash:

dad81703723eb6f0f7b86780aceaa5e939a9b363abd8078a551ca1698e3af1ec

MD5 hash:

46e4511077ff9ae3701fa97231ff9899

SHA1 hash:

2bfbd2e3b0d2132d30f2f6a1a16c6db2f02bb543

Link:

https://www.unpac.me/results/d65faa17-38e9-43cb-94e2-728e177fa558/

SH256 hash:

b97d710b5ba44400fb9837f5eab5d499211349dfff3ca576f98b71b33410c9ae

MD5 hash:

43610464fa725eb68528e26a6894cc7b

SHA1 hash:

85793b2a2cb786d5507ace0dbf8b781dcc8ccdb4

Link:

https://www.unpac.me/results/d65faa17-38e9-43cb-94e2-728e177fa558/

SH256 hash:

bf348a51d310ef37a33109f98c545a32de57c6379318472339c8666774e41f9b

MD5 hash:

5ac147dd4581da51d253fcd180f8a032

SHA1 hash:

09bcd50f5d2f006a6a8338b113adad855f583a9a

Link:

https://www.unpac.me/results/d65faa17-38e9-43cb-94e2-728e177fa558/

SH256 hash:

a61cc013e3cf56cbe53e07a7ce5a6b44466bc70a49b692c8bae02013c865a841

MD5 hash:

725683582be6d565e85ff210fa5b27f7

SHA1 hash:

287185ff3d21a9ca42e2bfd773917665590e33d8

Detections:

win_fatal_rat_w0

win_younglotus_g0

win_fatal_rat_auto

INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess

MALWARE_Win_FatalRAT

Link:

https://www.unpac.me/results/d65faa17-38e9-43cb-94e2-728e177fa558/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/72ea59962c5ac7200d317104a55a6a09d657d3f6c224c963ae380ff39941f04c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/16891/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CoFreeUnusedLibraries
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::OpenProcess KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetDiskFreeSpaceExA
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::DeleteFileA KERNEL32.dll::GetWindowsDirectoryW KERNEL32.dll::GetFileAttributesA KERNEL32.dll::GetTempPathA
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuA USER32.dll::CreateMenu USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample