MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8493010c4ae899dcc634bd726ecc4c96d469e2a0ba1d37ba8323d3c12f42a419. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FatalRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8493010c4ae899dcc634bd726ecc4c96d469e2a0ba1d37ba8323d3c12f42a419
SHA3-384 hash: 5d7d21dbaa7eab3ea411a7c2817d9f5e5c6116443b5ec094333ac7777a40e537dceb6f6aea1b98b6fc5b16a37f7e29db
SHA1 hash: fc7b82b2c3d4d15d50244a4352dce0ff9efa8f35
MD5 hash: 982df76237c9ff52ad1d2cda5176fbc3
humanhash: yellow-finch-stream-illinois
File name:letsvpn-latest.exe
Download: download sample
Signature FatalRAT
Create hunting rule
File size:18'633'354 bytes
First seen:2024-07-20 09:36:01 UTC
Last seen:2024-07-20 14:15:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c1f9ea6d51ba4934aeaee8b1f7d283d7 (2 x CoinMiner, 1 x FatalRAT, 1 x Blackmoon)
ssdeep 393216:Y1X6WuA5qyz6CAx8HUtClFqxMzohB2OOvz9S/RjePL/B24fvI:Y9T5R6XrtMNohXez9/DQsI
TLSH T1781733687AA0FCD5EC019772A382772411E96A5359C881D0ABFDD31867B7EC7F708272
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 69ccd4d49696cc71 (13 x Adware.Adload, 8 x CoinMiner, 7 x ValleyRAT)
Reporter Anonymous
Tags:exe FatalRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
355
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
fatalrat
Create hunting rule
ID:
1
File name:
8493010c4ae899dcc634bd726ecc4c96d469e2a0ba1d37ba8323d3c12f42a419.exe
Verdict:
Malicious activity
Analysis date:
2024-07-21 08:55:31 UTC
Tags:
fatalrat rat
Link:
https://app.any.run/tasks/7f05672e-3e92-4ddb-aa15-0e1c1ada1d31

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=669b850a2f6eaff4b90ef4eb
Tags:
Execution Generic Infostealer Network Ransomware Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Program Files subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Searching for synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Searching for the window
Blocking the User Account Control
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
fingerprint hook keylogger lolbin packed packed packed shell32 upx
Link:
https://www.filescan.io/uploads/669b8506f1068d66afbf8b12/reports/bedbf096-33fd-447c-bf37-0de6c3c742b2/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/8493010c4ae899dcc634bd726ecc4c96d469e2a0ba1d37ba8323d3c12f42a419
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5260491d-62bd-4024-bd07-ee6e09386c07
Result
Threat name:
BlackMoon, FatalRAT, GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
rans.bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1477194
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to determine the online IP of the system
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Disables UAC (registry)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected BlackMoon Ransomware
Yara detected FatalRAT
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1477194 Sample: letsvpn-latest.exe Startdate: 20/07/2024 Architecture: WINDOWS Score: 100 60 seo.wccabc.com 2->60 62 dows.enigmacn.top 2->62 68 Snort IDS alert for network traffic 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for dropped file 2->72 74 11 other signatures 2->74 10 letsvpn-latest.exe 7 2->10         started        14 PTvrst.exe 2->14         started        16 PTvrst.exe 2->16         started        signatures3 process4 file5 56 C:\Program Files (x86)\uzj.exe, PE32 10->56 dropped 58 C:\Program Files (x86)\letsvpn-latest.exe, PE32 10->58 dropped 100 Contains functionality to register a low level keyboard hook 10->100 18 uzj.exe 3 11 10->18         started        23 cmd.exe 1 10->23         started        102 Writes to foreign memory regions 14->102 104 Allocates memory in foreign processes 14->104 106 Injects a PE file into a foreign processes 14->106 25 spolsvt.exe 2 14->25         started        signatures6 process7 dnsIp8 64 dows.enigmacn.top 188.114.96.3, 443, 49713 CLOUDFLARENETUS European Union 18->64 46 C:\Users\Public\Documents\...\audidog.exe, PE32 18->46 dropped 48 C:\Users\Public\Documents\sougou\PTvrst.exe, PE32 18->48 dropped 50 C:\Users\Public\Documents\...\spolsvt.exe, PE32 18->50 dropped 76 Disables UAC (registry) 18->76 27 PTvrst.exe 18->27         started        30 conhost.exe 23->30         started        78 Writes to foreign memory regions 25->78 80 Allocates memory in foreign processes 25->80 82 Injects a PE file into a foreign processes 25->82 32 spolsvt.exe 25->32         started        34 svcoth.exe 25->34         started        file9 signatures10 process11 signatures12 108 Multi AV Scanner detection for dropped file 27->108 110 Detected unpacking (changes PE section rights) 27->110 112 Machine Learning detection for dropped file 27->112 114 3 other signatures 27->114 36 spolsvt.exe 6 27->36         started        process13 file14 52 C:\Users\Public\Documents\uu\svcoth.exe, PE32 36->52 dropped 54 C:\Users\Public\Documents\dd\spolsvt.exe, PE32 36->54 dropped 84 Contains functionality to inject code into remote processes 36->84 86 Writes to foreign memory regions 36->86 88 Allocates memory in foreign processes 36->88 90 Injects a PE file into a foreign processes 36->90 40 spolsvt.exe 5 36->40         started        44 svcoth.exe 36->44         started        signatures15 process16 dnsIp17 66 seo.wccabc.com 8.218.228.132, 3928, 49715, 49723 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 40->66 92 Creates an undocumented autostart registry key 40->92 94 Contains functionality to determine the online IP of the system 40->94 96 Contains functionality to detect virtual machines (IN, VMware) 40->96 98 6 other signatures 40->98 signatures18
Score:
77%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8493010c4ae899dcc634bd726ecc4c96d469e2a0ba1d37ba8323d3c12f42a419
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8493010c4ae899dcc634bd726ecc4c96d469e2a0ba1d37ba8323d3c12f42a419/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-07-20 09:37:07 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qsjqcdck5cm5zrruxvzg5tcms3kgtyvaxiotpoudepj4cl2cuqmq._file
Result
Malware family:
fatalrat
Create hunting rule
Score:
  10/10
Tags:
family:fatalrat aspackv2 evasion infostealer persistence rat trojan upx
Link:
https://tria.ge/reports/240720-lkxn4szdqc/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
ASPack v2.12-2.42
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
Fatal Rat payload
FatalRat
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2cf046b9-4571-4175-a6af-5c94bac56978
Unpacked files
SH256 hash:
bb0d10639b115283b48225473b5499d4b5abf509f2eadc299f1604048311dc5b
MD5 hash:
71ac0e312d2756360d001cf0fbc6233a
SHA1 hash:
e681293f4801a6de47a42380cf0511404b132bc5
Link:
https://www.unpac.me/results/36448472-756d-4a6e-8d93-97c5ae0442e6/
SH256 hash:
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
MD5 hash:
523d5c39f9d8d2375c3df68251fa2249
SHA1 hash:
d4ed365c44bec9246fc1a65a32a7791792647a10
Link:
https://www.unpac.me/results/36448472-756d-4a6e-8d93-97c5ae0442e6/
SH256 hash:
4edad2fdc2803f62faa1489cd90e61a2b67d9383fe7bf43d8afbb92e772cefb3
MD5 hash:
debadba81b518ece6387505165a4eda4
SHA1 hash:
573ac8c4ba166dbf3e7fa73841199409485289ba
Link:
https://www.unpac.me/results/36448472-756d-4a6e-8d93-97c5ae0442e6/
SH256 hash:
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360
MD5 hash:
d22cfb5bfaeb1503b12b07e53ef0a149
SHA1 hash:
8ea2c85e363f551a159fabd65377affed4e417a1
Link:
https://www.unpac.me/results/36448472-756d-4a6e-8d93-97c5ae0442e6/
SH256 hash:
01ef0d37701f46f5d788a07dfd8323f4a675e15711582655cab2130c7006ec04
MD5 hash:
d8cec8c6175c36aa412096745fa4f402
SHA1 hash:
934c5ef76e290cbf4f53aec136e7af5c5927a8ec
Link:
https://www.unpac.me/results/36448472-756d-4a6e-8d93-97c5ae0442e6/
SH256 hash:
69f404aff3688fb4224540330e88a1fe0d244e2bca7a99b5a8e1dc88f7345704
MD5 hash:
c4a29c7f73cf69486b8f6d20d101bba7
SHA1 hash:
38d14c59618395204143f569700a65c6b0a4a719
Link:
https://www.unpac.me/results/36448472-756d-4a6e-8d93-97c5ae0442e6/
SH256 hash:
d1093a47a39980c8f826a0eca79e3bf4cf68e82d6ec37456c647367c70ee5aef
MD5 hash:
db52f54569ecd8ce96a1526ccc674af1
SHA1 hash:
dc70830081e256fa0459097f2cf8077094d631fa
Link:
https://www.unpac.me/results/36448472-756d-4a6e-8d93-97c5ae0442e6/
SH256 hash:
02c1f0772fd921a158925c6f727d812a243197c12d7d3d010f22d801ba84acf9
MD5 hash:
025523492a698abe3eaed965fad9514a
SHA1 hash:
79993dd2521b50cdbd68a115517ab0a1c918b23f
Link:
https://www.unpac.me/results/36448472-756d-4a6e-8d93-97c5ae0442e6/
SH256 hash:
db5a4613d1fb4f7c486b514709a444ef5f2c72cc55e6186f4a890064e81a8673
MD5 hash:
122f42efd7f89f2e26eb7242074bfec1
SHA1 hash:
627419675b9a9eef38bc9f4bc784b68d6b1ba9c6
Detections:
Chinese_Hacktool_1014
Create hunting rule
Link:
https://www.unpac.me/results/36448472-756d-4a6e-8d93-97c5ae0442e6/
SH256 hash:
8493010c4ae899dcc634bd726ecc4c96d469e2a0ba1d37ba8323d3c12f42a419
MD5 hash:
982df76237c9ff52ad1d2cda5176fbc3
SHA1 hash:
fc7b82b2c3d4d15d50244a4352dce0ff9efa8f35
Link:
https://www.unpac.me/results/36448472-756d-4a6e-8d93-97c5ae0442e6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8493010c4ae899dcc634bd726ecc4c96d469e2a0ba1d37ba8323d3c12f42a419

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::FreeSid
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments