MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8795836a86dc61f9fe1d4b3f798ebf3a4c1900ddac2f207f4d1f46e87b85850f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FatalRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8795836a86dc61f9fe1d4b3f798ebf3a4c1900ddac2f207f4d1f46e87b85850f
SHA3-384 hash: af4ee9feed416d84d0f0d67a5b9925ca2724ff86e257be92c257cfe88c210ab25605c338e564c3f970e59f3843d77191
SHA1 hash: e0d623b55e5e307540d05a55fadc323d9615d3b2
MD5 hash: 55c32cb9a881b49bcc0d1b36868a3e98
humanhash: echo-uncle-glucose-mexico
File name:EduCefWarper.dll
Download: download sample
Signature FatalRAT
Create hunting rule
File size:1'126'400 bytes
First seen:2022-05-21 11:57:45 UTC
Last seen:2022-05-21 12:31:27 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 1266d081a2aded22b4f04bc05d0ae214 (1 x FatalRAT)
ssdeep 24576:t1n06KTEyH3+8Fj/jurktUU0VOluKioflDElNn:tKRtbj/SrkgOlpXN+
Threatray 12'113 similar samples on MalwareBazaar
TLSH T1A4350246EA570072E1630670607356ECDEB80EA32F34C4BB87E07BB67DB16A5963B147
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter obfusor
Tags:dll dropper FatalRAT rootkit

Intelligence

File Origin
# of uploads :
2
# of downloads :
639
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273309/
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
babar flystudio packed
Link:
https://www.filescan.io/uploads/6288d4086eb3ff326319ea4b/reports/4a1864c4-c83c-4091-8a35-033ff21d1ab8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2aa18278-1d0e-4fdd-8bfa-74f5b2270977
Result
Threat name:
GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999076
Signature
Antivirus detection for dropped file
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to determine the online IP of the system
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 631572 Sample: EduCefWarper.dll Startdate: 21/05/2022 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for dropped file 2->63 65 6 other signatures 2->65 8 loaddll32.exe 1 2->8         started        10 ApplicationFrame.exe 2 2->10         started        14 ApplicationFrame.exe 2->14         started        16 9 other processes 2->16 process3 dnsIp4 19 rundll32.exe 5 9 8->19         started        23 cmd.exe 1 8->23         started        25 rundll32.exe 6 2 8->25         started        51 C:\Users\user\...\ApplicationFrame.exe, PE32 10->51 dropped 81 Hides threads from debuggers 10->81 27 ApplicationFrame.exe 10->27         started        53 127.0.0.1 unknown unknown 16->53 55 192.168.2.1 unknown unknown 16->55 file5 signatures6 process7 file8 43 C:\Windows\SysWOW64\TestDriver.sys, PE32+ 19->43 dropped 45 C:\Windows\SysWOW64\Perl510.dll, PE32 19->45 dropped 47 C:\Users\Public\...\ApplicationFrame.exe, PE32 19->47 dropped 49 C:\Windows\SysWOW64\AAscit.exe, PE32 19->49 dropped 67 Sample is not signed and drops a device driver 19->67 29 ApplicationFrame.exe 1 19->29         started        32 rundll32.exe 5 6 23->32         started        69 Contains functionality to determine the online IP of the system 27->69 71 Contains functionality to automate explorer (e.g. start an application) 27->71 73 Contains functionality to access PhysicalDrive, possible boot sector overwrite 27->73 75 7 other signatures 27->75 signatures9 process10 file11 83 Contains functionality to determine the online IP of the system 29->83 85 Performs DNS queries to domains with low reputation 29->85 87 Found stalling execution ending in API Sleep call 29->87 89 11 other signatures 29->89 39 C:\Users\user\AppData\Local\perl510.dll, PE32 32->39 dropped 41 C:\Users\Public\Downloads\...\Perl510.dll, PE32 32->41 dropped 35 ApplicationFrame.exe 6 32->35         started        signatures12 process13 dnsIp14 57 16511.xyz 180.215.221.97, 49766, 49798, 8081 BCPL-SGBGPNETGlobalASNSG Singapore 35->57 77 Creates an undocumented autostart registry key 35->77 79 Hides threads from debuggers 35->79 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8795836a86dc61f9fe1d4b3f798ebf3a4c1900ddac2f207f4d1f46e87b85850f/
Threat name:
Win32.PUA.HsNet
Create hunting rule
Status:
Malicious
First seen:
2022-05-21 11:58:10 UTC
File Type:
PE (Dll)
Extracted files:
19
AV detection:
9 of 40 (22.50%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
18a5c872854f70b391af0696978bfb35d8ae08059971dd9eb8219f5aef40c026
FatalRAT
1e857555be92a0e4bfa8c0e5dc5b7b91a08e6daea0036e3bf23d3d3de79e495f
FatalRAT
7b483b575f88d063ec7d84405be25d5d29579133e9951e5f7b5e2b0d9632472f
FatalRAT
7c28b994aeb3a85e37225cc20bae2232f97e23f115c2a409da31f353140c631e
FatalRAT
887aae4c40ef5ac852dcb98c50598ae087e21ba02456b35da67365fcfa6fea9b
FatalRAT
ae0a99c5cc44699f19c5967df89e034876b214da707275a33bcf7298697ac184
FatalRAT
f224eb6d7d25fed68f1053c7f38fbf09e416fc55230d04a1591e97aa2144c092
FatalRAT
+ 12'103 additional samples on MalwareBazaar
Result
Malware family:
fatalrat
Create hunting rule
Score:
  10/10
Tags:
family:fatalrat infostealer persistence rat suricata
Link:
https://tria.ge/reports/220521-n456pshgej/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Sets service image path in registry
Fatal Rat Payload
FatalRat
suricata: ET MALWARE FatalRAT CnC Activity
Unpacked files
SH256 hash:
a700e3b02b857953dd4140eb46636ba1f369c84e278776e74f2123e0a272cfcd
MD5 hash:
668f719204708b00b1322cdd70dfdd9d
SHA1 hash:
eb765470e7c79160b5c14583339d7486fbc1ca53
Detections:
win_fatal_rat_auto
Create hunting rule
win_fatal_rat_w0
Create hunting rule
win_younglotus_g0
Create hunting rule
Link:
https://www.unpac.me/results/9b810c62-bd1c-4c38-9bd6-b819d68d7e41/
Parent samples :
8795836a86dc61f9fe1d4b3f798ebf3a4c1900ddac2f207f4d1f46e87b85850f
9c7feb98fb5804f1f80dd03db1f84a06b68ea6043d2d34ab53edce82b83827b2
SH256 hash:
863680107c464ed2a3c5ea4463a16f3f84cd56efdbaf70104d9ce10d0f9e6197
MD5 hash:
d7b4e4cc455521157b40758c83cd22bc
SHA1 hash:
ef99ebede0469fed3dbbc6c0f499544dfb1a87cb
Link:
https://www.unpac.me/results/9b810c62-bd1c-4c38-9bd6-b819d68d7e41/
SH256 hash:
8795836a86dc61f9fe1d4b3f798ebf3a4c1900ddac2f207f4d1f46e87b85850f
MD5 hash:
55c32cb9a881b49bcc0d1b36868a3e98
SHA1 hash:
e0d623b55e5e307540d05a55fadc323d9615d3b2
Link:
https://www.unpac.me/results/9b810c62-bd1c-4c38-9bd6-b819d68d7e41/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8795836a86dc61f9fe1d4b3f798ebf3a4c1900ddac2f207f4d1f46e87b85850f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273309/

Comments