MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c7feb98fb5804f1f80dd03db1f84a06b68ea6043d2d34ab53edce82b83827b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FatalRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c7feb98fb5804f1f80dd03db1f84a06b68ea6043d2d34ab53edce82b83827b2
SHA3-384 hash: f0adaeea2955cf7ec4fd8f9612e2c902fb87c349db11e2bcb07a4b55d421f6d251895b42493beb6f943ad337895095cf
SHA1 hash: 1215872c6f7306d6ba14133eb706483f04445885
MD5 hash: dbf8b9ab8ae650d5b452240c0e9c90df
humanhash: single-butter-beryllium-uniform
File name:Perl510.dll
Download: download sample
Signature FatalRAT
Create hunting rule
File size:946'176 bytes
First seen:2022-05-21 14:56:42 UTC
Last seen:2022-05-21 15:38:22 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 6f3a6106cd96b1e06955bb6bf5243619 (1 x FatalRAT)
ssdeep 24576:dTEyH3+8Fj/jurktUU0VOluKioflDElNnk:dtbj/SrkgOlpXN+2
Threatray 12'039 similar samples on MalwareBazaar
TLSH T1D51512C9EE681136E1B305B0641755CCD9B40DE21F38C5BB43F207D6BA717B9A27A187
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter obfusor
Tags:dll FatalRAT RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Detection:
FatalRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273315/
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/6288fdce370bb1455cbae421/reports/9d01fee8-0ba9-4080-91c2-e82422eb1c78/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/988e3daf-3efb-439b-8347-71302995d5b5
Result
Threat name:
GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999094
Signature
Antivirus / Scanner detection for submitted sample
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to determine the online IP of the system
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 631589 Sample: Perl510.dll Startdate: 21/05/2022 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus / Scanner detection for submitted sample 2->35 37 5 other signatures 2->37 7 loaddll32.exe 1 2->7         started        10 rundll32.exe 2->10         started        12 rundll32.exe 2->12         started        process3 signatures4 49 Tries to evade debugger and weak emulator (self modifying code) 7->49 51 Tries to detect virtualization through RDTSC time measurements 7->51 53 Hides threads from debuggers 7->53 14 rundll32.exe 7->14         started        17 cmd.exe 1 7->17         started        19 rundll32.exe 7->19         started        process5 signatures6 55 System process connects to network (likely due to code injection or exploit) 14->55 57 Contains functionality to determine the online IP of the system 14->57 59 Performs DNS queries to domains with low reputation 14->59 63 10 other signatures 14->63 21 rundll32.exe 7 17->21         started        61 Hides threads from debuggers 19->61 process7 dnsIp8 25 16511.xyz 21->25 27 16511.xyz 180.215.221.97, 49690, 8081 BCPL-SGBGPNETGlobalASNSG Singapore 21->27 29 192.168.2.1 unknown unknown 21->29 39 System process connects to network (likely due to code injection or exploit) 21->39 41 Creates an undocumented autostart registry key 21->41 43 Creates an autostart registry key pointing to binary in C:\Windows 21->43 45 Hides threads from debuggers 21->45 signatures9 47 Performs DNS queries to domains with low reputation 25->47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c7feb98fb5804f1f80dd03db1f84a06b68ea6043d2d34ab53edce82b83827b2/
Threat name:
Win32.Trojan.Antavmu
Create hunting rule
Status:
Malicious
First seen:
2022-05-21 11:58:10 UTC
File Type:
PE (Dll)
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
18a5c872854f70b391af0696978bfb35d8ae08059971dd9eb8219f5aef40c026
FatalRAT
1e857555be92a0e4bfa8c0e5dc5b7b91a08e6daea0036e3bf23d3d3de79e495f
FatalRAT
7b483b575f88d063ec7d84405be25d5d29579133e9951e5f7b5e2b0d9632472f
FatalRAT
7c28b994aeb3a85e37225cc20bae2232f97e23f115c2a409da31f353140c631e
FatalRAT
8795836a86dc61f9fe1d4b3f798ebf3a4c1900ddac2f207f4d1f46e87b85850f
FatalRAT
887aae4c40ef5ac852dcb98c50598ae087e21ba02456b35da67365fcfa6fea9b
FatalRAT
ae0a99c5cc44699f19c5967df89e034876b214da707275a33bcf7298697ac184
FatalRAT
+ 12'029 additional samples on MalwareBazaar
Result
Malware family:
fatalrat
Create hunting rule
Score:
  10/10
Tags:
family:fatalrat infostealer persistence rat suricata
Link:
https://tria.ge/reports/220521-sbkfradaek/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Blocklisted process makes network request
Fatal Rat Payload
FatalRat
suricata: ET MALWARE FatalRAT CnC Activity
Unpacked files
SH256 hash:
a700e3b02b857953dd4140eb46636ba1f369c84e278776e74f2123e0a272cfcd
MD5 hash:
668f719204708b00b1322cdd70dfdd9d
SHA1 hash:
eb765470e7c79160b5c14583339d7486fbc1ca53
Detections:
win_fatal_rat_auto
Create hunting rule
win_fatal_rat_w0
Create hunting rule
win_younglotus_g0
Create hunting rule
Link:
https://www.unpac.me/results/8d70d0d2-7fd1-4a8a-8d3f-ec665db269be/
Parent samples :
8795836a86dc61f9fe1d4b3f798ebf3a4c1900ddac2f207f4d1f46e87b85850f
9c7feb98fb5804f1f80dd03db1f84a06b68ea6043d2d34ab53edce82b83827b2
SH256 hash:
9c7feb98fb5804f1f80dd03db1f84a06b68ea6043d2d34ab53edce82b83827b2
MD5 hash:
dbf8b9ab8ae650d5b452240c0e9c90df
SHA1 hash:
1215872c6f7306d6ba14133eb706483f04445885
Link:
https://www.unpac.me/results/8d70d0d2-7fd1-4a8a-8d3f-ec665db269be/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9c7feb98fb5804f1f80dd03db1f84a06b68ea6043d2d34ab53edce82b83827b2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273315/

Comments


Avatar
Obfusor commented on 2022-05-21 15:15:47 UTC

#Gh0stRAT