MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9caa90fe0216c66dc29e3049b126643d2a8c68f68663fba2da70a2d9c29d5c49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FatalRAT


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9caa90fe0216c66dc29e3049b126643d2a8c68f68663fba2da70a2d9c29d5c49
SHA3-384 hash: afcd6932719914154e38c33e9d36d68d385e173852152c19abd929d926115c0f3ef86d349b8c3457fab2730419e590a8
SHA1 hash: 5d28e0cbf6d81394029d2cec5ed45c67f2875693
MD5 hash: 199dd0a3367f4a7213d17ad6ab1983f7
humanhash: uniform-venus-mars-nine
File name:9caa90fe0216c66dc29e3049b126643d2a8c68f68663f.exe
Download: download sample
Signature FatalRAT
Create hunting rule
File size:5'281'792 bytes
First seen:2025-07-29 15:05:47 UTC
Last seen:2025-09-17 07:16:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4438a88fe236bfa808992f2adb1a4a4c (1 x FatalRAT)
ssdeep 98304:mcf1Gvh8Ru+otx3Zi6rjkCmX40ZlGtYYW:rGvhF+ojZ/UbUYYW
TLSH T18D3629F32394B7E0E46F21F8B514B43698DEE2995D840B6ED3C4D40734A6B29E5CEAD0
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter abuse_ch
Tags:exe FatalRAT longlq-cl


Avatar
abuse_ch
FatalRAT C2:
206.233.130.82:8081

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
206.233.130.82:8081 https://threatfox.abuse.ch/ioc/1562041/

Intelligence

File Origin
# of uploads :
2
# of downloads :
29
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
fatalrat
Create hunting rule
ID:
1
File name:
9caa90fe0216c66dc29e3049b126643d2a8c68f68663fba2da70a2d9c29d5c49.exe
Verdict:
Malicious activity
Analysis date:
2025-07-29 11:39:59 UTC
Tags:
auto-startup susp-lnk arch-exec fatalrat rat
Link:
https://app.any.run/tasks/4949b719-1f1c-4980-80cd-6cb13d3a9565

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
FatalRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/17586/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6888b30daf3050dc8d320b0c
Tags:
autorun emotet madi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Enabling the 'hidden' option for recently created files
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Connection attempt
Searching for synchronization primitives
Searching for the window
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/9caa90fe0216c66dc29e3049b126643d2a8c68f68663fba2da70a2d9c29d5c49
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6ffa11a2-ca27-4ee8-9967-7bb8a5ca1f03
Result
Threat name:
FatalRAT, GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1746420
Signature
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to determine the online IP of the system
Contains functionality to infect the boot sector
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Detected unpacking (creates a PE file in dynamic memory)
Found stalling execution ending in API Sleep call
Found suspicious ZIP file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Suricata IDS alerts for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected FatalRAT
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9caa90fe0216c66dc29e3049b126643d2a8c68f68663fba2da70a2d9c29d5c49
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9caa90fe0216c66dc29e3049b126643d2a8c68f68663fba2da70a2d9c29d5c49/
Verdict:
Malicious
Threat:
Trojan.Antavmu.TCP
Link:
https://tip.neiki.dev/file/9caa90fe0216c66dc29e3049b126643d2a8c68f68663fba2da70a2d9c29d5c49
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2025-07-29 10:30:10 UTC
File Type:
PE (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tsvjb7qcc3dg3qu6gbe3cjtehuviy2hwqzr7xiw2ocrntqu5lreq._file
Result
Malware family:
fatalrat
Create hunting rule
Score:
  10/10
Tags:
family:fatalrat discovery infostealer rat stealer trojan
Link:
https://tria.ge/reports/250729-sgzsmahr2y/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in System32 directory
Drops startup file
Executes dropped EXE
Loads dropped DLL
Fatal Rat payload
FatalRat
Fatalrat family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/827a2994-976f-4356-8c7a-dda6e5a19a68
Unpacked files
SH256 hash:
9caa90fe0216c66dc29e3049b126643d2a8c68f68663fba2da70a2d9c29d5c49
MD5 hash:
199dd0a3367f4a7213d17ad6ab1983f7
SHA1 hash:
5d28e0cbf6d81394029d2cec5ed45c67f2875693
Link:
https://www.unpac.me/results/575ecec9-708f-4e2c-9b0d-6de1a6d3cc0b/
SH256 hash:
0ddcfa247c71e506be25f64ba7f846a91b6bec9a2aac63839f151eeb1a0d5cce
MD5 hash:
abf40226cd3c2ab82cf24b5cd5d34af2
SHA1 hash:
0ca5c0ebc3f125c57f83e6e256abdb087b82cd65
Link:
https://www.unpac.me/results/575ecec9-708f-4e2c-9b0d-6de1a6d3cc0b/
SH256 hash:
2a0aaa8da20fe5106ecec3fdf69f2109439b683338e048e754059cb569f82c1d
MD5 hash:
3799a281a99404220d9b9b115288f9c9
SHA1 hash:
30a1be4261ebcaefa1fc2008a34baa804ccc6ef7
Link:
https://www.unpac.me/results/575ecec9-708f-4e2c-9b0d-6de1a6d3cc0b/
SH256 hash:
7505aeb80bcf0700d015cac74abebeb807396be592d197a776f4b2761c86a0ef
MD5 hash:
015e33c593a248448b552ac7cd2e18a1
SHA1 hash:
a0553da8898afcbcff18e7d143eebac076194a39
Link:
https://www.unpac.me/results/575ecec9-708f-4e2c-9b0d-6de1a6d3cc0b/
SH256 hash:
c50d191d0e79ae6b60559b1f1b7bf2ea85dbb88d28e5760d35f009d2fd068b21
MD5 hash:
5e79f16f5c9b2d477de00b08a81b8d4a
SHA1 hash:
b10e2df531003fcccfbc2fe0d0fecdc9fad62667
Detections:
win_fatal_rat_w0
Create hunting rule
win_younglotus_g0
Create hunting rule
win_fatal_rat_auto
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
MALWARE_Win_FatalRAT
Create hunting rule
Link:
https://www.unpac.me/results/575ecec9-708f-4e2c-9b0d-6de1a6d3cc0b/
Parent samples :
41739bfb9518c5de588152c8090911bf2be7677794d97ff50a7642276752f7c5
8d5f0150d9529fe33d1bae3c8891fa46556782c0d9269215bc8ad672e178a902
252f62fd53af829b188afc11bd2215d0d7793bf3cf0f44c3ac9bb5cb9d5fa2b4
72ea59962c5ac7200d317104a55a6a09d657d3f6c224c963ae380ff39941f04c
9caa90fe0216c66dc29e3049b126643d2a8c68f68663fba2da70a2d9c29d5c49
f735dfdc7f1a238074f0e501d8e8d823ff3a9020a4b843dda69ff3f349567d20
9d6d15a37df9799adf1e7fdbd65ab162e770fe0952c91c1ff5c91dc40f1ae659
1caacde9b1b6557c996ffe78f932ffc6ceba05ee3d095e2741df75d3a52c30b2
SH256 hash:
2c1cd0674a4643abf79a4694782d62b83d4736cb389413fccaa18d7a69fc3d22
MD5 hash:
4076b7ea2158c63db56bb2af1b7dc6bb
SHA1 hash:
dfae9aa4d8f1cbcd3bf2cbaed0751047e1fef36e
Link:
https://www.unpac.me/results/575ecec9-708f-4e2c-9b0d-6de1a6d3cc0b/
SH256 hash:
c5ba101135688bd8bf524d8d3abbdf182a1340173273d130e69bf2a24203378d
MD5 hash:
ea91d609e929da8db40e873af0badba5
SHA1 hash:
0b42c1f90363a7c19bb6dc6ed1ec150d440e138f
Link:
https://www.unpac.me/results/575ecec9-708f-4e2c-9b0d-6de1a6d3cc0b/
SH256 hash:
6aeb7a43a5f739a25bbbe25c6c662bf7c47dddf4425794f7b80dd1b471af4fd5
MD5 hash:
0731c5e3963fd5134422100426fbfc1f
SHA1 hash:
1041eda738535c094e1f5357aa49025e40e2512a
Link:
https://www.unpac.me/results/575ecec9-708f-4e2c-9b0d-6de1a6d3cc0b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9caa90fe0216c66dc29e3049b126643d2a8c68f68663fba2da70a2d9c29d5c49

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/17586/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoFreeUnusedLibraries
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryW
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::GetTempPathA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::CreateMenu
USER32.dll::CreateWindowExA

Comments