General
-
Target
kousaka.7z
-
Size
116.4MB
-
Sample
230630-alfansge61
-
MD5
54258b41e5314442e9f0b355c0801082
-
SHA1
4a155bca6e21c9cead20b0c7062fd50ebc8020a0
-
SHA256
aa3f58f228d9d0ef44417c33aa03e3d3c7b3cfde67c0db70a9d21fb8b5cb981c
-
SHA512
c156706f453de53fdf28a2101229088554ca3ef7b9d7ee20cf8d8c0e1ecb596d14282e9013337a639549ff85c9c3933c11b6e593ecc0e088b9a11bc786824cee
-
SSDEEP
3145728:MlsvVEvkxWLm43txGzcNM7eok/nNywDYl7ZysXmPjH:8KxWLmGtxGoNgeL/NUhMsX+
Malware Config
Targets
-
-
Target
06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
-
Size
44.9MB
-
MD5
66a1e1458b9790758f8b985ffb582383
-
SHA1
670d1185dad515b8b963717b249da3641f8c9b14
-
SHA256
06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787
-
SHA512
3d1a20ff2f5584e14e10cf2d4cd8aefeeec9335cf1308c5d91d1bcb576a8598247f006d2112833c2f5d36fce88b2cdef726c20f6ca95de31a0c13b822afd5ca1
-
SSDEEP
786432:tKatKpswghEMxrpw+en0PYisnDpCf4YiHfaVC4JL4DJvuk7RuPq0yUkmSH592gU2:tXs2r3gVnYiHAC41e5uuRuPK1H59G8px
Score10/10-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe
-
Size
39.1MB
-
MD5
c12ef4a309a821b55acd077a9a64a397
-
SHA1
e3f9a27437121c58cb35291ab5dfefae83e9319d
-
SHA256
2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6
-
SHA512
ea820e5048a7bb3670cf5433cf3acb084373f5a8ec225ba84aac5ec06dabaf0c9c96f37b2e2de8342dacd9d0106f594bb2876ac27952c8b49d9332911b376902
-
SSDEEP
786432:9OHnlxUFm6/c37hhtPOmN+FjEaQ9I73VecYiSLzufVcxQwf0ZTTFRp66Q:Mx4ChLOZloI73zSLzSVS0Z3Dp66Q
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
-
-
Target
8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe
-
Size
38.6MB
-
MD5
b0cce809fe88b73d7532373911c23bd0
-
SHA1
c50f7fd9bb65dcd350909e367865ebe9bff894ff
-
SHA256
8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf
-
SHA512
3ab841cdce17bc666e246fa61065eeda5f8c8d95d93045dac2036e566b8d708dd5119f16640a8dfc2f63d386d7d09ea0bd6b697642f67de5aae47a849daea33f
-
SSDEEP
786432:yC4PWjsUxcIIKD+0XXeWkePNwmALcekMhu9D+0h7lvWZ3gqL/xR5lQzzLE:yCcUOIIKD+YOWRPNwNTd6+wlvKVL/das
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-