fatalrat | 9801b373a5ce4c24e1d60f429cb22f7fb3806b4a84d54f5ad18a3a26ec918c68 | Triage

Submit
Reports

Overview

overview

Static

static

1

Todesk-x64.msi

windows10-2004-x64

Sharing

General

Target

Todesk-x64.msi
Size

100.3MB
Sample

230725-d81rnsab84
MD5

c6688985a839ddbedfcde13596a5e3bf
SHA1

eb0492b6d0cf3660a39af2309e7c7b1647868be1
SHA256

9801b373a5ce4c24e1d60f429cb22f7fb3806b4a84d54f5ad18a3a26ec918c68
SHA512

fe9246821f5532143ebe587305db5533c3212d2e1a3b64aa16bb2948c0eea7fc29a88d8e69a4550be2dccb78baf26feaa87c89285896bf944b5a4f71da25d943
SSDEEP

3145728:hxc9Ksu9VWfhFcMiY0IapT6UE7MNQ0mByg6:h6G3GFc60IaYUoaQX

Score

10^/10

fatalrat gh0strat infostealer rat upx vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

Todesk-x64.msi

Resource

win10v2004-20230703-en

fatalrat gh0strat infostealer rat upx vmprotect

windows10-2004-x64

26 signatures

600 seconds

Malware Config

Targets

- Target
  
  Todesk-x64.msi
- Size
  
  100.3MB
- MD5
  
  c6688985a839ddbedfcde13596a5e3bf
- SHA1
  
  eb0492b6d0cf3660a39af2309e7c7b1647868be1
- SHA256
  
  9801b373a5ce4c24e1d60f429cb22f7fb3806b4a84d54f5ad18a3a26ec918c68
- SHA512
  
  fe9246821f5532143ebe587305db5533c3212d2e1a3b64aa16bb2948c0eea7fc29a88d8e69a4550be2dccb78baf26feaa87c89285896bf944b5a4f71da25d943
- SSDEEP
  
  3145728:hxc9Ksu9VWfhFcMiY0IapT6UE7MNQ0mByg6:h6G3GFc60IaYUoaQX
Score

10^/10

fatalrat gh0strat infostealer rat upx vmprotect
- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
  infostealer rat fatalrat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Fatal Rat payload
  rat infostealer
- Downloads MZ/PE file
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

fatalratgh0stratinfostealerratupxvmprotect

© 2018-2025

Terms | Privacy