fatalrat | 0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a | Triage

Submit
Reports

Overview

overview

Static

static

7

0fc9b32ce3...3a.exe

windows7-x64

0fc9b32ce3...3a.exe

windows10-2004-x64

Sharing

General

Target

0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a
Size

252KB
Sample

230908-132hcafg23
MD5

e7b77f9ccca4b2438c87def415421e55
SHA1

204fd901dbdd3723e54019805edfd18dd277f3c2
SHA256

0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a
SHA512

c49c4c44dbfec33749d49ef4d4665f197c05a524bd2d69574934c575f83cfc53ce41618908e5efee844e61e62ae0e5840f0cb188dd60feb07597142f3937bdf7
SSDEEP

6144:2euZGKBb+7wacDG+lACeGD4weCPjkafVWcTKGev7Z:vu0Y+7lcC+lMV7CXk0KGeTZ

Score

10^/10

fatalrat evasion infostealer persistence rat vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe

Resource

win7-20230831-en

fatalrat evasion infostealer persistence rat vmprotect

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a.exe

Resource

win10v2004-20230831-en

fatalrat evasion infostealer persistence rat vmprotect

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a
- Size
  
  252KB
- MD5
  
  e7b77f9ccca4b2438c87def415421e55
- SHA1
  
  204fd901dbdd3723e54019805edfd18dd277f3c2
- SHA256
  
  0fc9b32ce3d413281569d019f0d9cd712224ca7d8a8a375bfea881335142093a
- SHA512
  
  c49c4c44dbfec33749d49ef4d4665f197c05a524bd2d69574934c575f83cfc53ce41618908e5efee844e61e62ae0e5840f0cb188dd60feb07597142f3937bdf7
- SSDEEP
  
  6144:2euZGKBb+7wacDG+lACeGD4weCPjkafVWcTKGev7Z:vu0Y+7lcC+lMV7CXk0KGeTZ
Score

10^/10

fatalrat evasion infostealer persistence rat vmprotect
- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
  infostealer rat fatalrat
- Fatal Rat payload
  rat infostealer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

fatalratevasioninfostealerpersistenceratvmprotect

behavioral2

fatalratevasioninfostealerpersistenceratvmprotect

© 2018-2025

Terms | Privacy