fatalrat | 291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

291e91026d...d7.dll

windows7-x64

291e91026d...d7.dll

windows10-2004-x64

Sharing

General

Target

291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7
Size

922KB
Sample

231016-hypc4sed58
MD5

22019e31ea6f7134c94358e9eb8516fe
SHA1

51673f72f119b1fc391fcb8b0780c0077aac1e13
SHA256

291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7
SHA512

20d226aec3cc06aa2d62b555d144896fc6f7d575968f02997f96875640ba51801b9fd29925dd1e3ec092870a7696c5d14c1c0303f35607aa979f40a28ccc33d4
SSDEEP

24576:pFQlHXEcOC4yQHNrJn46YoNP0jhqFRDxVgx9NbMMdh:8l3EcOJyKNl4kOj6DxoM

Score

10^/10

fatalrat evasion infostealer rat

Static task

static1

Behavioral task

behavioral1

Sample

291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7.dll

Resource

win7-20230831-en

fatalrat evasion infostealer rat

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7.dll

Resource

win10v2004-20230915-en

fatalrat evasion infostealer rat

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Targets

- Target
  
  291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7
- Size
  
  922KB
- MD5
  
  22019e31ea6f7134c94358e9eb8516fe
- SHA1
  
  51673f72f119b1fc391fcb8b0780c0077aac1e13
- SHA256
  
  291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7
- SHA512
  
  20d226aec3cc06aa2d62b555d144896fc6f7d575968f02997f96875640ba51801b9fd29925dd1e3ec092870a7696c5d14c1c0303f35607aa979f40a28ccc33d4
- SSDEEP
  
  24576:pFQlHXEcOC4yQHNrJn46YoNP0jhqFRDxVgx9NbMMdh:8l3EcOJyKNl4kOj6DxoM
Score

10^/10

fatalrat evasion infostealer rat
- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
  infostealer rat fatalrat
- Fatal Rat payload
  rat infostealer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

fatalratevasioninfostealerrat

behavioral2

fatalratevasioninfostealerrat

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.