fatalrat

General

Target

Wps.exe
Size

8.3MB
Sample

231019-sylmbsgg7z
MD5

fa05a54376d3377967e52ba78dee8ba6
SHA1

3349e0236e886f2c1e69c02eb99b6fbc242f930f
SHA256

c9cbb955c9c7c0f5b5cb4bce2b7b87b211c2ddd5eb123da663ace4bd6beb3017
SHA512

ba63752a5900d3ad1e1dcf9c00e99c6295ef9b06e2842ad2384860ace8c61458a483954e13700ff2402db58c6e3c2a759f73b5f5c69967b56fd37ded81f12953
SSDEEP

196608:6guPOGfSizC2F/LVk6jO521HC3YW4Xxqrlnbt84bYQ8RK:6gKO63zRFqKO2EwXox8E9

Score

10^/10

Malware Config

Targets

- Target
  
  Wps.exe
- Size
  
  8.3MB
- MD5
  
  fa05a54376d3377967e52ba78dee8ba6
- SHA1
  
  3349e0236e886f2c1e69c02eb99b6fbc242f930f
- SHA256
  
  c9cbb955c9c7c0f5b5cb4bce2b7b87b211c2ddd5eb123da663ace4bd6beb3017
- SHA512
  
  ba63752a5900d3ad1e1dcf9c00e99c6295ef9b06e2842ad2384860ace8c61458a483954e13700ff2402db58c6e3c2a759f73b5f5c69967b56fd37ded81f12953
- SSDEEP
  
  196608:6guPOGfSizC2F/LVk6jO521HC3YW4Xxqrlnbt84bYQ8RK:6gKO63zRFqKO2EwXox8E9
Score

10^/10

evasion persistence upx vmprotect fatalrat infostealer rat
- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
  infostealer rat fatalrat
- Fatal Rat payload
  rat infostealer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3