General
-
Target
美洽6.9.7.exe
-
Size
76.8MB
-
Sample
231020-mlwzmshf71
-
MD5
f906902a7970d66ec823444808fb8610
-
SHA1
e352be78393bc978041d8923f72d74b9e53c0a1d
-
SHA256
e2da625d78cd27f539bd21dbfcbf1f12c3dab7320342bc5168c8d25cf665033c
-
SHA512
992b6c0dcc8911e5f12b3b42a9c439654cc7ff5a795398da25c56419d34a1ec4361e54c8e637552e2c98c109c6379ce2f1b95994ce7c4ceebd7db45efe9af02b
-
SSDEEP
1572864:yIC/ls2gHnOvm83ucVTyy9G6nqsDuXgsj2DarbpDNny3AGtoV8:A+vWf3tVTy9ApsCerbFRywNV8
Malware Config
Targets
-
-
Target
美洽6.9.7.exe
-
Size
76.8MB
-
MD5
f906902a7970d66ec823444808fb8610
-
SHA1
e352be78393bc978041d8923f72d74b9e53c0a1d
-
SHA256
e2da625d78cd27f539bd21dbfcbf1f12c3dab7320342bc5168c8d25cf665033c
-
SHA512
992b6c0dcc8911e5f12b3b42a9c439654cc7ff5a795398da25c56419d34a1ec4361e54c8e637552e2c98c109c6379ce2f1b95994ce7c4ceebd7db45efe9af02b
-
SSDEEP
1572864:yIC/ls2gHnOvm83ucVTyy9G6nqsDuXgsj2DarbpDNny3AGtoV8:A+vWf3tVTy9ApsCerbFRywNV8
Score10/10-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Fatal Rat payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-