fatalrat | 6c3540f243e789505d3bcf5e19185b81fc558c626db3d4a4d9affab89df0d444 | Triage

Submit
Reports

Overview

overview

Static

static

7

6c3540f243...44.exe

windows7-x64

9

6c3540f243...44.exe

windows10-2004-x64

Sharing

General

Target

6c3540f243e789505d3bcf5e19185b81fc558c626db3d4a4d9affab89df0d444
Size

5.8MB
Sample

231123-fpjedsgh7z
MD5

fc4cd218208f7901d5c462ecd066c57b
SHA1

12fa7c06eefd67ef3bf1e4c4fd12ab80ddddc6b9
SHA256

6c3540f243e789505d3bcf5e19185b81fc558c626db3d4a4d9affab89df0d444
SHA512

7ad501d74a98c5b3c10cae6405dcabcc2242d16263632f637ee2238f4d7dfe5dd9b8a862735525da2d613e3de874dfa69e1a729329560502140954a4bb2567fa
SSDEEP

98304:yQ8ek0Yyc89jX5kvGdxMrG7gGEGT4PWBZsSneAJ:y9NP8h5YN/iHn

Score

10^/10

fatalrat evasion infostealer persistence rat vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

6c3540f243e789505d3bcf5e19185b81fc558c626db3d4a4d9affab89df0d444.exe

Resource

win7-20231025-en

evasion persistence vmprotect

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

6c3540f243e789505d3bcf5e19185b81fc558c626db3d4a4d9affab89df0d444.exe

Resource

win10v2004-20231023-en

fatalrat evasion infostealer persistence rat vmprotect

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  6c3540f243e789505d3bcf5e19185b81fc558c626db3d4a4d9affab89df0d444
- Size
  
  5.8MB
- MD5
  
  fc4cd218208f7901d5c462ecd066c57b
- SHA1
  
  12fa7c06eefd67ef3bf1e4c4fd12ab80ddddc6b9
- SHA256
  
  6c3540f243e789505d3bcf5e19185b81fc558c626db3d4a4d9affab89df0d444
- SHA512
  
  7ad501d74a98c5b3c10cae6405dcabcc2242d16263632f637ee2238f4d7dfe5dd9b8a862735525da2d613e3de874dfa69e1a729329560502140954a4bb2567fa
- SSDEEP
  
  98304:yQ8ek0Yyc89jX5kvGdxMrG7gGEGT4PWBZsSneAJ:y9NP8h5YN/iHn
Score

10^/10

evasion persistence vmprotect fatalrat infostealer rat
- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
  infostealer rat fatalrat
- Fatal Rat payload
  rat infostealer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistencevmprotect

behavioral2

fatalratevasioninfostealerpersistenceratvmprotect

© 2018-2025

Terms | Privacy