Overview

overview

10

Static

static

3

2025-03-03...uk.exe

windows7-x64

10

2025-03-03...uk.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-03-03_a69273e15f761f1aba60604ae7823581_hijackloader_ryuk

  • Size

    20.2MB

  • Sample

    250303-l23axsvwcx

  • MD5

    a69273e15f761f1aba60604ae7823581

  • SHA1

    f7a5fbb131ac38592208f534bb45d5927ef33bd1

  • SHA256

    361d4971fb5d11daf62336bbf8427a17c4e1b6c7b33db0c82037d34cc9ae07b8

  • SHA512

    84b4b62eca8d781d29bf21f519356460346d75a6998130ef88d23e69de6dea1a6d92df9dd2b2625261520ad3c5f8479c0d4637ce29900548e6e6bea2c8f15ede

  • SSDEEP

    196608:oatpgF2oM7Vk96Cy8xEqn0SweKG8PvMTnsOTLkE:9tpgF2oM7Vk96Cy8xEqn0MlAvYnsO3J

Score
10/10
fatalratgh0stratdefense_evasiondiscoveryexecutioninfostealerpersistenceratstealertrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://baba-1336130708.cos.ap-tokyo.myqcloud.com/as.exe

Targets

    • Target

      2025-03-03_a69273e15f761f1aba60604ae7823581_hijackloader_ryuk

    • Size

      20.2MB

    • MD5

      a69273e15f761f1aba60604ae7823581

    • SHA1

      f7a5fbb131ac38592208f534bb45d5927ef33bd1

    • SHA256

      361d4971fb5d11daf62336bbf8427a17c4e1b6c7b33db0c82037d34cc9ae07b8

    • SHA512

      84b4b62eca8d781d29bf21f519356460346d75a6998130ef88d23e69de6dea1a6d92df9dd2b2625261520ad3c5f8479c0d4637ce29900548e6e6bea2c8f15ede

    • SSDEEP

      196608:oatpgF2oM7Vk96Cy8xEqn0SweKG8PvMTnsOTLkE:9tpgF2oM7Vk96Cy8xEqn0MlAvYnsO3J

    Score
    10/10
    fatalratgh0stratdefense_evasiondiscoveryexecutioninfostealerpersistenceratstealertrojanupx

    • FatalRat

      FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

      stealertrojanfatalrat

    • Fatalrat family

      fatalrat

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Gh0strat family

      gh0strat

    • UAC bypass

      defense_evasiontrojan

    • Fatal Rat payload

      ratinfostealer

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks