SVP7
Behavioral task
behavioral1
Sample
a996e4c18ae4c4563db0767cb230b24279daeb3f62ee62b061d2ee076d81bdfd.dll
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
a996e4c18ae4c4563db0767cb230b24279daeb3f62ee62b061d2ee076d81bdfd.dll
Resource
win10v2004-20250314-en
General
-
Target
250307-n6hhesvkwz_pw_infected.zip
-
Size
56KB
-
MD5
3c74836383b60b35f14b96e5cd9a7907
-
SHA1
6897bcd06aed28504ceac7523f84b1661a19cedc
-
SHA256
23defe413fbe2444aa1254c91c86b49e58d30d37782869afd5f306311236475a
-
SHA512
5124aaf0543dca133aa5d211f51feb50dfdf96871ac5b9dde103a8f6e93e3a4107f95eeda10bce27af1ee83c0ea95765f99f77dc84b3fc50fef98965a70522b6
-
SSDEEP
1536:6EDp/8efXOCMQVxM0UYGb71rGXzcdnglAR6MFQ83I5sIgCGHWv:TDd8efeCMQBUYGPFacJglARDa83I5Qw
Malware Config
Extracted
fatalrat
45.195.148.58
Signatures
-
Fatal Rat payload 1 IoCs
resource yara_rule static1/unpack001/a996e4c18ae4c4563db0767cb230b24279daeb3f62ee62b061d2ee076d81bdfd fatalrat -
Fatalrat family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource unpack001/a996e4c18ae4c4563db0767cb230b24279daeb3f62ee62b061d2ee076d81bdfd
Files
-
250307-n6hhesvkwz_pw_infected.zip.zip
Password: infected
-
a996e4c18ae4c4563db0767cb230b24279daeb3f62ee62b061d2ee076d81bdfd.dll windows:4 windows x86 arch:x86
Password: infected
15ff780ad959cc7132e95a50ed9bfe0e
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
Imports
kernel32
VirtualProtect
Process32Next
Process32First
OutputDebugStringA
Sleep
SetThreadExecutionState
GetLocalTime
CreateDirectoryA
GetLastError
lstrlenA
FreeLibrary
GetTickCount
CloseHandle
CreateToolhelp32Snapshot
GetCurrentProcess
CreateRemoteThread
WriteProcessMemory
VirtualAllocEx
GetModuleFileNameA
OpenProcess
WinExec
GetExitCodeThread
SetPriorityClass
ExitProcess
CreateThread
WriteFile
SetFilePointer
GetFileSize
lstrcpyA
CreateProcessA
lstrcatA
RemoveDirectoryA
Beep
CopyFileA
lstrcmpA
ReadFile
GetModuleHandleA
GlobalMemoryStatusEx
HeapAlloc
GetProcessHeap
HeapFree
lstrcmpiA
GetEnvironmentVariableA
FindFirstFileA
MultiByteToWideChar
DisableThreadLibraryCalls
FindNextFileA
FindClose
DeviceIoControl
InterlockedDecrement
CreateFileA
InterlockedExchange
LocalAlloc
LoadLibraryA
GetProcAddress
LocalReAlloc
LocalSize
LocalFree
GetCurrentProcessId
VirtualFree
user32
MessageBoxA
GetLastInputInfo
GetWindow
GetClassNameA
ShowWindow
SendMessageA
MoveWindow
GetWindowRect
SwapMouseButton
PostMessageA
FindWindowA
FindWindowExA
GetDlgCtrlID
OpenClipboard
wsprintfA
GetSystemMetrics
GetWindowTextA
GetForegroundWindow
GetKeyState
GetAsyncKeyState
ChangeDisplaySettingsA
advapi32
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
CloseEventLog
ClearEventLogA
OpenEventLogA
RegDeleteValueA
RegQueryValueA
GetUserNameA
RegSetValueExA
RegCreateKeyExA
EnumServicesStatusA
shell32
ShellExecuteExA
SHChangeNotify
ole32
CoInitializeEx
CoInitialize
CoCreateInstance
CoInitializeSecurity
CoSetProxyBlanket
CoUninitialize
oleaut32
SysFreeString
VariantClear
SysAllocString
mfc42
ord800
ord823
ord537
ord4202
ord924
ord926
ord1140
ord540
ord668
ord1980
ord5583
ord3181
ord4058
ord2781
ord2770
ord356
ord5572
ord825
msvcrt
fclose
fprintf
fopen
??1type_info@@UAE@XZ
__dllonexit
_onexit
_initterm
_adjust_fdiv
_strupr
_strcmpi
_beginthreadex
memcpy
ceil
_ftol
__CxxFrameHandler
strcpy
memcmp
_CxxThrowException
strstr
malloc
_except_handler3
_stricmp
_access
_local_unwind2
memset
strcat
strcmp
rand
strncpy
strrchr
_mbscmp
system
memmove
strchr
printf
sprintf
realloc
free
shlwapi
PathStripToRootA
SHSetValueA
msvcp60
??1Init@ios_base@std@@QAE@XZ
??0Init@ios_base@std@@QAE@XZ
?at@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
??0_Winit@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
winmm
mciSendStringA
wininet
InternetOpenA
InternetQueryDataAvailable
InternetReadFile
InternetOpenUrlA
InternetCloseHandle
ws2_32
inet_addr
WSAStartup
gethostbyname
inet_ntoa
gethostname
WSACleanup
Exports
Exports
Sections
.text Size: 68KB - Virtual size: 68KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 20KB - Virtual size: 20KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 16KB - Virtual size: 16KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ