fatalrat | 250307-n6gk5a1d9x_pw_infected[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

250307-n6gk5a1d9x_pw_infected.zip
Size

84KB
MD5

b18d042e9a334f82a7100960631a62cf
SHA1

ce20df9798018a6b2a8b09358ee047bb8418188b
SHA256

fb4d9a8257be9211f70d8dff176e67daca2e95ba7f0822e27d8503b9ab448e16
SHA512

8ace13b8871d34a87cc2e233ef0ef4ff5714e56d4beeb67799c37c56997a0dea26d60148223acbe2bedfb1dd55edd19c306efb7c7db37f2fd9d468704918954d
SSDEEP

1536:DIek/4FfkTKXK1EsHiPnJ/2P+MdWiG2iXSSTd0Nx4dKXLoSEKY6NiWVSwFbM+kIz:EvOfkTKausHiPnRMdW0YTd0Nb7YIXVS2

Score

10^/10

rat infostealer fatalrat

Malware Config

Signatures

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
static1/unpack001/4609f46c7a9f8fe01fe05eca4cde987e28f68fd9651de113ec87c4e6b03b52c9	fatalrat

Fatalrat family
fatalrat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/4609f46c7a9f8fe01fe05eca4cde987e28f68fd9651de113ec87c4e6b03b52c9

Files

250307-n6gk5a1d9x_pw_infected.zip
.zip

Password: infected
4609f46c7a9f8fe01fe05eca4cde987e28f68fd9651de113ec87c4e6b03b52c9
.dll windows:4 windows x86 arch:x86

3e8c1ec958a972a1a0bfec550b558755

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

VirtualProtect
Process32Next
Process32First
OutputDebugStringA
Sleep
SetThreadExecutionState
GetLocalTime
CreateDirectoryA
GetLastError
lstrlenA
FreeLibrary
GetTickCount
CloseHandle
CreateToolhelp32Snapshot
GetCurrentProcess
CreateRemoteThread
WriteProcessMemory
VirtualAllocEx
GetModuleFileNameA
OpenProcess
WinExec
GetExitCodeThread
SetPriorityClass
GetCurrentProcessId
CreateThread
WriteFile
SetFilePointer
GetFileSize
ExitProcess
WideCharToMultiByte
FormatMessageA
HeapFree
HeapAlloc
GetProcessHeap
lstrcpyA
CreateProcessA
lstrcatA
RemoveDirectoryA
GetCurrentDirectoryA
MultiByteToWideChar
Beep
CopyFileA
lstrcmpA
ReadFile
GetModuleHandleA
GlobalMemoryStatusEx
lstrcmpiA
SystemTimeToFileTime
LocalFileTimeToFileTime
GetFileAttributesA
SetFileTime
FileTimeToSystemTime
GetFileInformationByHandle
MapViewOfFile
CreateFileMappingA
UnmapViewOfFile
DisableThreadLibraryCalls
GetEnvironmentVariableA
FindFirstFileA
FindNextFileA
FindClose
DeviceIoControl
InterlockedDecrement
CreateFileA
InterlockedExchange
LocalAlloc
LoadLibraryA
GetProcAddress
LocalReAlloc
LocalSize
LocalFree
lstrlenW
VirtualFree

user32

GetWindowRect
MoveWindow
GetDlgCtrlID
ShowWindow
GetClassNameA
SwapMouseButton
GetLastInputInfo
GetDesktopWindow
wsprintfA
GetSystemMetrics
ChangeDisplaySettingsA
PostMessageA
FindWindowA
GetWindow
FindWindowExA
GetWindowTextA
GetKeyState
GetAsyncKeyState
GetForegroundWindow
SendMessageA
OpenClipboard

advapi32

RegCloseKey
RegQueryValueExA
RegOpenKeyExA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
CloseEventLog
ClearEventLogA
OpenEventLogA
RegDeleteValueA
RegQueryValueA
GetUserNameA
RegSetValueExA
RegCreateKeyExA
EnumServicesStatusA

shell32

ShellExecuteExA
SHChangeNotify

ole32

CoInitializeSecurity
CoInitializeEx
CoSetProxyBlanket
CoUninitialize
CoInitialize
CoCreateInstance

oleaut32

VariantClear
SysAllocString
SysFreeString

mfc42

ord535
ord539
ord5710
ord800
ord939
ord2770
ord356
ord5572
ord537
ord4202
ord924
ord926
ord1140
ord540
ord1980
ord5583
ord3181
ord4058
ord2781
ord668
ord823
ord825

msvcrt

_strcmpi
_mbsnbcpy
_strupr
_adjust_fdiv
_initterm
_onexit
memcpy
ceil
_ftol
__CxxFrameHandler
strcpy
memcmp
_CxxThrowException
strstr
malloc
_except_handler3
_stricmp
_access
_local_unwind2
memset
strcat
strcmp
_mbscmp
printf
rand
strncpy
strrchr
system
memmove
strchr
sprintf
realloc
free
_beginthreadex
fclose
fprintf
fopen
calloc
strlen
_mbsstr
_mbsicmp
srand
??1type_info@@UAE@XZ
__dllonexit

shlwapi

SHSetValueA
PathRemoveFileSpecA
PathStripToRootA

msvcp60

??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z
??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
?at@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z
?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ
??A?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAGI@Z
?append@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IG@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z
?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ
??0Init@ios_base@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??1_Winit@std@@QAE@XZ

winmm

mciSendStringA

iphlpapi

GetInterfaceInfo
IpRenewAddress
IpReleaseAddress

wininet

InternetOpenUrlA
InternetCloseHandle
InternetOpenA
InternetReadFile
InternetQueryDataAvailable

ws2_32

WSACleanup
inet_addr
inet_ntoa
gethostbyname
WSAStartup
gethostname

Exports

Exports

SVP7

Sections

.text
Size: 101KB - Virtual size: 101KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 15KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

3e8c1ec958a972a1a0bfec550b558755

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

oleaut32

mfc42

msvcrt

shlwapi

msvcp60

winmm

iphlpapi

wininet

ws2_32

Exports

Exports

Sections

.text Size: 101KB - Virtual size: 101KB

.rdata Size: 29KB - Virtual size: 28KB

.data Size: 15KB - Virtual size: 17KB

.reloc Size: 7KB - Virtual size: 6KB

.text
Size: 101KB - Virtual size: 101KB

.rdata
Size: 29KB - Virtual size: 28KB

.data
Size: 15KB - Virtual size: 17KB

.reloc
Size: 7KB - Virtual size: 6KB