A Detailed Analysis of Lazarus’ RAT Called FALLCHILL
2021-09-07 • Lifars
Attachments: Lazarus.pdf (13 MB)
LIFARS analyzed FALLCHILL, a Lazarus Group remote access Trojan in use since at least 2016. The sample decrypts its runtime strings with XOR and a hard-coded RC4 key, resolves DLL and API names dynamically at runtime, and builds a victim ID from the OS version, MAC address, hostname, and local IP address. The report identifies C2 servers at 175.100.189.174 and 125.212.132.222 and documents broad use of Windows APIs for process, file, registry, service, networking, and system-discovery operations.
Related Reports
2021-10-07 • Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections • Kaspersky