MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00f90cda9f514832ed2e3d6c232ad0677b2bad1550719cf2a02f1988980942ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00f90cda9f514832ed2e3d6c232ad0677b2bad1550719cf2a02f1988980942ff
SHA3-384 hash: 37a64f59d3b9268d0504a1e43f2423b76ec3b3226d01284ccf2cb14071dceaefcb2172a1c8c13dc2373b26ba2e4ee377
SHA1 hash: 619e2c8bf88d90c5982b22176597ec2525a88ce1
MD5 hash: 9d60e01d9595b6c66499c8bf32c2ea65
humanhash: nine-connecticut-oregon-delta
File name:9D60E01D9595B6C66499C8BF32C2EA65.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:4'037'120 bytes
First seen:2021-09-06 22:06:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:yU2vuU2djpabFxBaSpKHm/E/QJi3WpQnoE7/AWTM7/YlnuvzKf83e:KaOFxsPH/rWpQnoEDA0+Ylnb8
TLSH T1121633BE6A091F53D60311FBC15E9A8065AA9256C38AFC9FF48BA40651D63C3F137C4E
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
203.159.80.18:6841

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
203.159.80.18:6841 https://threatfox.abuse.ch/ioc/216754/

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9D60E01D9595B6C66499C8BF32C2EA65.exe
Verdict:
No threats detected
Analysis date:
2021-09-06 22:16:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4c416597-052d-4884-ba29-809b2ee36d00

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185731/
Detection(s):
SecuriteInfo.com.BackDoor.Wirenet.557.15561.28487.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Deleting a recently created file
Changing a file
Creating a file
Sending a UDP request
Creating a file in the Windows subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Launching a process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c053a039-c00e-4ab2-94f0-b507c52a6ce5
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/846128
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 478559 Sample: p7qsMlfWjt.exe Startdate: 07/09/2021 Architecture: WINDOWS Score: 84 16 203.159.80.18 LOVESERVERSGB Netherlands 2->16 18 Found malware configuration 2->18 20 Multi AV Scanner detection for submitted file 2->20 22 Yara detected BitRAT 2->22 24 4 other signatures 2->24 7 p7qsMlfWjt.exe 8 2->7         started        signatures3 process4 process5 9 WerFault.exe 23 9 7->9         started        12 WerFault.exe 7->12         started        file6 14 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 9->14 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00f90cda9f514832ed2e3d6c232ad0677b2bad1550719cf2a02f1988980942ff/
Threat name:
ByteCode-MSIL.Trojan.NetWired
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 16:49:59 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ad4qzwu7kfedf3johvwcgkwqm55sxlivkbyzz4vaf4myrgajil7q._file
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:bitrat family:raccoon botnet:f1c2d75e5b93139df970b89de62c480786fcb755 discovery spyware stealer suricata trojan
Link:
https://tria.ge/reports/210906-11mleaefhk/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
BitRAT
BitRAT Payload
Raccoon
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Unpacked files
SH256 hash:
6f4e0045646d06687f832efb5cbc784bae6a4a1af42fa43cd76bd156c3e1abe2
MD5 hash:
c110c860d830fd2fe1eff55f18cf4263
SHA1 hash:
5cb28d1dd0bdcb67e37e21098ccf2ad9d9669552
Link:
https://www.unpac.me/results/1c2cde72-1ac6-45f2-a31f-f57d30133ea0/
SH256 hash:
5e1b14571782400fb1b9b0c8dddadde0cfe7f40a0827d8ab28dfe5414aa36863
MD5 hash:
a2ffd2325628a8de9ee09ab1ff788e63
SHA1 hash:
2e5fbd48b94c35423891813d265012f051914fb7
Link:
https://www.unpac.me/results/1c2cde72-1ac6-45f2-a31f-f57d30133ea0/
SH256 hash:
dff77567e77fb1fc95fb29a971fb6a6bd8c9b0fddd45328634d98ecd865ed1cf
MD5 hash:
82f82ee7ea7cc9905942913e34fc9559
SHA1 hash:
1b49e6d4efba70b64eb183ea0e03788dd7a27a02
Link:
https://www.unpac.me/results/1c2cde72-1ac6-45f2-a31f-f57d30133ea0/
SH256 hash:
00f90cda9f514832ed2e3d6c232ad0677b2bad1550719cf2a02f1988980942ff
MD5 hash:
9d60e01d9595b6c66499c8bf32c2ea65
SHA1 hash:
619e2c8bf88d90c5982b22176597ec2525a88ce1
Link:
https://www.unpac.me/results/1c2cde72-1ac6-45f2-a31f-f57d30133ea0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/00f90cda9f51/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00f90cda9f514832ed2e3d6c232ad0677b2bad1550719cf2a02f1988980942ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185731/

Comments