MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00fca5381ec94c0e1901a3fa10fb5d38e73c06af17df98af463e3a4393246685. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 8

Intelligence 8 IOCs 1 YARA 2 File information Comments

SHA256 hash:	00fca5381ec94c0e1901a3fa10fb5d38e73c06af17df98af463e3a4393246685
SHA3-384 hash:	da1b3089cf388c816aa1620932fe257595641be688bb7044c6d08551bf694f310949648da0141e21a3b53b4a25449fb1
SHA1 hash:	dd5a8fa46fc52cf4b26046d3a0f9f2ea4a0f03e5
MD5 hash:	2f7c805d358aae9d60d730e8ed5c4a03
humanhash:	white-south-mississippi-golf
File name:	Bank Copy#547896532123.exe
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	1'967'616 bytes
First seen:	2022-02-08 13:26:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:1nn16VRtv0p2rNRf07HtFVoQ9jTLxM7t+OExsbgAWAVFiVs1Z6UhbLpRPzy+v1/f:iVgp2rNRfINFv2MpAziVs1Ik/emV06
Threatray	634 similar samples on MalwareBazaar
TLSH	T1BF9533F013FC0B2DC2EE4E70687921405D7BA6D357A2CF5B6D4169AF9C523C62A22397
Reporter	abuse_ch
Tags:	BitRAT exe RAT

abuse_ch

BitRAT C2:
185.140.53.165:55441

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.140.53.165:55441	https://threatfox.abuse.ch/ioc/382239/

Intelligence

File Origin

# of uploads :

# of downloads :

238

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/238191/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Creating a window

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Modifying an executable file

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/62026faa4077c8b9a0219b5b/reports/ae8b9a08-d0b8-4885-bff5-9f92073ec615/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/6e30af7d-84a8-4d07-ac27-e5f820e83be7

Result

Threat name:

BitRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/936062

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/00fca5381ec94c0e1901a3fa10fb5d38e73c06af17df98af463e3a4393246685/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-08 13:27:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ad6kkoa6zfga4gibup5bb625hdttybvpc7pzrl2ghy5ehezem2cq._file

Verdict:

malicious

BitRAT

5bef6639461cd7089101a8f6601f5be40a2fcc52651150dcf1647ff70040a1c5

BitRAT

704e26dbdebc8b3ad1391f5b9d671f8b9550609455821540151ff70e17bed798

BitRAT

888497ac8f3cb030dc34d198ef8e307fab6b129f31f4fc9c41ea78f94d831529

BitRAT

ad29674b1a2bcc3ff4ef5746d9317740ab72b016ee3b89ac9aa9871bcb378b6b

BitRAT

d9f858f28cab427ea59133d06469903d937cd10334a0fdd5f77fe529e3d0ece1

BitRAT

+ 624 additional samples on MalwareBazaar

Result

Malware family:

bitrat

Score:

10/10

Tags:

family:bitrat persistence trojan upx

Link:

https://tria.ge/reports/220208-qp34xagha3/

Behaviour

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

UPX packed file

BitRAT

Malware Config

C2 Extraction:

trotox.duckdns.org:55441

Unpacked files

SH256 hash:

ac3fc398c39e18b44bbd3a0acaa9e985cc7421a3daf8904e74064c2bee26062c

MD5 hash:

1baed44cad47f8df277501212dd7ac70

SHA1 hash:

d54cccb035bbf33bb678147764598d6f1085090e

Link:

https://www.unpac.me/results/be1b2e9c-9403-4759-bef3-bfd05914f42e/

SH256 hash:

0cc119786b104cf0aa261a208bf38802b339774ff3d7a42afcd8329d2d7d21c9

MD5 hash:

263b5190f7ac42d83c756dcdf38147bb

SHA1 hash:

78f419fe3936ed7d603706c47230cd3e6ff79ffe

Link:

https://www.unpac.me/results/be1b2e9c-9403-4759-bef3-bfd05914f42e/

SH256 hash:

6be42481e889fb5b4c9656d76c2afdd4ed11a7913d90b7c0f55f0b9c6645a0ee

MD5 hash:

6d3ecfd0696fa4490046a88990da7510

SHA1 hash:

78df57ab19f3a329ed8476e51ca581b3c56bdf45

Link:

https://www.unpac.me/results/be1b2e9c-9403-4759-bef3-bfd05914f42e/

SH256 hash:

00fca5381ec94c0e1901a3fa10fb5d38e73c06af17df98af463e3a4393246685

MD5 hash:

2f7c805d358aae9d60d730e8ed5c4a03

SHA1 hash:

dd5a8fa46fc52cf4b26046d3a0f9f2ea4a0f03e5

Link:

https://www.unpac.me/results/be1b2e9c-9403-4759-bef3-bfd05914f42e/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/238191/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample