MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03674af9c28f5702955756f95a9173954188deb1d4f14b0bc8f0457e9383d6db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03674af9c28f5702955756f95a9173954188deb1d4f14b0bc8f0457e9383d6db
SHA3-384 hash: 0183d554b810e62b4374e4e6be3c71dc45328663336ecafdd3d1ed26c1a4a67992e085339d8485f8c99f5d45a479f6d2
SHA1 hash: 36caf7a27c4eb6c30557737ea50b8e47e32e07a9
MD5 hash: 03e4a5b246180743a15aabbe28f2acb5
humanhash: south-equal-seventeen-california
File name:#WUHD09.vbs
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'186 bytes
First seen:2021-08-02 18:05:05 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:APHD3noJbzeI2hreIqmQHhvvAN5mPT+69P1EI3SDKV:6nubzCrdcAN54ic1EI3D
Threatray 342 similar samples on MalwareBazaar
TLSH T15621CE187E8EF1395A01D2C65EED8A25F6A712BEC47054653238C15850BF4EE29C3ECF
Reporter abuse_ch
Tags:BitRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175862/
Detection(s):
securiteinfo.com.script.snh_gentrj.7358.1510.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Result
Threat name:
BitRAT Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825674
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Creates files in alternative data streams (ADS)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Sigma detected: Suspicious PowerShell Command Line
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected BitRAT
Yara detected Njrat
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 458086 Sample: #WUHD09.vbs Startdate: 02/08/2021 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 6 other signatures 2->46 7 wscript.exe 1 2->7         started        process3 signatures4 48 VBScript performs obfuscated calls to suspicious functions 7->48 50 Wscript starts Powershell (via cmd or directly) 7->50 52 Obfuscated command line found 7->52 10 powershell.exe 14 32 7->10         started        process5 dnsIp6 30 ia601506.us.archive.org 207.241.227.116, 443, 49709, 49723 INTERNET-ARCHIVEUS United States 10->30 28 PowerShell_transcr....20210802200711.txt, UTF-8 10->28 dropped 54 Creates an undocumented autostart registry key 10->54 56 Writes to foreign memory regions 10->56 58 Injects a PE file into a foreign processes 10->58 15 aspnet_compiler.exe 10->15         started        20 aspnet_compiler.exe 10->20         started        22 conhost.exe 10->22         started        24 aspnet_compiler.exe 10->24         started        file7 signatures8 process9 dnsIp10 32 20.194.35.6, 49734, 49740, 49741 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->32 26 C:\Users\user\AppData\Local:02-08-2021, HTML 15->26 dropped 36 Creates files in alternative data streams (ADS) 15->36 38 Hides threads from debuggers 15->38 34 13.77.222.211, 49737, 7827 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 20->34 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03674af9c28f5702955756f95a9173954188deb1d4f14b0bc8f0457e9383d6db/
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 18:05:10 UTC
AV detection:
4 of 46 (8.70%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=antuv6ocr5lqffkxk34vveltsvayrxvr2tyuwc6i6bcx5e4d23nq._file
Verdict:
malicious
Similar samples:
09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767
BitRAT
127a77aec69d301ec0eff62153eb160c7a195df26de7ac8617572b2433be6528
BitRAT
185d25898a718d3e3ff6d12a3ad18f12734c73859ed4ff1993ce1e4a011485f2
BitRAT
18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b
BitRAT
af7800b9d14d41db33e7aeb100aac52bcae40bd7dfa2f151ffb4e76e810ea965
BitRAT
f1041f8beb103e1f63fa8d5234ed3b5a55a37d1c675755040dbb08836c210a90
BitRAT
+ 332 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence suricata trojan upx
Link:
https://tria.ge/reports/210802-mwacbxez6j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Blocklisted process makes network request
UPX packed file
BitRAT
BitRAT Payload
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Malware Config
Dropper Extraction:
https://ia601506.us.archive.org/27/items/bypass_202108/bypass.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03674af9c28f5702955756f95a9173954188deb1d4f14b0bc8f0457e9383d6db

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

Visual Basic Script (vbs) vbs 03674af9c28f5702955756f95a9173954188deb1d4f14b0bc8f0457e9383d6db

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/175862/

Comments