MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03957e1a76e380308206465031a99a1db9e7afce4b82e021f0f8f94888b791b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03957e1a76e380308206465031a99a1db9e7afce4b82e021f0f8f94888b791b2
SHA3-384 hash: 30cbe640c6495a88a2f5eb0710302da129f2b41fe5cd122f5490b6bd2016683d4f20417110e4243636ec047e6331ebe1
SHA1 hash: 97ce3f3084b8db04be526422bf9a1feb0d476e25
MD5 hash: 7f33bacbd78bf143a1f8a52b1f8b4cde
humanhash: sweet-mississippi-earth-orange
File name:97ce3f3084b8db04be526422bf9a1feb0d476e25.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:3'336'192 bytes
First seen:2021-07-31 18:06:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:TKC6+yhQD2OYZGQRticLcM1cVr9D0mDpg84G:+CpYQClrRIcLcMir9DrDp
Threatray 336 similar samples on MalwareBazaar
TLSH T1E0F51268898C9F9ACC5C03340B5846346EF56DE6B2B0C4AC3D8D31B5B7F2D16EAB6345
dhash icon c4b4e6e69898d2c4 (11 x Formbook, 11 x AgentTesla, 4 x NanoCore)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
84.38.129.103:43413

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
84.38.129.103:43413 https://threatfox.abuse.ch/ioc/165170/

Intelligence

File Origin
# of uploads :
1
# of downloads :
401
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
97ce3f3084b8db04be526422bf9a1feb0d476e25.exe
Verdict:
Malicious activity
Analysis date:
2021-07-31 18:09:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/354caafc-efb2-4d32-9f14-eb37c2c0b3b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175504/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.967-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/64c5e748-1b1c-4275-89e1-730cd5f714cb
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/824954
Signature
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03957e1a76e380308206465031a99a1db9e7afce4b82e021f0f8f94888b791b2/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 12:51:49 UTC
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aokx4gtw4oadbaqgiziddkm2dw46pl6ojoboaipq7d4urcfxsgza._file
Verdict:
malicious
Similar samples:
09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767
BitRAT
127a77aec69d301ec0eff62153eb160c7a195df26de7ac8617572b2433be6528
BitRAT
185d25898a718d3e3ff6d12a3ad18f12734c73859ed4ff1993ce1e4a011485f2
BitRAT
18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b
BitRAT
ab7553549ec32422ee868e71eb96fae87439a4c1333e400d455f31d0b74c8ef2
BitRAT
af7800b9d14d41db33e7aeb100aac52bcae40bd7dfa2f151ffb4e76e810ea965
BitRAT
ef9e853a343f1d3588eeaf60c443add28e376fd97f3bc77309b8436349b60bb3
BitRAT
+ 326 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat suricata trojan
Link:
https://tria.ge/reports/210731-kl5pqnvf82/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
CustAttr .NET packer
BitRAT
BitRAT Payload
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Unpacked files
SH256 hash:
6a965265d389ec570b817b5daf6a5a43224094ef4551ff69ab2b558e932e304f
MD5 hash:
c253d0d83615b90f121049924408071a
SHA1 hash:
d53b2f2460f8d5666ed90d7f6a676287ebcbbdc8
Link:
https://www.unpac.me/results/5a16a695-c1c4-44ef-a508-c697ad101110/
SH256 hash:
b6b216aee97a76da8f960cb80a00043642122982c3833ed7d52c708ac7d86d3a
MD5 hash:
350ddc5932e751d3d53807003170d338
SHA1 hash:
8b9fd0331e2a524d9d54598a89b105a24851eaa1
Link:
https://www.unpac.me/results/5a16a695-c1c4-44ef-a508-c697ad101110/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/5a16a695-c1c4-44ef-a508-c697ad101110/
SH256 hash:
03957e1a76e380308206465031a99a1db9e7afce4b82e021f0f8f94888b791b2
MD5 hash:
7f33bacbd78bf143a1f8a52b1f8b4cde
SHA1 hash:
97ce3f3084b8db04be526422bf9a1feb0d476e25
Link:
https://www.unpac.me/results/5a16a695-c1c4-44ef-a508-c697ad101110/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03957e1a76e380308206465031a99a1db9e7afce4b82e021f0f8f94888b791b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175504/

Comments