MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 060b5f33c579d34306373d3d3f9e58456d450d84f4b516f7792bd9171e42454c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 060b5f33c579d34306373d3d3f9e58456d450d84f4b516f7792bd9171e42454c
SHA3-384 hash: 3079b340c1f792d033e78853ffeddf637c8ad7aa58b46b54234ce4a290ef641c3ba6c3fad1601ba519772241bd31a67c
SHA1 hash: d3830e2dd789fda7816c1c4b22ed372ec4270fb4
MD5 hash: 697826bc95ad7978a9ec020318cb733d
humanhash: fourteen-mississippi-alabama-sixteen
File name:697826bc95ad7978a9ec020318cb733d.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'148'352 bytes
First seen:2021-05-14 18:40:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 49152:yb79zbnplbBGRPpaif65XFH6hLufnSAq58PUYY0:qhbnplbBGRP0SYFHILq5q0
Threatray 219 similar samples on MalwareBazaar
TLSH C7A53316A8A0C241C5AABD7CFC8F71F087F1FE1BF496159F9412BEC138B6905DAD1682
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
179.43.176.27:7777

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
179.43.176.27:7777 https://threatfox.abuse.ch/ioc/42246/

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
697826bc95ad7978a9ec020318cb733d.exe
Verdict:
No threats detected
Analysis date:
2021-05-14 18:42:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/11fc043d-41ce-4d7c-825d-fb2871826f32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/156897/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/782191
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Uses the Telegram API (likely for C&C communication)
Wscript starts Powershell (via cmd or directly)
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 414588 Sample: Y0gBNSR1bp.exe Startdate: 14/05/2021 Architecture: WINDOWS Score: 100 39 gentlemanhost.ddnsgeek.com 2->39 47 Multi AV Scanner detection for dropped file 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Yara detected BitRAT 2->51 53 6 other signatures 2->53 9 Y0gBNSR1bp.exe 4 9 2->9         started        signatures3 process4 file5 31 C:\Users\user\AppData\Roaming\wmi.exe, PE32 9->31 dropped 33 C:\Users\user\AppData\Local\Temp\RegAsm.exe, PE32 9->33 dropped 35 C:\Users\user\...\wmi.exe:Zone.Identifier, ASCII 9->35 dropped 37 3 other files (2 malicious) 9->37 dropped 55 Creates an undocumented autostart registry key 9->55 13 RegAsm.exe 9->13         started        17 wscript.exe 1 9->17         started        19 AdvancedRun.exe 1 9->19         started        21 AdvancedRun.exe 1 9->21         started        signatures6 process7 dnsIp8 41 api.telegram.org 149.154.167.220, 443, 49772 TELEGRAMRU United Kingdom 13->41 43 gentlemanhost.ddnsgeek.com 179.43.176.27, 49765, 49766, 49768 PLI-ASCH Panama 13->43 45 192.168.2.1 unknown unknown 13->45 57 Contains functionality to inject code into remote processes 13->57 59 Hides threads from debuggers 13->59 61 Contains functionality to hide a thread from the debugger 13->61 63 Wscript starts Powershell (via cmd or directly) 17->63 65 Adds a directory exclusion to Windows Defender 17->65 23 powershell.exe 26 17->23         started        25 AdvancedRun.exe 19->25         started        27 AdvancedRun.exe 21->27         started        signatures9 process10 process11 29 conhost.exe 23->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/060b5f33c579d34306373d3d3f9e58456d450d84f4b516f7792bd9171e42454c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-11 17:08:38 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ayfv6m6fphjugbrxhu6t7hsyivwukdme6s2rn53zfpmrohscivga._file
Verdict:
unknown
Similar samples:
0137042c076d728f11067b31394854e43724b1b588a65d0718d696ac2efd7f3f
BitRAT
19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
BitRAT
27288b137d69616f6b67a54f45c664e6990cf99202ca16b31d0f95cafb5463bb
BitRAT
293f318cefb29cb776231450e036c7165e1bc0a07f2952aec616a510e995d4a6
BitRAT
469d8739956f308d50bc7e5243e6a8539ac94a16784a2d613b925f9a11d9804b
BitRAT
6c7219ce0b85bcda4ea4fed96e66f08e2621463ac3bc1da55a108af0b35758c0
BitRAT
6d86c85343b0e4a7a3275c1fe07e37868655bad3b69e136e6c43c15074b6f97a
BitRAT
78396f7f4448c533637a2ceddd8cf6e94681b7f0c2c7b446c3db3704bda8b928
BitRAT
89585eda68deca3403a7f13c177b1ec07b2b633e2a1293c6d99f1f9c47e79075
BitRAT
f9eca150e7741db6bbacba0a625b673eb349540ac76a329a68ac55aa96743b96
BitRAT
+ 209 additional samples on MalwareBazaar
Result
Malware family:
xenarmor
Create hunting rule
Score:
  10/10
Tags:
family:bitrat family:xenarmor password persistence recovery spyware stealer trojan upx
Link:
https://tria.ge/reports/210514-sc9fgamfn2/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Nirsoft
BitRAT
BitRAT Payload
Modifies WinLogon for persistence
XenArmor Suite
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
BitRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/060b5f33c579d34306373d3d3f9e58456d450d84f4b516f7792bd9171e42454c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/156897/

Comments