MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06563f00355b6af7247e643234ff4bab3bdf580e295ac374c6f5a7cd7867a2e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06563f00355b6af7247e643234ff4bab3bdf580e295ac374c6f5a7cd7867a2e9
SHA3-384 hash: 387fff92efb279e988b1410283120b3162d5b9248c1f3e1ebcf3bc56c5ef011dc9246f023ccd227f6f89856dd62b2e53
SHA1 hash: ec33b3c266336bf384abacd5ac2e2cdbf39c1d05
MD5 hash: 493a1481892c26bc0939053ecfe52bd8
humanhash: nineteen-coffee-lamp-august
File name:493A1481892C26BC0939053ECFE52BD8.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:19'713'024 bytes
First seen:2021-07-21 20:45:58 UTC
Last seen:2021-07-21 21:40:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 97d91400de25b81272a3c0454b5cf248 (1 x BitRAT)
ssdeep 393216:01n4QZY9EU559Y4NnyiumUV6tqhaKl8lUe4qz4bcjrDb:bQZmEMYmyTu88lUmz2cT
Threatray 349 similar samples on MalwareBazaar
TLSH T1EA1733AFE08361BED320D6B9962DC7EB435A8E647C4256C7F7C63E4D40306D22675A0E
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
157.90.140.22:55060

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
157.90.140.22:55060 https://threatfox.abuse.ch/ioc/161990/

Intelligence

File Origin
# of uploads :
2
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
493A1481892C26BC0939053ECFE52BD8.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-21 20:51:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fcd7275e-2aca-4d7f-8d82-fb276d258da8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Razy.846260.3331.25352.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/819771
Signature
Antivirus detection for dropped file
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 452179 Sample: D4p0ZEHZfW.exe Startdate: 21/07/2021 Architecture: WINDOWS Score: 88 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected BitRAT 2->50 8 D4p0ZEHZfW.exe 4 2->8         started        11 winserv.exe 2->11         started        14 winserv.exe 2->14         started        process3 file4 40 C:\Users\user\AppData\Local\...\winserv.exe, PE32 8->40 dropped 42 C:\...42  o  E  r  r  o  r  s  A  I  O  .exe, PE32+ 8->42 dropped 16 N  o  E  r  r  o  r  s  A  I  O  .exe 116 8->16         started        19 winserv.exe 2 2 8->19         started        64 Hides threads from debuggers 11->64 signatures5 process6 dnsIp7 30 C:\Users\user\AppData\Local\...\win32wnet.pyd, PE32+ 16->30 dropped 32 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 16->32 dropped 34 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 16->34 dropped 38 75 other files (none is malicious) 16->38 dropped 23 N  o  E  r  r  o  r  s  A  I  O  .exe 5 16->23         started        26 conhost.exe 16->26         started        44 157.90.140.22, 49727, 49728, 49732 REDIRISRedIRISAutonomousSystemES United States 19->44 46 192.168.2.1 unknown unknown 19->46 36 C:\Users\user\AppData\Local:22-07-2021, HTML 19->36 dropped 52 Antivirus detection for dropped file 19->52 54 Multi AV Scanner detection for dropped file 19->54 56 Creates files in alternative data streams (ADS) 19->56 58 2 other signatures 19->58 file8 signatures9 process10 signatures11 60 Modifies the context of a thread in another process (thread injection) 23->60 62 Hides threads from debuggers 23->62 28 cmd.exe 1 23->28         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06563f00355b6af7247e643234ff4bab3bdf580e295ac374c6f5a7cd7867a2e9/
Threat name:
Win32.Spyware.Solmyr
Create hunting rule
Status:
Malicious
First seen:
2021-07-19 14:33:28 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=azld6abvlnvpojd6mqzdj72lvm556waoffnmg5gg6wt426dhuluq._file
Verdict:
malicious
Similar samples:
09a70564723d4a33bb06b1ad49c656f3b4ff32bc50af5fdd08bf3f1f70735bdb
BitRAT
114e6de40d858b16e3e34dd62ef9d2d69758142b8da593a9496a08424ca518f9
BitRAT
1d64c9836f3e45a4083774fa75ef8b1ca9be4b85561ec12608a10570734f3725
BitRAT
4cdfc8c1032ededddcecd13894424bc36e15173ca5cabefe38d0fa7db33d4491
BitRAT
ade9445823ca1711a80264706d612f5815743d69352619df4c4505cbaf50c640
BitRAT
b2b90c803853c036f18b858027ae242f675f65d075b6e21b12659e3c48e5815d
BitRAT
b5ba3f8f7dee43c7924a626f7e0cf088dc2c4ad21d563b770518d3abafda1f69
BitRAT
b7a919bb30c1633483399356aedf42c11656c8a076be969e85b57ccdd071b879
BitRAT
dff85817c9f5b1bc9153495323fa7b36fc8f8b6a8100155081d885e840da9c89
BitRAT
e64680fcc09a464e9c482987f8727df5d25ec4bbc312db6a51d557178f9ab17a
BitRAT
+ 339 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence pyinstaller upx
Link:
https://tria.ge/reports/210721-dwvxkfm3jj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
071f6a7bf762f96a905dcde6546778f604381ddb3958756b88f1ed9758b1ea49
MD5 hash:
6dbd33e301b2c4811c821722b2e74403
SHA1 hash:
412ce2502997bac32ccb7730463e8f28c6d2cfe5
Link:
https://www.unpac.me/results/16a7bfb9-9a9c-495b-a7bd-24477170956f/
SH256 hash:
06563f00355b6af7247e643234ff4bab3bdf580e295ac374c6f5a7cd7867a2e9
MD5 hash:
493a1481892c26bc0939053ecfe52bd8
SHA1 hash:
ec33b3c266336bf384abacd5ac2e2cdbf39c1d05
Link:
https://www.unpac.me/results/16a7bfb9-9a9c-495b-a7bd-24477170956f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06563f00355b6af7247e643234ff4bab3bdf580e295ac374c6f5a7cd7867a2e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments