MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 083d5efb4da09432a206cb7fba5cef2c82dd6cc080015fe69c2b36e71bca6c89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 8

SHA256 hash: 083d5efb4da09432a206cb7fba5cef2c82dd6cc080015fe69c2b36e71bca6c89
SHA3-384 hash: bd1c7e3ec046ad2fa1fc095599841c6b0cd4a01bc5ef3d90813e1d602a86d3fa1995bbc4ee6809ed3c3fad0e5c425aed
SHA1 hash: 5f34eb3c4243445c92c7e4d806e3ce6be4b76a8b
MD5 hash: 2db8431e25227cb5d42e8e6d5b0e3856
humanhash: tennessee-double-snake-gee
File name: 083d5efb4da09432a206cb7fba5cef2c82dd6cc080015fe69c2b36e71bca6c89
Signature: BitRAT
File size: 3'337'808 bytes
First seen: 2021-03-05 10:03:46 UTC
Last seen: 2021-03-05 11:54:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash a0305e8e31de912761769ea2eba47276 (2 x BitRAT)
ssdeep 98304:io0Gk+8m9t5it719JchJbDVs8DD2ux8QlFRMvNxLWDaZgzlmHXY1hVh04v9/nQOc:qGk+t9bs9i6z8Msk/XJmXLA
Threatray 287 similar samples on MalwareBazaar
TLSH 42F5331D5150C1B3FC2A2AFAE3B2BB297E233DC61C6FC5A111A57849C67F563A848473
Reporter JAMESWT_WT
Tags: BitRAT Creator Soft Limited signed

Code Signing Certificate

Organisation: Creator Soft Limited
Issuer: DigiCert EV Code Signing CA (SHA2)
Algorithm: sha256WithRSAEncryption
Valid from: 2021-03-04T00:00:00Z
Valid to: 2022-03-08T23:59:59Z
Serial number: 0ced87bd70b092cb93b182fac32655f6
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: b5562652e236ed8b39021e9a706006889b421548d7d8ae190a5b7ac2711d2b66
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
Uploads: 2
Downloads: 132
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 083d5efb4da09432a206cb7fba5cef2c82dd6cc080015fe69c2b36e71bca6c89
Verdict: Malicious activity
Analysis date: 2021-03-05 10:04:11 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a window
Setting a global event handler
Sending a custom TCP request
Unauthorized injection to a system process
Setting a global event handler for the keyboard
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 88 / 100
Signature
Allocates memory in foreign processes
Found potential dummy code loops (likely to delay analysis)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph: [graph image; ID 363774, sample YyhXkv42qZ, start date 05/03/2021, architecture WINDOWS, score 88. Root-node signatures: icon mismatch, multi AV scanner detection, potential dummy code loops, RDTSC virtualization detection. Processes started: YyhXkv42qZ.exe and igfxMO.exe; YyhXkv42qZ.exe is flagged for overwriting code with unconditional jumps, hijacking control flow in another process, writing to foreign memory regions and 4 other signatures, and starts four notepad.exe instances; igfxMO.exe starts two notepad.exe instances.]
Threat name: Win32.Trojan.GenCBL
Status: Malicious
First seen: 2021-03-05 04:41:22 UTC
File Type: PE (Exe)
Extracted files: 32
AV detection: 13 of 47 (27.66%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:bitrat trojan upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops startup file
BitRAT
BitRAT Payload
Unpacked files
SHA256 hash:
503ba276bac316f7056df2d8c75eb08fc99823882cf199384bf91a03b0956fc0
MD5 hash:
8ef3dc1ab38effe374ed64889c494f66
SHA1 hash:
ea63bf5ce016889926e6653e57ad7c8b14a076f7
SHA256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
SHA256 hash:
88ce2ec555e1a4824d7658dab8e006386656deb52b30e1fd13e53bf4d327d2c7
MD5 hash:
421495887311af5ab270936b28b1e7a0
SHA1 hash:
6ba731c19e4b1a93426f9c121ef3c0de80867084
SHA256 hash:
083d5efb4da09432a206cb7fba5cef2c82dd6cc080015fe69c2b36e71bca6c89
MD5 hash:
2db8431e25227cb5d42e8e6d5b0e3856
SHA1 hash:
5f34eb3c4243445c92c7e4d806e3ce6be4b76a8b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: MALWARE_Win_BitRAT
Author: ditekSHen
Description: Detects BitRAT RAT

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: upx_packed
Description: UPX packed file
