MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08ad11bae99deab8e128dfea4c85f8bb46124f32a7cfae956c1b650e94f005fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08ad11bae99deab8e128dfea4c85f8bb46124f32a7cfae956c1b650e94f005fa
SHA3-384 hash: 90e8b9cfeacc5ead5e5c47aee0738e197c1eefa6b68c885fd842605e24e45bf65c9b8769bed7aa764911acd575310c92
SHA1 hash: f4503fd5b9d8b23c02bff1abd23fb17ce341f907
MD5 hash: aa1d9a07e0bd53a161cb35168bb1bb31
humanhash: cola-lamp-lion-may
File name:invoice.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:17'104 bytes
First seen:2022-08-10 11:15:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 192:Zo5jXGlBRI2po6Ce0J4h9Oecqz3K5O3lDWpHrDWpHE7x0gZHSVLRjt8:ZMjXQ3K6CPJ4aPqe0DGrDGuph2O
Threatray 61 similar samples on MalwareBazaar
TLSH T1BD721856C7941DB2ED7B8E3270E0D5122B30B7416AD2C6FF91ACC054CF827866AF86B5
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
45.137.22.189:7744

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.137.22.189:7744 https://threatfox.abuse.ch/ioc/842319/

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
bitrat
Create hunting rule
ID:
1
File name:
invoice.exe
Verdict:
Malicious activity
Analysis date:
2022-08-10 11:20:46 UTC
Tags:
opendir loader trojan bitrat rat
Link:
https://app.any.run/tasks/43ddfc03-9d1e-4854-85fe-80ec5b84a77a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/297601/
Detection(s):
SecuriteInfo.com.Trojan.DownLoaderNET.454.5512.10646.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP GET request
Launching a process
Creating a file
Sending a custom TCP request
Creating a window
DNS request
Setting a global event handler
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed packed
Link:
https://www.filescan.io/uploads/62f393baf6ec33747d91e1c4/reports/f6170b68-7a07-4d5c-a23f-f8d0352a0bdc/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BitRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/935c2532-f350-4765-a431-9ae43e7fbedb
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1049137
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected BitRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08ad11bae99deab8e128dfea4c85f8bb46124f32a7cfae956c1b650e94f005fa/
Threat name:
ByteCode-MSIL.Spyware.Solmyr
Create hunting rule
Status:
Malicious
First seen:
2022-08-10 09:01:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bcwrdoxjtxvlryji37vezbpyxndbetzsu7h25flmdnsq5fhqax5a._file
Verdict:
malicious
Similar samples:
392d76c65c2ffb346bffd06a636a8fba619b4a51d7db1aac5940fe9987386830
BitRAT
58fe463afcc60875aa24b55894dcbba720243eb4e1099a91d8e8bdd0cdb06d34
BitRAT
707bfa62345b1f14fed08cc325df83df9b76b0f1ad305f39b37008754399ef98
BitRAT
8994875bb2ea4899e1c56d0b390fcdfe6068f6a8577a197f0d13245f369b220f
BitRAT
98f4957f96f19cf22dbfec7b549af7275cfe17484bfd18fc10a639663b7ba583
BitRAT
bb81812044069608e1ba320fcb7b878c5b6895f5bf91c93027ab4161042d01c7
BitRAT
c49dbc502ff7d9217603a363ec7d3048a2d6cd13dd5d4305bd8af96fcdd3da44
BitRAT
eafdcbea5a9544d87f8a7c03ee4eb6ab0d9c12bbbbc1d9705dc94d5fd983c5bd
BitRAT
f3f0b5cdb77da6c5c5949ba1ab34e2e2f86f5d562e4d5967a23eb6c64f0512b7
BitRAT
+ 51 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan upx
Link:
https://tria.ge/reports/220810-nc5e4abch7/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Downloads MZ/PE file
UPX packed file
BitRAT
Malware Config
C2 Extraction:
eichelberger.duckdns.org:7744
Unpacked files
SH256 hash:
08ad11bae99deab8e128dfea4c85f8bb46124f32a7cfae956c1b650e94f005fa
MD5 hash:
aa1d9a07e0bd53a161cb35168bb1bb31
SHA1 hash:
f4503fd5b9d8b23c02bff1abd23fb17ce341f907
Link:
https://www.unpac.me/results/9676e7d1-3f88-476b-a71c-3fc981e0e378/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/08ad11bae99d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/08ad11bae99deab8e128dfea4c85f8bb46124f32a7cfae956c1b650e94f005fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:bitrat_unpacked
Create hunting rule
Author:jeFF0Falltrades
Description:Experimental rule to detect unpacked BitRat payloads on disk or in memory, looking for a combination of strings and decryption/decoding patterns
Reference:https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_bit_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.bit_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/297601/

Comments