MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08bb4e840873a9f4aa846ecf0a00c4e2a2911c36bd591a29afc188a7c42cc0ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08bb4e840873a9f4aa846ecf0a00c4e2a2911c36bd591a29afc188a7c42cc0ed
SHA3-384 hash: ea2ef4606159f77fe5cbe304d0e3de79b6b567174ad06d14fd9ebd68e80b682290c2cfdec825d3091026811a54c3571b
SHA1 hash: d420c952691706c9f062a8064d8c06b2b651099f
MD5 hash: bbd5353dc072332a85b1a5035519bf35
humanhash: hotel-oklahoma-solar-mars
File name:MtSvkc87ybOwjvd.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'491'904 bytes
First seen:2021-07-20 01:01:16 UTC
Last seen:2021-07-20 01:35:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'751 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 49152:WrL/hwF1Vp9ojfE4uaEVSFOY/9u+CW5Gr4y:ohC1RpVSFb/TfV
Threatray 297 similar samples on MalwareBazaar
TLSH T1DDB51139642856A3D639A03BC560E709FEF66D5661308C0A43DBF6871F73113998EF2E
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
74.201.28.32:5506

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
74.201.28.32:5506 https://threatfox.abuse.ch/ioc/161262/

Intelligence

File Origin
# of uploads :
2
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MtSvkc87ybOwjvd.exe
Verdict:
Malicious activity
Analysis date:
2021-07-20 01:02:42 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/edd2c85c-7d96-474e-8726-0aee1a64ab3c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172673/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.43926.28206.5856.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/63b40593-50c3-4deb-95e9-4f1c0a4cdf82
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/818606
Signature
.NET source code contains very large strings
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451017 Sample: MtSvkc87ybOwjvd.exe Startdate: 20/07/2021 Architecture: WINDOWS Score: 92 31 Multi AV Scanner detection for dropped file 2->31 33 Yara detected BitRAT 2->33 35 Yara detected AntiVM3 2->35 37 4 other signatures 2->37 7 MtSvkc87ybOwjvd.exe 6 2->7         started        process3 file4 23 C:\Users\user\AppData\...\WgbceOgsKr.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmpBBED.tmp, XML 7->25 dropped 27 C:\Users\user\...\MtSvkc87ybOwjvd.exe.log, ASCII 7->27 dropped 39 Uses schtasks.exe or at.exe to add and modify task schedules 7->39 41 Injects a PE file into a foreign processes 7->41 11 MtSvkc87ybOwjvd.exe 1 7->11         started        15 schtasks.exe 1 7->15         started        17 MtSvkc87ybOwjvd.exe 7->17         started        19 MtSvkc87ybOwjvd.exe 7->19         started        signatures5 process6 dnsIp7 29 74.201.28.32, 49723, 49727, 49733 DEDIPATH-LLCUS United States 11->29 43 Hides threads from debuggers 11->43 21 conhost.exe 15->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08bb4e840873a9f4aa846ecf0a00c4e2a2911c36bd591a29afc188a7c42cc0ed/
Threat name:
ByteCode-MSIL.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 01:02:04 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bc5u5baioou7jkuen3hquage4krjchbwxvmruknpygekprbmydwq._file
Verdict:
malicious
Similar samples:
3d63c22ce814418819c6a1783e542bd75a23ca4321f49208391f18dd781b27e7
BitRAT
52dbaf7435516b388d60abebda89615a4c2286a663de889a15b45be3b71b0def
BitRAT
60b1e21007ef93c3ac0bb8fcb0d063f2429aae47b4715d0324096887aeb165f8
BitRAT
8c584a322deb7e0731b90ae30dbdfe4821d13ad8ae7ade8fffd28ebbf0ca2504
BitRAT
befaecfa9c1207b951dcf8e72b803cb32d237f16d9e49df1c6c29fcf690b4ec3
BitRAT
d2b6ad926987074e93a769eaf34598a4df8bbb839208c57d4fc1516f9ed1eaa6
BitRAT
f69b86e22b03881dc837afc9a2c0d4f6555e1e9eb19f7c826b3eb695feaa76bb
BitRAT
+ 287 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan upx
Link:
https://tria.ge/reports/210720-dh1e7pqn4j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
9238b1f8791d2f2a84bef7ad13419381ddff2351190954484873853673768acb
MD5 hash:
bd3d2c6b7751073a218745eeb934b990
SHA1 hash:
252475e6280cec4079a2851c290750253941735b
Link:
https://www.unpac.me/results/0bd7f0e3-04fe-4671-b6d9-44fe74d664a4/
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/0bd7f0e3-04fe-4671-b6d9-44fe74d664a4/
SH256 hash:
780a0f0547374ea66737d452cfbe02c03cf293c149ac8808211cdba342f84007
MD5 hash:
38f4749ef563fb5aab7e9e09f51e7869
SHA1 hash:
8d6d04e69e9dc4c1597207bddd074f5750a9fc2b
Link:
https://www.unpac.me/results/0bd7f0e3-04fe-4671-b6d9-44fe74d664a4/
SH256 hash:
08bb4e840873a9f4aa846ecf0a00c4e2a2911c36bd591a29afc188a7c42cc0ed
MD5 hash:
bbd5353dc072332a85b1a5035519bf35
SHA1 hash:
d420c952691706c9f062a8064d8c06b2b651099f
Link:
https://www.unpac.me/results/0bd7f0e3-04fe-4671-b6d9-44fe74d664a4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/08bb4e840873a9f4aa846ecf0a00c4e2a2911c36bd591a29afc188a7c42cc0ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172673/

Comments