MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0954364fc93fcfcc1ec2518eb732d150544c05ec5960667da080da7a08f9dc2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0954364fc93fcfcc1ec2518eb732d150544c05ec5960667da080da7a08f9dc2f
SHA3-384 hash: 35e3d9b7e520cae778d3e6fb038c567e2b7e3a9d0329777e3b024e4bf02047b04bd227e9c32d4da089c327aeb37f7ab1
SHA1 hash: 3a42c010afc37d6eef5d590d4004cdbb6a105daf
MD5 hash: b9af21495c0918c48a3b6af9d2683598
humanhash: speaker-april-stairway-mango
File name:Gpkbiihvipxqrytliykbcwvlsjxdtzpzai.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:768'512 bytes
First seen:2021-07-14 17:25:47 UTC
Last seen:2025-02-17 08:49:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 38d16b2c37539891bdbf379fbde18675 (1 x BitRAT, 1 x RemcosRAT)
ssdeep 12288:MMzACYeU8tDGC/xRXzpU2YeJHsOHUgqBFDRVGt4qOeAhFK:MMMCnMC/xRmeJMQVqdVGdj
Threatray 208 similar samples on MalwareBazaar
TLSH T19FF49E73A2914437D1731E399C4FB75A9D26BF012E28948A7AFC2D4C5F297C1392A393
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
20.80.51.178:2222

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
20.80.51.178:2222 https://threatfox.abuse.ch/ioc/160177/

Intelligence

File Origin
# of uploads :
3
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Gpkbiihvipxqrytliykbcwvlsjxdtzpzai.exe
Verdict:
Malicious activity
Analysis date:
2021-07-14 17:28:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f5f12f40-3052-4124-9c23-4cb815609b6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171789/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/94748ce3-d4de-4c1e-9b27-df3d825b2c3f
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/816458
Signature
Creates a thread in another existing process (thread injection)
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 448869 Sample: Gpkbiihvipxqrytliykbcwvlsjx... Startdate: 14/07/2021 Architecture: WINDOWS Score: 72 49 Yara detected BitRAT 2->49 8 Gpkbiihvipxqrytliykbcwvlsjxdtzpzai.exe 1 24 2->8         started        13 Gpkbiih.exe 13 2->13         started        15 Gpkbiih.exe 14 2->15         started        process3 dnsIp4 47 cdn.discordapp.com 162.159.134.233, 443, 49722, 49723 CLOUDFLARENETUS United States 8->47 41 C:\Users\Public\Libraries\...behaviorgraphpkbiih.exe, PE32 8->41 dropped 53 Writes to foreign memory regions 8->53 55 Creates a thread in another existing process (thread injection) 8->55 57 Injects a PE file into a foreign processes 8->57 17 ieinstal.exe 1 8->17         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        59 Multi AV Scanner detection for dropped file 13->59 25 mshta.exe 13->25         started        27 mshta.exe 15->27         started        file5 signatures6 process7 dnsIp8 43 resereved.nerdpol.ovh 20.80.51.178, 2222, 49736, 49740 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 17->43 45 192.168.2.1 unknown unknown 17->45 51 Hides threads from debuggers 17->51 29 reg.exe 1 21->29         started        31 conhost.exe 21->31         started        33 cmd.exe 1 23->33         started        35 conhost.exe 23->35         started        signatures9 process10 process11 37 conhost.exe 29->37         started        39 conhost.exe 33->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0954364fc93fcfcc1ec2518eb732d150544c05ec5960667da080da7a08f9dc2f/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 17:26:05 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bfkdmt6jh7h4yhwckghlomwrkbkeybpmlfqgm7naqdnhuchz3qxq._file
Verdict:
malicious
Similar samples:
051bfc878cbfc9748f59edcb04b8d8cfdc75b566e403236385c51374b7afd393
BitRAT
413c4d1e7f91baf3ea5e77ed4ce25fc092d6167dabe1076ddca27a377d6a8197
BitRAT
418cf2d183b0ad4239752ae06861e629bf3e8f5ffec607c3eb4fae2ce130a5ff
BitRAT
5371be34589e6447d7e2714c298903587fcfdebcd634822107a19b3de2b33f6b
BitRAT
747610321f9100e0dadd7c7728282b7403172ad1fc23e60eea12f4eaff28ce7e
BitRAT
88f79e83c95b1e666a1bcb387919b2dba6ebb0cdc6db14c7f6d1229728e40a6c
BitRAT
92fee75dbfa7cb48d837b580cc3544832cf116d9991ac9cd0135cef22e535510
BitRAT
f353dc700a77a88665e2d6cb4f73396ba3b4437cc3ee9a6a7e095de5f77277c5
BitRAT
+ 198 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan upx
Link:
https://tria.ge/reports/210714-yacqwmjm9e/
Behaviour
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
7977cf08b9e8faccde39a1620281265292b634c592dd532d8dad755d28b95d24
MD5 hash:
1c6dbe1008826c5a02e7504cab86ba14
SHA1 hash:
6a21b266b8e8fb84b11b6e798e052b729fdb1094
Link:
https://www.unpac.me/results/b74e621f-7b12-422d-b2c4-a657093de579/
SH256 hash:
0954364fc93fcfcc1ec2518eb732d150544c05ec5960667da080da7a08f9dc2f
MD5 hash:
b9af21495c0918c48a3b6af9d2683598
SHA1 hash:
3a42c010afc37d6eef5d590d4004cdbb6a105daf
Link:
https://www.unpac.me/results/b74e621f-7b12-422d-b2c4-a657093de579/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0954364fc93fcfcc1ec2518eb732d150544c05ec5960667da080da7a08f9dc2f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171789/

Comments