MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 099a7566c4df824ab93cbeba826f8b76c222783a984f13c9b62d373754e81308. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 099a7566c4df824ab93cbeba826f8b76c222783a984f13c9b62d373754e81308
SHA3-384 hash: 34ca9323344a142e681dab38f544c01392418b5accd23f6b4826d24c6686610c6186a3be26c0373369d111aa00c84a01
SHA1 hash: 5c1e921b5f50752a6b28cb6c648521cd5de6bb80
MD5 hash: cd95409562c8fdfc118f63916bb416df
humanhash: georgia-monkey-pip-eighteen
File name:cd95409562c8fdfc118f63916bb416df
Download: download sample
Signature BitRAT
Create hunting rule
File size:331'776 bytes
First seen:2021-11-02 07:00:05 UTC
Last seen:2021-11-02 09:30:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:PKytb6bU4MjtTgR7wrGz4Ac8/FPxrUmEwBP/DGDMDSj:X55jtuwSz4At/NxztPrGS
Threatray 1'610 similar samples on MalwareBazaar
TLSH T1BD64F106D168D956D6095DBCE261DCF244BD8C33D0B6636702FCBD493EBE61ACA922C3
File icon (PE):PE icon
dhash icon 16174db2a88e9620 (26 x BitRAT, 16 x AsyncRAT, 9 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 BitRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
215473460067_043145230_20211101.xls
Verdict:
Malicious activity
Analysis date:
2021-11-02 06:14:20 UTC
Tags:
macros macros-on-open ta505 loader
Link:
https://app.any.run/tasks/03ebde1f-936e-4f95-946f-05908d79a00b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
asyncrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/201289/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.33519.8799.17009.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6180e1f8bf51178dbe47e49b/reports/b8187457-a51d-421a-a742-86658c439087/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/783cbed0-a452-46b2-8bfb-adb895903580
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/881026
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 513462 Sample: 5tx1tCz0TC Startdate: 02/11/2021 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 7 other signatures 2->57 9 5tx1tCz0TC.exe 1 4 2->9         started        12 jtr3Ty7NMk.exe 1 2->12         started        15 jtr3Ty7NMk.exe 2->15         started        process3 file4 37 C:\Users\user\AppData\...\jtr3Ty7NMk.exe, PE32 9->37 dropped 39 C:\Users\user\AppData\Local\Temp\RegAsm.exe, PE32 9->39 dropped 41 C:\Users\...\jtr3Ty7NMk.exe:Zone.Identifier, ASCII 9->41 dropped 43 C:\Users\user\AppData\...\5tx1tCz0TC.exe.log, ASCII 9->43 dropped 17 RegAsm.exe 1 4 9->17         started        63 Antivirus detection for dropped file 12->63 65 Multi AV Scanner detection for dropped file 12->65 67 Machine Learning detection for dropped file 12->67 69 3 other signatures 12->69 21 RegAsm.exe 3 12->21         started        23 RegAsm.exe 15->23         started        signatures5 process6 dnsIp7 45 185.157.160.198, 1973, 49782, 49802 OBE-EUROPEObenetworkEuropeSE Sweden 17->45 35 C:\Users\user\AppData\Local\Temp\bhruiz.exe, PE32 17->35 dropped 25 cmd.exe 1 17->25         started        file8 process9 signatures10 59 Suspicious powershell command line found 25->59 61 Bypasses PowerShell execution policy 25->61 28 powershell.exe 14 25->28         started        30 conhost.exe 25->30         started        process11 process12 32 bhruiz.exe 28->32         started        signatures13 47 Antivirus detection for dropped file 32->47 49 Machine Learning detection for dropped file 32->49
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/099a7566c4df824ab93cbeba826f8b76c222783a984f13c9b62d373754e81308/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-11-02 02:18:52 UTC
AV detection:
16 of 27 (59.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bgnhkzwe36bevoj4x25ie34lo3bce6b2tbhrhsnwfu3tovhicmea._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0b8a5cbe236a7057a2904f18480b85ce9b59b891c0a1a041516248d35760744d
BitRAT
16fc0cec13d88da3d0a36e4c42e733db8f1e21cafc18fd813a25cd0bc835f35a
BitRAT
1d8f931e4e69330838c622831c8cb0225a5126f7141e77747b5cb07a23abf41b
BitRAT
220bb2b7deba41f53a8d86d677691aff283314a29c27cc49b2ba396699237825
BitRAT
b51c07d9a4e50ac499514d378320260821bd7486acd1077a6bddf8ab70c6a2b3
BitRAT
bcf7571a4d9b25fabdc2d6120b1b2d7bd8446ea2bc3a5da1d4127954920067de
BitRAT
ceddcfa72226e91f7435facafe6631d1385ca4d246d242d5136ac4e9462b8611
BitRAT
e6f2be409cbb65ed65758afcc519a1249080be41bf0cf80c32a2d7fea02bc60c
BitRAT
ecb8839117d73d33390c84f7f6e02f4970156ccb2da7b48083922f60625fa8be
BitRAT
+ 1'600 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:bitrat botnet:2 persistence rat trojan
Link:
https://tria.ge/reports/211102-hspfxsbhd5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
BitRAT
BitRAT Payload
Malware Config
C2 Extraction:
185.157.160.198:1973
Unpacked files
SH256 hash:
a65ec092f1f2e5b972b05b8e409c2cd66059060c8465afa0af85307aef6e39a1
MD5 hash:
83da8697ccafdaf9434365557da2d46a
SHA1 hash:
bae4611fa1804098734c649d5fa7ee1e08c24b14
Link:
https://www.unpac.me/results/63b3e76b-d034-49d9-bb75-82f357b45088/
SH256 hash:
8ebba9f5e58d42bdc72dc7d24745bb05795c86d95b7c8dd23c85d3c54264d856
MD5 hash:
e02ac6cd9f3a8b04f9fd33b35df84507
SHA1 hash:
bcb19863d8754bf7e83c2d9936330d8f9879dacd
Link:
https://www.unpac.me/results/63b3e76b-d034-49d9-bb75-82f357b45088/
SH256 hash:
3f9a1fdffdcf07e7a11c551bca4021860b602b43f15fe09e2673fb9cefe05cd1
MD5 hash:
c33fdb9faf579855a4341ade368e925c
SHA1 hash:
dcbc17b5ff2515b96d2666ff02d77cabc100e6dc
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/63b3e76b-d034-49d9-bb75-82f357b45088/
SH256 hash:
099a7566c4df824ab93cbeba826f8b76c222783a984f13c9b62d373754e81308
MD5 hash:
cd95409562c8fdfc118f63916bb416df
SHA1 hash:
5c1e921b5f50752a6b28cb6c648521cd5de6bb80
Link:
https://www.unpac.me/results/63b3e76b-d034-49d9-bb75-82f357b45088/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/099a7566c4df824ab93cbeba826f8b76c222783a984f13c9b62d373754e81308

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 099a7566c4df824ab93cbeba826f8b76c222783a984f13c9b62d373754e81308

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/201289/
  
URLhaus
https://urlhaus.abuse.ch/url/1738292/

Comments


Avatar
zbet commented on 2021-11-02 07:00:06 UTC

url : hxxp://ddl8.data.hu/get/317983/13078369/YConsoleApp112.exe