MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09a365ac0a698062b59ea6b45f9d4b5d32ba3f70b9a93df77521c29603e14047. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09a365ac0a698062b59ea6b45f9d4b5d32ba3f70b9a93df77521c29603e14047
SHA3-384 hash: 59a1df8c7481dc3a6150043a5fd8b4a01514aaa494b5a3863400deaed00bd3aba99d9c3d9ae414dd6e6bc3b0cd494168
SHA1 hash: 57c046f1a1b2f868c285854ede0b3ab35d06b904
MD5 hash: 199c6ca4dd9c770e65fa6ab057338df8
humanhash: twelve-victor-butter-uncle
File name:Yfqbmuahufznqznknlmwfrtnauqppwcobt.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:893'952 bytes
First seen:2021-10-04 18:52:12 UTC
Last seen:2021-10-04 19:57:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b007c2633498ce5e9ac88f6c5e852d8f (2 x BitRAT, 1 x RemcosRAT)
ssdeep 12288:jlDYMzwNJM3m4uZQvFTt0jjqipWUUtWZPO19tT3jmin4uq8S:7KpKvFTmjjTWUrZW19tT3jmin4t8S
Threatray 180 similar samples on MalwareBazaar
TLSH T1BD154D3B72E48572D1D12AFEA81D6694AC223D14393590CA95DCFB7C39393F12A3A1D3
File icon (PE):PE icon
dhash icon 616110152b2b5130 (12 x RemcosRAT, 5 x Formbook, 4 x BitRAT)
Reporter GovCERT_CH
Tags:BitRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
360
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Yfqbmuahufznqznknlmwfrtnauqppwcobt.exe
Verdict:
No threats detected
Analysis date:
2021-10-04 18:55:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/84ecacb4-f15a-487d-b417-3b6dd1fe1006

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194777/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.19802.32094.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/615c109d98a6280f39324dc2/reports/b90a5d08-1664-446f-b032-d52e80340cdc/overview
Malware family:
Remcos RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7ca070de-137f-4022-ae39-5b9e433675ad
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/864275
Signature
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 496706 Sample: Yfqbmuahufznqznknlmwfrtnauq... Startdate: 04/10/2021 Architecture: WINDOWS Score: 92 44 u876134.nvpn.to 2->44 54 Found malware configuration 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 Yara detected BitRAT 2->58 60 C2 URLs / IPs found in malware configuration 2->60 9 Yfqbmuahufznqznknlmwfrtnauqppwcobt.exe 1 23 2->9         started        14 Yfqbmua.exe 13 2->14         started        16 Yfqbmua.exe 15 2->16         started        signatures3 process4 dnsIp5 48 cdn.discordapp.com 162.159.130.233, 443, 49749, 49750 CLOUDFLARENETUS United States 9->48 42 C:\Users\Public\Libraries\...\Yfqbmua.exe, PE32 9->42 dropped 64 Writes to foreign memory regions 9->64 66 Creates a thread in another existing process (thread injection) 9->66 68 Injects a PE file into a foreign processes 9->68 18 DpiScaling.exe 1 2 9->18         started        22 cmd.exe 1 9->22         started        24 cmd.exe 1 9->24         started        70 Multi AV Scanner detection for dropped file 14->70 26 mobsync.exe 14->26         started        50 162.159.134.233, 443, 49766 CLOUDFLARENETUS United States 16->50 52 192.168.2.1 unknown unknown 16->52 28 mobsync.exe 16->28         started        file6 signatures7 process8 dnsIp9 46 u876134.nvpn.to 194.5.98.145, 2405, 49764, 49773 DANILENKODE Netherlands 18->46 62 Hides threads from debuggers 18->62 30 reg.exe 1 22->30         started        32 conhost.exe 22->32         started        34 cmd.exe 1 24->34         started        36 conhost.exe 24->36         started        signatures10 process11 process12 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/09a365ac0a698062b59ea6b45f9d4b5d32ba3f70b9a93df77521c29603e14047/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2021-10-04 18:52:38 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bgrwllakngagfnm6u22f7hklluzlup3qxgut353vehbjma7bibdq._file
Verdict:
malicious
Similar samples:
026668d9855f0c4aac1cb86f163e6e28569a5a4d53d0bde93ac9880a90a8225c
BitRAT
2e9931ce396fe83b4bb02bfda2e15c99ed8b0f11574fe26db531d46354fe5199
BitRAT
3ab89e55bbd69e15b4115d8cc2881040f24db3b7ba4ea63dc08ba72e2799e9d3
BitRAT
6ee87843a613bf888304843d62cec0507600503af4260024e4b37efdd829cd40
BitRAT
7aa3e6c93ac645c2b56f93eb9fe7de45a7fb9958d491190eb6d06198a65e6ca7
BitRAT
7ae01f6bce5549321cb64da949f88142e6b9f7ed8a8121cdba3e8aa205f586be
BitRAT
8552402ead517097114a73e0c23f8765d59ac4e8462a6d4b3ac86f74b45d0596
BitRAT
e9f2ab5922434c4c7eba4bf7d32037e3535e39af2426c761a535e91ef16ff585
BitRAT
eac2512bff3db9994fa6e61b9ce95ea395e87009200fc18b017e2101e529541b
BitRAT
fba31a212526660d90a18e87db2427d72a328a87b35b5783567af5917423ed60
BitRAT
+ 170 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/211004-xjl2rsghe9/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Unpacked files
SH256 hash:
09a365ac0a698062b59ea6b45f9d4b5d32ba3f70b9a93df77521c29603e14047
MD5 hash:
199c6ca4dd9c770e65fa6ab057338df8
SHA1 hash:
57c046f1a1b2f868c285854ede0b3ab35d06b904
Link:
https://www.unpac.me/results/ec9e8e3c-e1a0-4a69-baee-92593d610f51/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09a365ac0a698062b59ea6b45f9d4b5d32ba3f70b9a93df77521c29603e14047

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

Executable exe 09a365ac0a698062b59ea6b45f9d4b5d32ba3f70b9a93df77521c29603e14047

(this sample)

  
Dropped by
BitRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/194777/

Comments