MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09a70564723d4a33bb06b1ad49c656f3b4ff32bc50af5fdd08bf3f1f70735bdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09a70564723d4a33bb06b1ad49c656f3b4ff32bc50af5fdd08bf3f1f70735bdb
SHA3-384 hash: 48b6c6adfe4160892158f742ef9571a52c39ef30e7a47a367e5bb6abd8f185a9bbcc02f4f6d24b44df95b6fe9411ce6c
SHA1 hash: b03c044dc6d123c97121ce0b2730b6de3abf4d21
MD5 hash: 0e460c38a2cb05f01053a570686d6c56
humanhash: wolfram-minnesota-red-berlin
File name:0E460C38A2CB05F01053A570686D6C56.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:3'196'416 bytes
First seen:2021-07-13 18:15:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash aad05474bfee082c9529c0427d51edae (4 x BitRAT)
ssdeep 49152:NQnXDFBU2iIBb0xY/6sUYY8e7o0goV6P:yzXbFZCBvr79goV
Threatray 1'500 similar samples on MalwareBazaar
TLSH T16DE55B4437005729C57DB7BC0499E2268AF2E8CBFF52C697AFD0BDD3BE954801A164CA
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
73.138.124.217:8808

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
73.138.124.217:8808 https://threatfox.abuse.ch/ioc/160116/

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0E460C38A2CB05F01053A570686D6C56.exe
Verdict:
Malicious activity
Analysis date:
2021-07-13 18:19:44 UTC
Tags:
trojan bitrat rat stealer
Link:
https://app.any.run/tasks/0347e7c9-e164-4858-82dd-b477467e6fe4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171490/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Win.Packed.Genkryptik-9869489-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BitRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bde86850-e36d-4f46-8bd3-bd602ce6b3df
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
81 / 100
Link:
https://www.joesandbox.com/analysis/815816
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 448227 Sample: 3EjHGXdmf3.exe Startdate: 13/07/2021 Architecture: WINDOWS Score: 81 48 Antivirus / Scanner detection for submitted sample 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected BitRAT 2->52 54 Machine Learning detection for sample 2->54 6 3EjHGXdmf3.exe 4 2->6         started        10 Edge.exe 2->10         started        13 Edge.exe 2->13         started        process3 dnsIp4 24 C:\Users\user\...\Ak347ykvlvSucS2v.exe, PE32 6->24 dropped 26 C:\Users\user\...\41IruILLekEUyDf9.exe, PE32 6->26 dropped 56 Contains functionality to inject code into remote processes 6->56 15 41IruILLekEUyDf9.exe 2 4 6->15         started        20 Ak347ykvlvSucS2v.exe 2 6->20         started        28 adata.hopto.org 10->28 58 Hides threads from debuggers 10->58 30 adata.hopto.org 13->30 file5 signatures6 process7 dnsIp8 32 adata.hopto.org 73.138.124.217, 49708, 49709, 49713 COMCAST-7922US United States 15->32 34 192.168.2.1 unknown unknown 15->34 22 C:\Users\user\AppData\Local:13-07-2021, HTML 15->22 dropped 36 Antivirus detection for dropped file 15->36 38 Multi AV Scanner detection for dropped file 15->38 40 Creates files in alternative data streams (ADS) 15->40 46 2 other signatures 15->46 42 Machine Learning detection for dropped file 20->42 44 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->44 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/09a70564723d4a33bb06b1ad49c656f3b4ff32bc50af5fdd08bf3f1f70735bdb/
Threat name:
Win32.Backdoor.ParalaxRat
Create hunting rule
Status:
Malicious
First seen:
2021-07-13 00:42:00 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bgtqkzdshvfdhoygwgwutrsw6o2p6mv4kcxv7xiix47r64dtlpnq._file
Verdict:
malicious
Similar samples:
3d63c22ce814418819c6a1783e542bd75a23ca4321f49208391f18dd781b27e7
BitRAT
4a820b04406f4c710b08b1675a7ffa778c806285dd115404fb415a8096baadda
BitRAT
52dbaf7435516b388d60abebda89615a4c2286a663de889a15b45be3b71b0def
BitRAT
60b1e21007ef93c3ac0bb8fcb0d063f2429aae47b4715d0324096887aeb165f8
BitRAT
9438c974f3cdefd5a097e55bde4734a2db9438be7c8012fa455d4d8bceb537ca
BitRAT
befaecfa9c1207b951dcf8e72b803cb32d237f16d9e49df1c6c29fcf690b4ec3
BitRAT
+ 1'490 additional samples on MalwareBazaar
Result
Malware family:
xenarmor
Create hunting rule
Score:
  10/10
Tags:
family:xenarmor password persistence recovery spyware stealer upx
Link:
https://tria.ge/reports/210713-b6welt6vgn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
XenArmor Suite
Unpacked files
SH256 hash:
6cd72cd8aa0b883dcc811e1dbae80b0fa48e646c288e43be1c03b7bc527d6d64
MD5 hash:
aae8ca9ecb86ad8a90eef59be0696315
SHA1 hash:
7f3868ebc8eeb9e452057176ef8b1df017db969f
Link:
https://www.unpac.me/results/af996ef8-c77e-40a3-8924-71fda5ebc6de/
SH256 hash:
c12640ed63fc7f6a5c685015ea2359649875e363b106847dd3b4a6d4ba602611
MD5 hash:
862bccf337437d8cdef98b57cbe4f6da
SHA1 hash:
224992961b45c0f81aa69fb684793e070a01344c
Link:
https://www.unpac.me/results/af996ef8-c77e-40a3-8924-71fda5ebc6de/
SH256 hash:
09a70564723d4a33bb06b1ad49c656f3b4ff32bc50af5fdd08bf3f1f70735bdb
MD5 hash:
0e460c38a2cb05f01053a570686d6c56
SHA1 hash:
b03c044dc6d123c97121ce0b2730b6de3abf4d21
Link:
https://www.unpac.me/results/af996ef8-c77e-40a3-8924-71fda5ebc6de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09a70564723d4a33bb06b1ad49c656f3b4ff32bc50af5fdd08bf3f1f70735bdb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171490/

Comments