MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767
SHA3-384 hash: 16d0b3a10cb7e8bb544a2a0f615b1d6405cc3b29244f7855f9a4f11cbf69d4da2f34587062f2a467a0b2003d50196e45
SHA1 hash: 93999f28d1c8391d60830be5202233b63db93301
MD5 hash: bdcdb05af6a2ac95bb13857ab6b6debc
humanhash: king-nine-winter-west
File name:420e88e90e3407586f40e136a30a04ae.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'799'680 bytes
First seen:2021-07-30 14:55:18 UTC
Last seen:2021-07-30 18:20:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 39acbbcf6426a89e2dc936bbf317bfd5 (1 x ArkeiStealer, 1 x RedLineStealer, 1 x BitRAT)
ssdeep 49152:7jr8QuQLqpb0/udMUNPlam4t1Uyru4YNsbN:7nhuQWb0/uWUNPlL4t1dNYUN
Threatray 330 similar samples on MalwareBazaar
TLSH T11E851230BA50D034E5BB22F855BA93BDA82CBDA29B7440C762D53AFE4A346D5DC30357
dhash icon ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
191.101.130.145:2880

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
191.101.130.145:2880 https://threatfox.abuse.ch/ioc/164577/

Intelligence

File Origin
# of uploads :
3
# of downloads :
600
Origin country :
n/a
Vendor Threat Intelligence
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175313/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.48429.4445.29495.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6fc91d98-3d8b-4fc6-b104-c643ad6451a4
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/824549
Signature
Contains functionality to inject code into remote processes
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-30 14:56:05 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bhpqrnyvx4i2bpdmwxg4ltlsjet3u3dkddfcrfxrkpm3ijazm5tq._file
Verdict:
malicious
Similar samples:
18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b
BitRAT
259c654cdd235de9942f23bc7465252d50f2edf6e0b2dc320658fc00bc054ac4
BitRAT
52dbaf7435516b388d60abebda89615a4c2286a663de889a15b45be3b71b0def
BitRAT
60b1e21007ef93c3ac0bb8fcb0d063f2429aae47b4715d0324096887aeb165f8
BitRAT
8c584a322deb7e0731b90ae30dbdfe4821d13ad8ae7ade8fffd28ebbf0ca2504
BitRAT
af7800b9d14d41db33e7aeb100aac52bcae40bd7dfa2f151ffb4e76e810ea965
BitRAT
befaecfa9c1207b951dcf8e72b803cb32d237f16d9e49df1c6c29fcf690b4ec3
BitRAT
f69b86e22b03881dc837afc9a2c0d4f6555e1e9eb19f7c826b3eb695feaa76bb
BitRAT
+ 320 additional samples on MalwareBazaar
Result
Malware family:
xenarmor
Create hunting rule
Score:
  10/10
Tags:
family:bitrat family:xenarmor password recovery spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/210730-km91tyraxx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
ACProtect 1.3x - 1.4x DLL software
BitRAT
BitRAT Payload
XenArmor Suite
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Unpacked files
SH256 hash:
159cb1f7d5d8fba6e258a2be526bb6c2fa8a7606acfad56fdfe6e90cfcbbda0e
MD5 hash:
2917c78b2aab7765150afa4635597f81
SHA1 hash:
293720850595b68d32d1723da3650bac0776be89
Link:
https://www.unpac.me/results/6cc1d590-d7bb-40ff-8549-e5ddf6e5c0f1/
SH256 hash:
09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767
MD5 hash:
bdcdb05af6a2ac95bb13857ab6b6debc
SHA1 hash:
93999f28d1c8391d60830be5202233b63db93301
Link:
https://www.unpac.me/results/6cc1d590-d7bb-40ff-8549-e5ddf6e5c0f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175313/

Comments