MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a3e948bfd52c09e29e2269763daf88e129f6db89a51e14a32f96d99877256ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a3e948bfd52c09e29e2269763daf88e129f6db89a51e14a32f96d99877256ad
SHA3-384 hash: c8e5859119010f1a4658323b21114c8998f28f7196a42fa10450a35d2d7029613cff58215ec13eb6243d382724bd3713
SHA1 hash: 2f04341bdaa03f9fd204a84867d2e1e964898dcf
MD5 hash: 80b4bade5685de1c11fba8fae8c78b91
humanhash: ten-quebec-east-delaware
File name:80B4BADE5685DE1C11FBA8FAE8C78B91.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'249'216 bytes
First seen:2021-07-18 15:35:51 UTC
Last seen:2021-07-18 16:47:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:F0g69zFKbQ80g6pFAgbIoABgWy9XSnlw8ZpDP4TWNtrqx0KObVo:F0g69ob6pFAgc//BppX
Threatray 297 similar samples on MalwareBazaar
TLSH T102A5F0808EDFDECEC65F627FA40A0C9218EED7564397A2E0DB424E30B7951278D651E3
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
91.109.190.9:25874

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.109.190.9:25874 https://threatfox.abuse.ch/ioc/160963/

Intelligence

File Origin
# of uploads :
2
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BF4PureCracker.exe
Verdict:
Malicious activity
Analysis date:
2021-07-15 05:58:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8a150b95-9dac-4eb1-a401-3f1dcc4d99bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172421/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46630276.4018.30817.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b560e332-6949-49f0-bdf3-c6ee3527ca7c
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817937
Signature
.NET source code contains potential unpacker
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 450348 Sample: DLfeAqJGSY.exe Startdate: 18/07/2021 Architecture: WINDOWS Score: 100 41 www.yahoo.com 2->41 43 new-fp-shed.wg1.b.yahoo.com 2->43 45 firewall.publicvm.com 2->45 61 Multi AV Scanner detection for dropped file 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 Yara detected BitRAT 2->65 67 7 other signatures 2->67 9 DLfeAqJGSY.exe 3 10 2->9         started        signatures3 process4 file5 33 C:\Users\user\AppData\...\nvcontainer.exe, PE32 9->33 dropped 35 C:\Users\user\AppData\...\DLfeAqJGSY.exe, PE32 9->35 dropped 37 C:\Users\...\nvcontainer.exe:Zone.Identifier, ASCII 9->37 dropped 39 3 other malicious files 9->39 dropped 69 Creates an undocumented autostart registry key 9->69 71 Writes to foreign memory regions 9->71 73 Injects a PE file into a foreign processes 9->73 13 DLfeAqJGSY.exe 9->13         started        17 wscript.exe 1 9->17         started        19 powershell.exe 18 9->19         started        21 2 other processes 9->21 signatures6 process7 dnsIp8 47 firewall.publicvm.com 91.109.190.9, 25874, 49735, 49736 IELOIELOMainNetworkFR France 13->47 49 192.168.2.1 unknown unknown 13->49 75 Multi AV Scanner detection for dropped file 13->75 77 Machine Learning detection for dropped file 13->77 79 Hides threads from debuggers 13->79 81 Contains functionality to hide a thread from the debugger 13->81 83 Wscript starts Powershell (via cmd or directly) 17->83 23 powershell.exe 24 17->23         started        51 www.yahoo.com 19->51 53 new-fp-shed.wg1.b.yahoo.com 19->53 25 conhost.exe 19->25         started        55 www.yahoo.com 21->55 57 www.yahoo.com 21->57 59 2 other IPs or domains 21->59 27 conhost.exe 21->27         started        29 conhost.exe 21->29         started        signatures9 process10 process11 31 conhost.exe 23->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a3e948bfd52c09e29e2269763daf88e129f6db89a51e14a32f96d99877256ad/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 17:05:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
26 of 46 (56.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bi7jjc75klaj4kpce2lwhwxyryjj63nytji6csrs7fwztb3sk2wq._file
Verdict:
malicious
Similar samples:
299afdf96e5691a426fc9d0579dfde112bd6931c961d688b83c984f2f7f67be7
BitRAT
52dbaf7435516b388d60abebda89615a4c2286a663de889a15b45be3b71b0def
BitRAT
550e7873f18235369c6f215691400034417580534f8084e9712de1ead2db8827
BitRAT
8218b8f30ab4a80e24dcbe79984f5ab0bb8311674098b068f14325487d7d4a47
BitRAT
ade9445823ca1711a80264706d612f5815743d69352619df4c4505cbaf50c640
BitRAT
befaecfa9c1207b951dcf8e72b803cb32d237f16d9e49df1c6c29fcf690b4ec3
BitRAT
+ 287 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan
Link:
https://tria.ge/reports/210718-lwb78jytp2/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
9ade002a741cd68852a574f3027761fc39f1d45e2086d6e6ca66c6175530e979
MD5 hash:
0b0538b6a006687103839c1e18e87392
SHA1 hash:
e9accf507decc8ef0d84fa1faebb2307ac1ea393
Link:
https://www.unpac.me/results/30415356-0c77-4ec6-8880-dffe3d43c9f5/
SH256 hash:
17769a2f7d1461841918ecca01ce871a9656f114e671e4af1182ae0fed08ce1a
MD5 hash:
6caf4ad9280fe05085c4d63bd7a9fb06
SHA1 hash:
e3f895c5a6171e9c63456f9064a7489ed5a47f23
Link:
https://www.unpac.me/results/30415356-0c77-4ec6-8880-dffe3d43c9f5/
SH256 hash:
f446333aaecc8c98b90559da65001a59948406e1070c96ae32917838cc952cdf
MD5 hash:
6d6f71e950d0da263e7ca5afcdc0b335
SHA1 hash:
781badf8465ed820b4698e425c5cc77040f120cd
Link:
https://www.unpac.me/results/30415356-0c77-4ec6-8880-dffe3d43c9f5/
SH256 hash:
7b9469b456930be671ac08570ec4b058508aaeabecf5bbd6cd54c03c76d38a42
MD5 hash:
d694f6bf3c935847c4eae9d8ac6d35d5
SHA1 hash:
703751e1f9bc97941eb1b9bd781456195fca7feb
Link:
https://www.unpac.me/results/30415356-0c77-4ec6-8880-dffe3d43c9f5/
SH256 hash:
0a3e948bfd52c09e29e2269763daf88e129f6db89a51e14a32f96d99877256ad
MD5 hash:
80b4bade5685de1c11fba8fae8c78b91
SHA1 hash:
2f04341bdaa03f9fd204a84867d2e1e964898dcf
Link:
https://www.unpac.me/results/30415356-0c77-4ec6-8880-dffe3d43c9f5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a3e948bfd52c09e29e2269763daf88e129f6db89a51e14a32f96d99877256ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172421/

Comments