MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a9f7e6ef8592c3807d409340f351188d49da9b7cbe210b875995d85921a5e91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	0a9f7e6ef8592c3807d409340f351188d49da9b7cbe210b875995d85921a5e91
SHA3-384 hash:	d0aec78d92b0d4fc964bda4a8043a03cd64bfaa0ecf1919b14a5a25c6505febbd1e15d3c9bdc993bfbf3ffcb827cd43f
SHA1 hash:	6cecd51374d6a408ac95b1e01d67ebdc30ab19bf
MD5 hash:	8cf0c65f06309e62448877c27675ed38
humanhash:	december-fourteen-summer-kitten
File name:	03_extracted.exe
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	1'511'424 bytes
First seen:	2021-08-02 22:24:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6ed4f5f04d62b18d96b26d6db7c18840 (230 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep	24576:NndRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkz2dUdLCkrY:VXDFBU2iIBb0xY/6sUYYbdUK
Threatray	344 similar samples on MalwareBazaar
TLSH	T1C26533F0265F9B3AF65AC87C79B61D03DC74C2A2652749163E6CD8BD30FEB611484C62
Reporter	Racco42
Tags:	BitRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

03_extracted.exe

Verdict:

Malicious activity

Analysis date:

2021-08-02 22:26:30 UTC

Tags:

trojan bitrat rat

Link:

https://app.any.run/tasks/5e23cdc4-7d46-4cac-b688-182191bf2b07

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BitRAT

Link:

https://www.capesandbox.com/analysis/175895/

Detection(s):

PUA.Win.Packer.Upolyx-12

Win.Malware.Mikey-9819889-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Setting a global event handler

Connection attempt

Replacing executable files

Sending a UDP request

Moving of the original file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Setting a global event handler for the keyboard

Deleting of the original file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

BitRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/51e02b88-a3bc-4971-ade7-c53c09e3f1a9

Result

Threat name:

BitRAT

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/825778

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to hide a thread from the debugger

Contains functionality to inject code into remote processes

Creates files in alternative data streams (ADS)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected BitRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0a9f7e6ef8592c3807d409340f351188d49da9b7cbe210b875995d85921a5e91/

Threat name:

Win32.Trojan.Graftor

Status:

Malicious

First seen:

2021-08-02 19:54:41 UTC

AV detection:

29 of 46 (63.04%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bkpx43xylewdqb6ube2a6nirrdkj3knxzprbbodvtfoyleq2l2iq._file

Verdict:

malicious

BitRAT

09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767

BitRAT

127a77aec69d301ec0eff62153eb160c7a195df26de7ac8617572b2433be6528

BitRAT

18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b

BitRAT

af7800b9d14d41db33e7aeb100aac52bcae40bd7dfa2f151ffb4e76e810ea965

BitRAT

f1041f8beb103e1f63fa8d5234ed3b5a55a37d1c675755040dbb08836c210a90

BitRAT

+ 334 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence suricata upx

Link:

https://tria.ge/reports/210802-grw9p36qh2/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

Unpacked files

SH256 hash:

f30977b56d9bcc93c53d0bce13f893a7dc12fbf4674988ad8837e980c0801473

MD5 hash:

0f61b73b9d5f06bc8bd3d5d9f2f30e88

SHA1 hash:

114290c7d17e829f739e34ff5279ec5bda62b237

Link:

https://www.unpac.me/results/f09bd0b7-c49b-4ecd-aa79-e185a2ed6395/

SH256 hash:

0a9f7e6ef8592c3807d409340f351188d49da9b7cbe210b875995d85921a5e91

MD5 hash:

8cf0c65f06309e62448877c27675ed38

SHA1 hash:

6cecd51374d6a408ac95b1e01d67ebdc30ab19bf

Link:

https://www.unpac.me/results/f09bd0b7-c49b-4ecd-aa79-e185a2ed6395/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0a9f7e6ef8592c3807d409340f351188d49da9b7cbe210b875995d85921a5e91

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_BitRAT Create hunting rule
Author:	ditekSHen
Description:	Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/175895/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample