MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b38682544ecd94b8ce910e22593dd8a4671f38aa52a53aa314af9fd24a65d19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BitRAT


Vendor detections: 10



SHA256 hash: 0b38682544ecd94b8ce910e22593dd8a4671f38aa52a53aa314af9fd24a65d19
SHA3-384 hash: 1b5085e08af211861a6bbaedcaf3e86bb2ce19d28baf76c73b9f1e6fab7b65c41f3f32f36b10d66d5e6c6c08f4668f5e
SHA1 hash: c4b0b7894e1110fc6dc4f0d1a591a3acdab22bfb
MD5 hash: e7bab8f16adf2f5ba2f2247ce37bf8d7
humanhash: fillet-lamp-east-river
File name: order invoice.exe
Download: download sample
Signature: BitRAT
File size: 2'091'008 bytes
First seen: 2022-07-19 09:35:49 UTC
Last seen: 2022-07-19 13:33:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 49152:kK0OmWtjqFDyFiZdnH/YQFkbF87EkBC/6s5IZO9no:30pmFGdnH/j57EMC/6s5I0do
Threatray: 739 similar samples on MalwareBazaar
TLSH: T164A5337273A18B6DCA7B0FB914A146116B768F853171EB4E4E5B71CD6A73FC20680F22
TrID:
  64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  11.5% (.SCR) Windows screen saver (13101/52/3)
  9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 74f0dcccccd4c0d4 (10 x AgentTesla, 6 x RemcosRAT, 5 x BitRAT)
Reporter: abuse_ch
Tags: BitRAT exe RAT


abuse_ch
BitRAT C2:
103.133.105.50:1234

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
103.133.105.50:1234 | https://threatfox.abuse.ch/ioc/838661/

Intelligence


File Origin
# of uploads: 2
# of downloads: 336
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected BitRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Behavior Graph ID: 668885
Sample: order invoice.exe
Start date: 19/07/2022
Architecture: WINDOWS
Score: 100
Sample-level signatures: Malicious sample detected (through community Yara rule); Yara detected BitRAT; Yara detected AntiVM3; 8 other signatures
Process: order invoice.exe (started)
  Dropped files:
    C:\Users\user\AppData\Roaming\QNalNtYY.exe (PE32)
    C:\Users\...\QNalNtYY.exe:Zone.Identifier (ASCII)
    C:\Users\user\AppData\Local\...\tmpBD4E.tmp (XML)
    C:\Users\user\...\order invoice.exe.log (ASCII)
  Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  Child processes started: order invoice.exe; powershell.exe; schtasks.exe; order invoice.exe
Process: order invoice.exe (child)
  Network: 103.133.105.50, port 1234 (local ports 49773, 49774), VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN, Viet Nam
  Signatures: Hides threads from debuggers
Process: powershell.exe
  Child processes started: conhost.exe
Process: schtasks.exe
  Child processes started: conhost.exe
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2022-07-19 09:36:13 UTC
File Type: PE (.Net Exe)
Extracted files: 62
AV detection: 24 of 39 (61.54%)
Threat level: 5/5
Result
Malware family: xenarmor
Score: 10/10
Tags: family:bitrat family:xenarmor collection password recovery spyware stealer suricata trojan upx
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
ACProtect 1.3x - 1.4x DLL software
BitRAT
XenArmor Suite
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Malware Config
C2 Extraction: 103.133.105.50:1234
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments