MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c32d3b8dc349aac990a76c405f39b973ed2664847602f4100200ae12ccabd6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c32d3b8dc349aac990a76c405f39b973ed2664847602f4100200ae12ccabd6d
SHA3-384 hash: f5e29d66a7f0f9c44b1b5a74bab3c526ccd269f74eb98b3df135706daa647b4d2c794698abaf6f08ca1273fed9c22a05
SHA1 hash: 778a9cf9d4b9220f21b8b7f3b7f77a4b3969c69c
MD5 hash: ba855deabb0649ec0b8afc9c96e5f149
humanhash: minnesota-tennessee-minnesota-yellow
File name:ba855deabb0649ec0b8afc9c96e5f149.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:349'716 bytes
First seen:2020-11-28 10:20:34 UTC
Last seen:2020-11-28 11:48:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b0701deda97f8f775ded6a80cfec3216 (1 x BitRAT, 1 x NanoCore)
ssdeep 6144:ZZfyS6WhLQk6P85reOAgcdDc8DD+ZOna9bVcXTZ+L/9taRvIJDBS16f:ZZfyihj6Upcdw8Gsn4YAaRvI1Bq
Threatray 30 similar samples on MalwareBazaar
TLSH 2F74014779C0C4B3C4289AB900B7DEB015357F703EA2759B3BC4B72A6A733E1256624E
Reporter abuse_ch
Tags:BitRAT exe


Avatar
abuse_ch
Unknown payload URL:
http://michaelcardillo.com/images/t01.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105895/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a process with a hidden window
Moving a recently created file
Sending a custom TCP request
Deleting a recently created file
Delayed writing of the file
Setting a global event handler
Replacing files
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/549999
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May use the Tor software to hide its network traffic
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 324110 Sample: zSPIyck1p9.exe Startdate: 28/11/2020 Architecture: WINDOWS Score: 100 63 Multi AV Scanner detection for domain / URL 2->63 65 Antivirus detection for dropped file 2->65 67 Antivirus / Scanner detection for submitted sample 2->67 69 7 other signatures 2->69 8 zSPIyck1p9.exe 4 2->8         started        process3 file4 45 C:\Users\user\AppData\Local\...\sysfont.exe, PE32 8->45 dropped 47 C:\...\d1375ea43f974b55972107027dd676c3.xml, XML 8->47 dropped 77 Maps a DLL or memory area into another process 8->77 12 MSBuild.exe 16 8->12         started        17 cmd.exe 1 8->17         started        19 conhost.exe 8->19         started        signatures5 process6 dnsIp7 61 michaelcardillo.com 181.214.142.116, 49713, 80 ASDETUKhttpwwwheficedcomGB Chile 12->61 49 C:\Users\user\...\DWTbfHOjMKoHUjWs.exe, PE32 12->49 dropped 51 C:\Users\user\AppData\Local\...\t01[1].exe, PE32 12->51 dropped 83 Contains functionality to inject code into remote processes 12->83 21 DWTbfHOjMKoHUjWs.exe 1 13 12->21         started        25 schtasks.exe 1 17->25         started        file8 signatures9 process10 file11 37 C:\Users\user\AppData\Local\...\dllhost.exe, PE32 21->37 dropped 39 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 21->39 dropped 41 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 21->41 dropped 43 5 other files (none is malicious) 21->43 dropped 71 Antivirus detection for dropped file 21->71 73 Machine Learning detection for dropped file 21->73 75 Hides threads from debuggers 21->75 27 dllhost.exe 9 21->27         started        31 dllhost.exe 4 21->31         started        33 dllhost.exe 1 21->33         started        35 dllhost.exe 1 21->35         started        signatures12 process13 dnsIp14 53 93.115.86.8, 443, 49739 VOXILITYGB United Kingdom 27->53 55 154.35.175.225, 443, 49733 RETHEMHOSTINGUS United States 27->55 59 5 other IPs or domains 27->59 79 System process connects to network (likely due to code injection or exploit) 27->79 81 Multi AV Scanner detection for dropped file 27->81 57 178.33.183.251, 443, 49760 OVHFR France 31->57 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c32d3b8dc349aac990a76c405f39b973ed2664847602f4100200ae12ccabd6d/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 01:42:07 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
38a36c357a50c0f3d6ba6cbaa600507d485271ac452212850dff78f1a430f9e1
BitRAT
4e4cd19c835a2fafb63df3429c6db21507e34fcb33c3072c93f28fb4fc32967b
BitRAT
6269fd417f93e7c0d7cab576b35dc3b6f6a58c0f04e75533bad84987c228f0e6
BitRAT
723e6b54cd996205412396bbfba18171a8e4e7297dd2492b35ec198e122849cb
BitRAT
75fa551eec71d6d8b9817266813715c2bbb7a537005587f9f1e0d058a05febc6
BitRAT
7eed0a7abb529f2d7208babe7ab96ea673878fad3fcd7779340b4d6dc3d8468e
BitRAT
7faef4d80d1100c3a233548473d4dd7d5bb570dd83e8d6e5faff509d6726baf2
BitRAT
83db3e008537b9da1f048cf2a36931238afcdabf35ecbeedecd808ea6bee3bf3
BitRAT
c074b02a7c31f653ce16773fe3d97884a5d4cefed346918b79db7f060661f9f0
BitRAT
c829aa312e2ea1c043566e26517b2bf90e9c12ed68e9d7d24577ebc13f2cf3b1
BitRAT
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201128-b397sdpdg6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
21b48239fca1a10005bad41f6605949f2f4d5c4f37e2dda42f493c5e0f7cd2ac
MD5 hash:
638f5127a04b5eb252b6c36db2fbd9b4
SHA1 hash:
7e5a53b44697d0b5cc0eedead6502b419d6f5bdb
Link:
https://www.unpac.me/results/fefbe3f7-c08a-42a2-b5b5-e25339235906/
SH256 hash:
0c32d3b8dc349aac990a76c405f39b973ed2664847602f4100200ae12ccabd6d
MD5 hash:
ba855deabb0649ec0b8afc9c96e5f149
SHA1 hash:
778a9cf9d4b9220f21b8b7f3b7f77a4b3969c69c
Link:
https://www.unpac.me/results/fefbe3f7-c08a-42a2-b5b5-e25339235906/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
URLhaus
https://urlhaus.abuse.ch/url/863107/
Cape
Cape
https://www.capesandbox.com/analysis/105895/

Comments