MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cf6c64800271784234f89dd95925d58075254e5756946de94f447b6defee4fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cf6c64800271784234f89dd95925d58075254e5756946de94f447b6defee4fc
SHA3-384 hash: 30422b3df3cfb8001e462a363b7753db27a32663414364d5236b6d9ee3430454128df12a9110086e320f39b17e1a0d57
SHA1 hash: 6c1d9589726ec133821038a12a9f02fdeaabb2a5
MD5 hash: a088e0fe6f3784d7f16fa7e2c8add5bb
humanhash: saturn-edward-hydrogen-oven
File name:Receipt.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:637'440 bytes
First seen:2020-10-27 09:28:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:4sd03Jq8HcD+jrXfKWEczIWcNrjU78H0Z67/5Mg6DGMV8imFEq:63Uuc6jTfuugkm007hMgTM/r
Threatray 32 similar samples on MalwareBazaar
TLSH FDD40211B0D47AA7C5A94FB32136DE7093B1AF19AE1BF508CAB13AE449B37D007A4C17
Reporter abuse_ch
Tags:BitRAT exe


Avatar
abuse_ch
Malspam distributing BitRAT:

HELO: slot0.alerti.xyz
Sending IP: 142.11.194.235
From: Rose Robert <postmaster@alerti.xyz>
Subject: Credit Card Payment Receipt
Attachment: Receipt.rar (contains "Receipt.exe")

BitRAT payload URL:
http://blindlemmingchiffon.net/lyrics/99.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79745/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/513126
Signature
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 305677 Sample: Receipt.exe Startdate: 27/10/2020 Architecture: WINDOWS Score: 100 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Antivirus detection for dropped file 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 9 other signatures 2->66 8 Receipt.exe 6 2->8         started        process3 file4 44 C:\Users\user\AppData\RoamingJDpuGzK.exe, Unknown 8->44 dropped 46 C:\Users\user\AppData\Local\...\tmp9B2A.tmp, Unknown 8->46 dropped 76 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->76 78 Contains functionality to inject code into remote processes 8->78 12 Receipt.exe 15 8->12         started        16 schtasks.exe 1 8->16         started        18 Receipt.exe 8->18         started        20 Receipt.exe 8->20         started        signatures5 process6 dnsIp7 52 blindlemmingchiffon.net 181.214.142.131, 49707, 80 ASDETUKhttpwwwheficedcomGB Chile 12->52 48 C:\Users\user\...\F50z4ZtclM9ZQkz1.exe, PE32 12->48 dropped 50 C:\Users\user\AppData\Local\...\99[1].exe, PE32 12->50 dropped 22 F50z4ZtclM9ZQkz1.exe 1 13 12->22         started        26 conhost.exe 16->26         started        file8 process9 file10 36 C:\Users\user\AppData\Local\...\dllhost.exe, PE32 22->36 dropped 38 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 22->38 dropped 40 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 22->40 dropped 42 5 other files (none is malicious) 22->42 dropped 68 Antivirus detection for dropped file 22->68 70 Multi AV Scanner detection for dropped file 22->70 72 Machine Learning detection for dropped file 22->72 74 2 other signatures 22->74 28 dllhost.exe 9 22->28         started        32 dllhost.exe 4 22->32         started        34 dllhost.exe 1 22->34         started        signatures11 process12 dnsIp13 54 100.15.249.55, 443, 49726 UUNETUS United States 28->54 56 199.249.230.83, 443, 49724 QUINTEXUS United States 28->56 58 6 other IPs or domains 28->58 80 System process connects to network (likely due to code injection or exploit) 28->80 82 Multi AV Scanner detection for dropped file 28->82 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0cf6c64800271784234f89dd95925d58075254e5756946de94f447b6defee4fc/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 15:58:41 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bt3mmsaae4lyii2prhozles5ladvevhfovuunxuu6rd3nxx64t6a._file
Verdict:
unknown
Similar samples:
07b296fafcefb5dbbf7148a96fc968664011aca0070b72732fb00886fbea9741
BitRAT
08eb7d52f9f2817aa4e6f89628f9d4e4fe9c4f8bfcebf48807de7ad03e8fdbf4
BitRAT
0e63da56ac2a690976edd3e5b6224486f805c88f17d954bb462eed825c3c2fc4
BitRAT
3703314f1bc96e78c1b3378534c311eec37ead98618ba0b2e6c4e7483a25f097
BitRAT
4bb2bfa075e9870bbf9ee55dc7bf9a76f3405245380f2183d0b71fad9e9114ad
BitRAT
62054515cdc2c6bbea085a7bdc44145d246076ef01523e9262d337713faa5336
BitRAT
8e816e44eb6ebdc6b99876142caba3fc1f8a0633edec29e8c1ae3f57e1ca55c9
BitRAT
bcdb474b57e41b200904ce423a9d3195d4c51de6efc2b713a2df42068fb1377d
BitRAT
e6dfcee5a6edf1015136b0173ff2bb953982545f581ecf4a6fdd922c2818c609
BitRAT
fa1c05c7ea1e94e08982755ca1d13051a6cd334fa3e93aa98b5bcc2ebb910f59
BitRAT
+ 22 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
upx evasion spyware
Link:
https://tria.ge/reports/201027-ty6r1vt2k2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Looks for VMWare Tools registry key
UPX packed file
Looks for VirtualBox Guest Additions in registry
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Rooter
Create hunting rule
Author:Seth Hardy
Description:Rooter
Rule name:RooterStrings
Create hunting rule
Author:Seth Hardy
Description:Rooter Identifying Strings
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_bit_rat_w0
Create hunting rule
Author:KrabsOnSecurity
Description:String-based rule for detecting BitRAT malware payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

rar 9f12d89e8dea898be08de4b406e285e38531b18bffb9d3544206fe19d566b447

BitRAT

Executable exe 0cf6c64800271784234f89dd95925d58075254e5756946de94f447b6defee4fc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/755548/
  
Dropped by
MD5 15b3dc32b12d43e68ad8f0c166395f6e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/79745/
  
Dropped by
SHA256 9f12d89e8dea898be08de4b406e285e38531b18bffb9d3544206fe19d566b447

Comments