MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 127a77aec69d301ec0eff62153eb160c7a195df26de7ac8617572b2433be6528. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 127a77aec69d301ec0eff62153eb160c7a195df26de7ac8617572b2433be6528
SHA3-384 hash: defb51451850e8f3f903c638c88f6855db2ffefd512a75f2781d850b064367decb755731a4e9aed2f73991803f6075a5
SHA1 hash: ea1b2bb908f6288464789d44b8f0e34b0424b68e
MD5 hash: 65f355ac3f88a2badf9be48edd47d730
humanhash: shade-harry-juliet-mobile
File name:ea1b2bb908f6288464789d44b8f0e34b0424b68e.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'682'640 bytes
First seen:2021-07-30 17:31:00 UTC
Last seen:2021-07-30 18:36:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:NhVKDyZmcNu50oUsFMM8kSGO4HDbri5M/j3NWOILStmh9mmP:NhcDyZmh50zM8kdpnrIMBWpSto9l
Threatray 333 similar samples on MalwareBazaar
TLSH T1ED75232FB396B724CA484871C4E3921417B3BE576637C3483ACEB18A9F737965C94B84
dhash icon c37a6e9ad895b933 (1 x BitRAT)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
185.244.30.143:31337

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.244.30.143:31337 https://threatfox.abuse.ch/ioc/164904/

Intelligence

File Origin
# of uploads :
2
# of downloads :
574
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ea1b2bb908f6288464789d44b8f0e34b0424b68e.exe
Verdict:
Malicious activity
Analysis date:
2021-07-30 17:32:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5060e00d-ca08-41c9-b85c-90c1dfcb03fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175329/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.14768.10917.25201.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95758040-885e-4eeb-a014-0f7d37fe09df
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/824616
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to hide a thread from the debugger
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 457028 Sample: eInFMnZWWV.exe Startdate: 30/07/2021 Architecture: WINDOWS Score: 80 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected BitRAT 2->35 37 .NET source code contains potential unpacker 2->37 39 2 other signatures 2->39 6 eInFMnZWWV.exe 3 2->6         started        10 AdobeUpdateService.exe 3 2->10         started        12 AdobeUpdateService.exe 2 2->12         started        process3 file4 23 C:\Users\user\AppData\...\eInFMnZWWV.exe.log, ASCII 6->23 dropped 41 Contains functionality to hide a thread from the debugger 6->41 14 eInFMnZWWV.exe 2 2 6->14         started        19 AdobeUpdateService.exe 10->19         started        21 AdobeUpdateService.exe 12->21         started        signatures5 process6 dnsIp7 27 185.244.30.143, 31337, 49710, 49711 DAVID_CRAIGGG Netherlands 14->27 25 C:\Users\user\AppData\Local:30-07-2021, HTML 14->25 dropped 29 Creates files in alternative data streams (ADS) 14->29 31 Hides threads from debuggers 14->31 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/127a77aec69d301ec0eff62153eb160c7a195df26de7ac8617572b2433be6528/
Threat name:
ByteCode-MSIL.Backdoor.Cmy3u
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 20:01:01 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cj5hplwgtuyb5qhp6yqvh2ywbr5bsxpsnxt2zbqxk4vsim56muua._file
Verdict:
malicious
Similar samples:
09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767
BitRAT
18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b
BitRAT
60b1e21007ef93c3ac0bb8fcb0d063f2429aae47b4715d0324096887aeb165f8
BitRAT
8c584a322deb7e0731b90ae30dbdfe4821d13ad8ae7ade8fffd28ebbf0ca2504
BitRAT
af7800b9d14d41db33e7aeb100aac52bcae40bd7dfa2f151ffb4e76e810ea965
BitRAT
befaecfa9c1207b951dcf8e72b803cb32d237f16d9e49df1c6c29fcf690b4ec3
BitRAT
+ 323 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan upx
Link:
https://tria.ge/reports/210730-mgkr4ae7rx/
Behaviour
Modifies registry class
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
69754841e2e407b6e1093b201ed49610d61da364ca6cb4e3919caab7183c7454
MD5 hash:
46da0cf6b0dbbfc139495bfac62e9348
SHA1 hash:
4f75b3768ecd9f7bbb7d1d6bdfb202de7719d083
Link:
https://www.unpac.me/results/bb7f73ca-288e-48fd-8272-65dde6d4bbac/
SH256 hash:
2f88b3a5a9b6ce1a3b7d1445dc7326fa131c4c81e21201b9596aaae850132bad
MD5 hash:
757704d96724fe6a61cba54e9aa8f931
SHA1 hash:
1cf662f0bbff9e855cb338c0265b0779e15b46ee
Link:
https://www.unpac.me/results/bb7f73ca-288e-48fd-8272-65dde6d4bbac/
SH256 hash:
127a77aec69d301ec0eff62153eb160c7a195df26de7ac8617572b2433be6528
MD5 hash:
65f355ac3f88a2badf9be48edd47d730
SHA1 hash:
ea1b2bb908f6288464789d44b8f0e34b0424b68e
Link:
https://www.unpac.me/results/bb7f73ca-288e-48fd-8272-65dde6d4bbac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/127a77aec69d301ec0eff62153eb160c7a195df26de7ac8617572b2433be6528

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175329/

Comments