MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 142a30f9ba3c2e1efbdf15241721da3b20d7b6436761d3eaafdcc095dc681fc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	142a30f9ba3c2e1efbdf15241721da3b20d7b6436761d3eaafdcc095dc681fc4
SHA3-384 hash:	02b9efd2d17f646c223fe5a81a7d683804fd1f14345f91ad377f4ab623a3bb201b95c5fbb07dd73cfbb17f2e4dd1be4f
SHA1 hash:	9d91e4cc3c59c258ae2655119692c13c899d68d2
MD5 hash:	7538dd6e69d0c65d2dc0eb091c3ced18
humanhash:	failed-seven-eleven-floor
File name:	spworks.msi
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	3'969'024 bytes
First seen:	2021-07-29 10:50:05 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	98304:D77Pmq33rE/JDLPWZADUGer7B6iY74M/mmlwXVZaFB:L+R/eZADUXR
Threatray	324 similar samples on MalwareBazaar
TLSH	T12506CF02FA46C562D2570230A96E77BA053CFD344B2085C3B3947A6C59B66D17A3BF3B
Reporter	ankit_anubhav
Tags:	BitRAT msi

Intelligence

File Origin

# of uploads :

# of downloads :

105

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/174980/

Detection(s):

Doc.Dropper.HexEncodedEXEHeader-9789587-1

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/142a30f9ba3c2e1efbdf15241721da3b20d7b6436761d3eaafdcc095dc681fc4

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

BitRAT

Detection:

malicious

Classification:

troj.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/823744

Signature

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Uses Atom Bombing / ProGate to inject into other processes

Yara detected BitRAT

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Backdoor.ParalaxRat

Status:

Malicious

First seen:

2021-07-29 10:50:19 UTC

AV detection:

20 of 46 (43.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cqvdb6n2hqxb5667cusboio2hmqnpnsdm5q5h2vp3tajlxdid7ca._file

Verdict:

malicious

BitRAT

259c654cdd235de9942f23bc7465252d50f2edf6e0b2dc320658fc00bc054ac4

BitRAT

52dbaf7435516b388d60abebda89615a4c2286a663de889a15b45be3b71b0def

BitRAT

60b1e21007ef93c3ac0bb8fcb0d063f2429aae47b4715d0324096887aeb165f8

BitRAT

8c584a322deb7e0731b90ae30dbdfe4821d13ad8ae7ade8fffd28ebbf0ca2504

BitRAT

ab7553549ec32422ee868e71eb96fae87439a4c1333e400d455f31d0b74c8ef2

BitRAT

befaecfa9c1207b951dcf8e72b803cb32d237f16d9e49df1c6c29fcf690b4ec3

BitRAT

d2b6ad926987074e93a769eaf34598a4df8bbb839208c57d4fc1516f9ed1eaa6

BitRAT

e64680fcc09a464e9c482987f8727df5d25ec4bbc312db6a51d557178f9ab17a

BitRAT

+ 314 additional samples on MalwareBazaar

Result

Malware family:

bitrat

Score:

10/10

Tags:

family:bitrat trojan

Link:

https://tria.ge/reports/210729-12trbwz7ya/

Behaviour

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates connected drives

Executes dropped EXE

BitRAT

BitRAT Payload

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/142a30f9ba3c2e1efbdf15241721da3b20d7b6436761d3eaafdcc095dc681fc4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Executable_Converted_to_MSI Create hunting rule

Rule name:	INDICATOR_MSI_EXE2MSI Create hunting rule
Author:	ditekSHen
Description:	Detects executables converted to .MSI packages using a free online converter.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/174980/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample