MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16473f40935d37eb176a1ce1f80fb9e47057e037102bc9ebc73bb06556797aaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16473f40935d37eb176a1ce1f80fb9e47057e037102bc9ebc73bb06556797aaf
SHA3-384 hash: a38078bb7a15e3dbcbc53f21a25ac1fb9a11f5113536cbd60f0c5d33835c995aed2b62a2e62820c67cd490b2723407ef
SHA1 hash: b75970f5e985690b12d03e243f65d89de03c15f8
MD5 hash: 39ad59b5bd8149f3c787602e40df18eb
humanhash: eighteen-colorado-utah-stairway
File name:SWIFT-COPY Payment advice3243343.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:3'126'728 bytes
First seen:2021-01-10 12:47:45 UTC
Last seen:2021-01-10 14:43:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:f4iaAJdkZBb3qUXFp19gje+L0DEbs5v63gnQ:f4iaAJWZBb3qUXFp+Lyyyn
Threatray 140 similar samples on MalwareBazaar
TLSH 16E56A05A34ADB89C9583177DE9862BC13C2FDEBDE10CAA71709BD2174F35E16D8D288
Reporter abuse_ch
Tags:BitRAT exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vps8237.youcloud.hk
Sending IP: 203.135.139.174
From: Lin Zhu <cs@zinomall.com>
Subject: FW: TOP URGENT-Swift copy
Attachment: SWIFT-COPY Payment advice3243343.bz (contains "SWIFT-COPY Payment advice3243343.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SWIFT-COPY Payment advice3243343.exe
Verdict:
Malicious activity
Analysis date:
2021-01-10 12:49:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/97f587c9-9c93-49c3-8b0c-44cd3e347f17

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111159/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577459
Signature
Allocates memory in foreign processes
Contains functionality to hide a thread from the debugger
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 337779 Sample: SWIFT-COPY Payment advice32... Startdate: 10/01/2021 Architecture: WINDOWS Score: 100 37 greathop.fastestmaking.com 2->37 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected BitRAT 2->45 47 Yara detected AntiVM_3 2->47 49 Initial sample is a PE file and has a suspicious name 2->49 8 SWIFT-COPY Payment advice3243343.exe 5 2->8         started        signatures3 process4 file5 25 C:\Users\user\AppData\...\facebookholding.exe, PE32 8->25 dropped 27 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 8->27 dropped 29 C:\...\facebookholding.exe:Zone.Identifier, ASCII 8->29 dropped 31 SWIFT-COPY Payment advice3243343.exe.log, ASCII 8->31 dropped 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->51 12 facebookholding.exe 3 8->12         started        15 cmd.exe 1 8->15         started        signatures6 process7 signatures8 53 Multi AV Scanner detection for dropped file 12->53 55 Writes to foreign memory regions 12->55 57 Allocates memory in foreign processes 12->57 59 2 other signatures 12->59 17 AddInProcess32.exe 1 12->17         started        21 conhost.exe 15->21         started        23 reg.exe 1 1 15->23         started        process9 dnsIp10 33 greathop.fastestmaking.com 172.106.111.244, 5433 AS40676US United States 17->33 35 192.168.2.1 unknown unknown 17->35 39 Hides threads from debuggers 17->39 41 Contains functionality to hide a thread from the debugger 17->41 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/16473f40935d37eb176a1ce1f80fb9e47057e037102bc9ebc73bb06556797aaf/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-10 09:01:52 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=czdt6qetlu36wf3kdtq7qd5z4ryfpybxcav4t26hhoygkvtzpkxq._file
Verdict:
unknown
Similar samples:
0ec43ae5c8b1e95538f25ffe83123138a3d6083f5d9b2bdee312844689fa1f05
BitRAT
1b9d8a1acd648a53e514a157a426e2429616a1787292a93e6a434382dab1c982
BitRAT
30dac0d69e366db4ce57a0935d5619e4bcebfcbaa9f14b7618970cc2aaa522f4
BitRAT
4feb056769f2ac7fb07a65bfd3d5ca0fc22e8f3b3cf046fc586c782935ca2445
BitRAT
698a07ee43319ed49e3a64c97c8626d26b7a9d5ff6c7c02d9ce87d0089c9ed90
BitRAT
7862be8b6b58fc073c3b91badfeab7f5d939725074f2022be9430f89c594692d
BitRAT
b0fc68d01809511045e3837cd93da4eca31cbe69d432287ffe1a716597147f18
BitRAT
b22c648668d77e156bb1d3df67f22c0731bc3ea1010b4ddba7317f3f71b33329
BitRAT
cc6b0848a3a848c9ee7ce3f63d1e3f95393f6593140e2aab400146c06e593793
BitRAT
de0f6d3156577dbace690119ed748be66c64e539402780878490839dd0b24234
BitRAT
+ 130 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210110-f35p1h8j26/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
16473f40935d37eb176a1ce1f80fb9e47057e037102bc9ebc73bb06556797aaf
MD5 hash:
39ad59b5bd8149f3c787602e40df18eb
SHA1 hash:
b75970f5e985690b12d03e243f65d89de03c15f8
Link:
https://www.unpac.me/results/fa30f100-418a-418c-bf66-9b36f092a6b2/
SH256 hash:
4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046
MD5 hash:
29e19b5dce96140a8b90152b16bd44af
SHA1 hash:
4f3dc6eb876bb58f53966980a9c451a04ec17d8a
Link:
https://www.unpac.me/results/fa30f100-418a-418c-bf66-9b36f092a6b2/
SH256 hash:
a60900adc31e8e28ff541b91a55de5d9719c0d1ddc3022eb6f6fb5ac19cc9e4f
MD5 hash:
831fb0609b3509b4fb31ac662ac69217
SHA1 hash:
985c33fa2b01e305995e2ea166b961b01f0f6335
Link:
https://www.unpac.me/results/fa30f100-418a-418c-bf66-9b36f092a6b2/
SH256 hash:
3eda4d12a558e79076ff888ccd8a51803e8c818a0afee83b1d14236b14e9fcd7
MD5 hash:
e76da79fb3dee2016913a7d8f568a89e
SHA1 hash:
9ecad792e8b7ae325743e36d959e1d2ce90d597e
Link:
https://www.unpac.me/results/fa30f100-418a-418c-bf66-9b36f092a6b2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.53
Link:
https://yomi.yoroi.company/submissions/16473f40935d37eb176a1ce1f80fb9e47057e037102bc9ebc73bb06556797aaf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

rar 48e1c30bbe17c2248a1e9ef5e2696698ad800c96ed27ee1fe9fa53f1d8739ec2

BitRAT

Executable exe 16473f40935d37eb176a1ce1f80fb9e47057e037102bc9ebc73bb06556797aaf

(this sample)

  
Dropped by
MD5 4c8c068b6b8b16390dbfba7162bc23dd
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 48e1c30bbe17c2248a1e9ef5e2696698ad800c96ed27ee1fe9fa53f1d8739ec2
Cape
Cape
https://www.capesandbox.com/analysis/111159/

Comments