MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 185d25898a718d3e3ff6d12a3ad18f12734c73859ed4ff1993ce1e4a011485f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 185d25898a718d3e3ff6d12a3ad18f12734c73859ed4ff1993ce1e4a011485f2
SHA3-384 hash: c13113702731a889cdf2790df4e9ee65c92a423cef5354b75d721de80a2f673325942431413d729b7ff21252a71a1436
SHA1 hash: 08dc28e43ffe977e4e8f0fd31b3a26d1684bea12
MD5 hash: 6a2cf7ab3cdc6f7eb2743a941d70e39a
humanhash: october-fillet-ink-johnny
File name:6A2CF7AB3CDC6F7EB2743A941D70E39A.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:133'120 bytes
First seen:2021-07-29 17:05:38 UTC
Last seen:2021-07-29 17:39:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 1536:PwIOiU5aRa6u6etvWQUyyYDNIrzrqzzStminRnQQ/Mfiswog:YSIkWJWQWYeqzzStminRnQQ/Mfih
Threatray 316 similar samples on MalwareBazaar
TLSH T1FDD30C21B3EC5248F2F76E79427545244B733DA98C79D62C0D9994AE0EB3F40CE62B36
dhash icon c1c0ea78da1b76f0 (1 x BitRAT)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
142.44.145.208:6060

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
142.44.145.208:6060 https://threatfox.abuse.ch/ioc/164555/

Intelligence

File Origin
# of uploads :
2
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6A2CF7AB3CDC6F7EB2743A941D70E39A.exe
Verdict:
Malicious activity
Analysis date:
2021-07-29 17:07:48 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/29a422a6-8bf6-40ee-8599-533169eb4479

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175120/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37290357.14524.16704.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2ccb9aa-d1b2-45a3-89a7-fbbd137be2ec
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/824035
Signature
.NET source code contains potential unpacker
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide a thread from the debugger
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Start Without DLL
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 456447 Sample: GgIUkupW7u.exe Startdate: 29/07/2021 Architecture: WINDOWS Score: 48 74 www.torrent2exe.com 2->74 76 tracker.coppersurfer.tk 2->76 78 3 other IPs or domains 2->78 90 Multi AV Scanner detection for submitted file 2->90 92 Yara detected BitRAT 2->92 94 .NET source code contains potential unpacker 2->94 96 2 other signatures 2->96 9 GgIUkupW7u.exe 16 8 2->9         started        14 wsl64.EXE 14 3 2->14         started        16 wsl64.EXE 2->16         started        18 T2E.exe 2->18         started        signatures3 process4 dnsIp5 80 cdn.discordapp.com 9->80 58 C:\Users\user\AppData\Roaming\...\wsl64.EXE, PE32 9->58 dropped 60 C:\Users\user\AppData\...behaviorgraphgIUkupW7u.exe.log, ASCII 9->60 dropped 108 Creates multiple autostart registry keys 9->108 20 Switch.exe 3 9->20         started        23 RegAsm.exe 9->23         started        82 162.159.134.233, 443, 49725 CLOUDFLARENETUS United States 14->82 84 cdn.discordapp.com 14->84 110 Multi AV Scanner detection for dropped file 14->110 25 RegAsm.exe 1 1 14->25         started        86 cdn.discordapp.com 16->86 62 C:\Users\user\AppData\Local\Temp\Switch.exe, PE32 16->62 dropped 28 RegAsm.exe 16->28         started        30 Switch.exe 16->30         started        file6 signatures7 process8 file9 98 Multi AV Scanner detection for dropped file 20->98 100 Machine Learning detection for dropped file 20->100 32 T2E.exe 20->32         started        36 T2ESetup.exe 19 20->36         started        39 T2ESetup.exe 2 23 20->39         started        102 Contains functionality to hide a thread from the debugger 23->102 54 C:\Users\user\AppData\Local:29-07-2021, ASCII 25->54 dropped 104 Creates files in alternative data streams (ADS) 25->104 106 Hides threads from debuggers 25->106 56 C:\Users\user\AppData\Local\...\T2ESetup.exe, PE32 30->56 dropped 41 T2E.exe 30->41         started        signatures10 process11 dnsIp12 68 117.251.75.169 BSNL-NIBNationalInternetBackboneIN India 32->68 70 5.18.232.233 ZTELECOM-ASRU Russian Federation 32->70 72 100 other IPs or domains 32->72 88 Creates multiple autostart registry keys 32->88 43 T2ESetup.exe 32->43         started        46 C:\Users\user\AppData\Local\Temp\...\T2E.exe, PE32 36->46 dropped 48 C:\Users\user\AppData\Local\...\System.dll, PE32 36->48 dropped 50 C:\Users\user\AppData\Local\...\T2ESetup.exe, PE32 36->50 dropped 52 C:\Users\user\AppData\Local\...\System.dll, PE32 39->52 dropped file13 signatures14 process15 file16 64 C:\Users\user\AppData\Local\...\System.dll, PE32 43->64 dropped 66 C:\Users\user\AppData\...\InstallOptions.dll, PE32 43->66 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/185d25898a718d3e3ff6d12a3ad18f12734c73859ed4ff1993ce1e4a011485f2/
Threat name:
ByteCode-MSIL.Spyware.Solmyr
Create hunting rule
Status:
Malicious
First seen:
2021-07-25 19:12:43 UTC
AV detection:
8 of 28 (28.57%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dboslcmkoggt4p7w2evdvumpcjzuy44ft3kp6gmtzypeuaiuqxza._file
Verdict:
malicious
Similar samples:
0a3e948bfd52c09e29e2269763daf88e129f6db89a51e14a32f96d99877256ad
BitRAT
299afdf96e5691a426fc9d0579dfde112bd6931c961d688b83c984f2f7f67be7
BitRAT
5077111b1030c224e7f95035c72a76aaba1cdb91c941962f12a32ab733007b91
BitRAT
8218b8f30ab4a80e24dcbe79984f5ab0bb8311674098b068f14325487d7d4a47
BitRAT
ab7553549ec32422ee868e71eb96fae87439a4c1333e400d455f31d0b74c8ef2
BitRAT
af7800b9d14d41db33e7aeb100aac52bcae40bd7dfa2f151ffb4e76e810ea965
BitRAT
ef9e853a343f1d3588eeaf60c443add28e376fd97f3bc77309b8436349b60bb3
BitRAT
+ 306 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence suricata trojan
Link:
https://tria.ge/reports/210729-8j9sta9gva/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
BitRAT
BitRAT Payload
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Unpacked files
SH256 hash:
185d25898a718d3e3ff6d12a3ad18f12734c73859ed4ff1993ce1e4a011485f2
MD5 hash:
6a2cf7ab3cdc6f7eb2743a941d70e39a
SHA1 hash:
08dc28e43ffe977e4e8f0fd31b3a26d1684bea12
Link:
https://www.unpac.me/results/f6726d48-e1a6-490d-94c2-c2c81a328ae6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/185d25898a718d3e3ff6d12a3ad18f12734c73859ed4ff1993ce1e4a011485f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175120/

Comments