MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 1 File information Comments

SHA256 hash:	18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b
SHA3-384 hash:	0c6283f8e40bc26fbb065a0e501e3a5bc22557642201b951e57dc5c861cf9865addc792f1133a7f986a2225de0318cc4
SHA1 hash:	d38a1ba30cd2711ffb46fa72bdaf0f29cb7d1964
MD5 hash:	955ac34a2a20fd96b038376ec0ed5142
humanhash:	lemon-fruit-hot-hamper
File name:	INVOICE2021-07.exe
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	1'801'216 bytes
First seen:	2021-07-29 21:07:42 UTC
Last seen:	2021-07-29 21:47:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c27a98a29b21693846ec47ce91a249f1 (2 x RaccoonStealer, 2 x Smoke Loader, 2 x GCleaner)
ssdeep	24576:ufNb0+uSi+JZxvZZHUqDBUP+OeEQIehk8BylYTiKjX8aHEYn0NLG8drnJviDEAoL:Oi+JZplKP+OeIO5CUgLG9DWKDEb
Threatray	329 similar samples on MalwareBazaar
TLSH	T1818522307AA0D436E1EB56F981B593A9B81C7F71973440CB62ED3AEA52322F59C31347
dhash icon	ead8ac9cc6e68ea0 (38 x RaccoonStealer, 18 x RedLineStealer, 12 x Smoke Loader)
Reporter	James_inthe_box
Tags:	BitRAT exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
191.101.130.145:2880	https://threatfox.abuse.ch/ioc/164577/

Intelligence

File Origin

# of uploads :

# of downloads :

158

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

INVOICE2021-07.exe

Verdict:

Malicious activity

Analysis date:

2021-07-29 21:09:21 UTC

Tags:

trojan bitrat rat

Link:

https://app.any.run/tasks/33d89e7d-a469-4861-a368-fbe5a6be963b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BitRAT

Link:

https://www.capesandbox.com/analysis/175142/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.9380.4634.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/75b8c53e-80a8-4541-8317-83eea3433d3c

Result

Threat name:

BitRAT

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/824130

Signature

Contains functionality to inject code into remote processes

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Yara detected BitRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-07-29 21:07:23 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dc4wuug2faoqghrm4wgccq5jyg7uq2ghcc54yynx2fdqhc2etyvq._file

Verdict:

malicious

BitRAT

3d63c22ce814418819c6a1783e542bd75a23ca4321f49208391f18dd781b27e7

BitRAT

52dbaf7435516b388d60abebda89615a4c2286a663de889a15b45be3b71b0def

BitRAT

60b1e21007ef93c3ac0bb8fcb0d063f2429aae47b4715d0324096887aeb165f8

BitRAT

8c584a322deb7e0731b90ae30dbdfe4821d13ad8ae7ade8fffd28ebbf0ca2504

BitRAT

af7800b9d14d41db33e7aeb100aac52bcae40bd7dfa2f151ffb4e76e810ea965

BitRAT

befaecfa9c1207b951dcf8e72b803cb32d237f16d9e49df1c6c29fcf690b4ec3

BitRAT

f69b86e22b03881dc837afc9a2c0d4f6555e1e9eb19f7c826b3eb695feaa76bb

BitRAT

+ 319 additional samples on MalwareBazaar

Result

Malware family:

xenarmor

Score:

10/10

Tags:

family:bitrat family:xenarmor password recovery spyware stealer suricata trojan upx

Link:

https://tria.ge/reports/210729-7mckhxwv32/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Loads dropped DLL

Reads data files stored by FTP clients

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

ACProtect 1.3x - 1.4x DLL software

BitRAT

BitRAT Payload

XenArmor Suite

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

Unpacked files

SH256 hash:

159cb1f7d5d8fba6e258a2be526bb6c2fa8a7606acfad56fdfe6e90cfcbbda0e

MD5 hash:

2917c78b2aab7765150afa4635597f81

SHA1 hash:

293720850595b68d32d1723da3650bac0776be89

Link:

https://www.unpac.me/results/18905c43-6265-4d12-9c78-c1c96e0b5ca0/

SH256 hash:

18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b

MD5 hash:

955ac34a2a20fd96b038376ec0ed5142

SHA1 hash:

d38a1ba30cd2711ffb46fa72bdaf0f29cb7d1964

Link:

https://www.unpac.me/results/18905c43-6265-4d12-9c78-c1c96e0b5ca0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.