MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18da6bd51f14bd9ffca136121586de47bad598fb4652f9a48044290377fcec61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18da6bd51f14bd9ffca136121586de47bad598fb4652f9a48044290377fcec61
SHA3-384 hash: 6bcef9707c38e83b5e7639bddd24f41675afc32eea9847c938be5242906350d5a8bd2a8e3602c5d9d21ff8fd12bc1f56
SHA1 hash: 9ab4420fc25c66fca63aa43f17fcb956def07433
MD5 hash: 344811104b9deac44b95852d3dbf89ec
humanhash: golf-kitten-finch-uranus
File name:SWIFT_COPY00993Payment_advic4555pdf.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'995'656 bytes
First seen:2021-01-11 08:13:09 UTC
Last seen:2021-01-11 09:29:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:zZKJZKR18FgZZBb3qUXFp19g/e+L0DEbs5w:zZKJZKR18FyZBb3qUXFJ+Lyy
Threatray 165 similar samples on MalwareBazaar
TLSH E9D5AE02B358FB89C990B1BB0AD8A6A85FD3F4E76600CE9D57194E3734772C27D8D648
Reporter abuse_ch
Tags:BitRAT exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vps8237.youcloud.hk
Sending IP: 203.135.139.174
From: Lin Zhu <cs@zinomall.com>
Subject: FW: TOP URGENT-Swift copy
Attachment: swiftcopy00993paymentadvic4555pdf.z (contains "SWIFT_COPY00993Payment_advic4555pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SWIFT_COPY00993Payment_advic4555pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-11 08:14:11 UTC
Tags:
trojan bitrat rat stealer
Link:
https://app.any.run/tasks/e98b135f-2d17-4a59-a635-248c325091ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111221/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Running batch commands
Launching a process
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577680
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 337894 Sample: SWIFT_COPY00993Payment_advi... Startdate: 11/01/2021 Architecture: WINDOWS Score: 100 57 greathop.fastestmaking.com 2->57 69 Antivirus detection for dropped file 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 Yara detected BitRAT 2->73 75 3 other signatures 2->75 11 SWIFT_COPY00993Payment_advic4555pdf.exe 4 2->11         started        signatures3 process4 file5 43 C:\Users\user\AppData\Roaming\alspeed.exe, PE32 11->43 dropped 45 C:\Users\user\...\alspeed.exe:Zone.Identifier, ASCII 11->45 dropped 47 SWIFT_COPY00993Pay...dvic4555pdf.exe.log, ASCII 11->47 dropped 95 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->95 15 alspeed.exe 3 11->15         started        18 cmd.exe 1 11->18         started        signatures6 process7 signatures8 101 Contains functionality to inject code into remote processes 15->101 103 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->103 105 Injects a PE file into a foreign processes 15->105 107 Contains functionality to hide a thread from the debugger 15->107 20 alspeed.exe 1 21 15->20         started        25 conhost.exe 18->25         started        27 reg.exe 1 1 18->27         started        process9 dnsIp10 63 cropepsa.com 20->63 65 api.telegram.org 149.154.167.220, 443, 49769 TELEGRAMRU United Kingdom 20->65 67 3 other IPs or domains 20->67 41 C:\Users\user\AppData\Local\...\cIYNze3l.exe, MS-DOS 20->41 dropped 85 Writes to foreign memory regions 20->85 87 Allocates memory in foreign processes 20->87 89 Sample uses process hollowing technique 20->89 93 2 other signatures 20->93 29 cIYNze3l.exe 24 20->29         started        33 alspeed.exe 20->33         started        file11 91 Uses the Telegram API (likely for C&C communication) 63->91 signatures12 process13 file14 49 C:\Users\user\AppData\Local\...\Unknown.dll, PE32 29->49 dropped 51 C:\Users\user\AppData\...\vcruntime140.dll, PE32 29->51 dropped 53 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 29->53 dropped 55 17 other files (none is malicious) 29->55 dropped 97 Detected unpacking (changes PE section rights) 29->97 99 Injects a PE file into a foreign processes 29->99 35 cIYNze3l.exe 5 29->35         started        signatures15 process16 dnsIp17 59 www.xenarmor.com 35->59 61 xenarmor.com 69.64.94.128, 49772, 80 CODERO-DFWUS United States 35->61 77 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->77 79 Tries to steal Instant Messenger accounts or passwords 35->79 81 Tries to steal Mail credentials (via file access) 35->81 83 2 other signatures 35->83 39 conhost.exe 35->39         started        signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18da6bd51f14bd9ffca136121586de47bad598fb4652f9a48044290377fcec61/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-10 16:36:18 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ddngxvi7cs6z77fbgyjblbw6i65nlgh3izjptjeaiquqg5745rqq._file
Verdict:
unknown
Similar samples:
16473f40935d37eb176a1ce1f80fb9e47057e037102bc9ebc73bb06556797aaf
BitRAT
1cc6b22673f09ee5dd4fa5b54b0244ab8f81ad0064e900d211f62890263a5ab7
BitRAT
3d402a866fb1dc18d7eaaa64013502d3184c25b9f5c93bfa916b5d15cda34a11
BitRAT
3e8debf82b69f5842a21c7bbaf83071c7944f257843d31aad36664dc9e951fff
BitRAT
4feb056769f2ac7fb07a65bfd3d5ca0fc22e8f3b3cf046fc586c782935ca2445
BitRAT
8ebf7cb165e953d4253556cb857bf6978d138890e0f85a8f74c13401350ac887
BitRAT
9b7b121dfaa8fe9005cebcc4fbface3382e339b8e05eb29e2e6aa37c419ed81b
BitRAT
b0fc68d01809511045e3837cd93da4eca31cbe69d432287ffe1a716597147f18
BitRAT
e2d112bd0fd186acce6eebc6ec5d389c69fd6ae1154d0f44938de68dedec29cc
BitRAT
fdeac1758dae3e3811f020f3d9d44fb984c4397c924c4c8e880f4e41fdf130f7
BitRAT
+ 155 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware upx
Link:
https://tria.ge/reports/210111-ctnm1dlqhx/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046
MD5 hash:
29e19b5dce96140a8b90152b16bd44af
SHA1 hash:
4f3dc6eb876bb58f53966980a9c451a04ec17d8a
Link:
https://www.unpac.me/results/1f1493d4-c543-43b1-9730-b6a3008ec785/
SH256 hash:
a60900adc31e8e28ff541b91a55de5d9719c0d1ddc3022eb6f6fb5ac19cc9e4f
MD5 hash:
831fb0609b3509b4fb31ac662ac69217
SHA1 hash:
985c33fa2b01e305995e2ea166b961b01f0f6335
Link:
https://www.unpac.me/results/1f1493d4-c543-43b1-9730-b6a3008ec785/
SH256 hash:
3eda4d12a558e79076ff888ccd8a51803e8c818a0afee83b1d14236b14e9fcd7
MD5 hash:
e76da79fb3dee2016913a7d8f568a89e
SHA1 hash:
9ecad792e8b7ae325743e36d959e1d2ce90d597e
Link:
https://www.unpac.me/results/1f1493d4-c543-43b1-9730-b6a3008ec785/
SH256 hash:
18da6bd51f14bd9ffca136121586de47bad598fb4652f9a48044290377fcec61
MD5 hash:
344811104b9deac44b95852d3dbf89ec
SHA1 hash:
9ab4420fc25c66fca63aa43f17fcb956def07433
Link:
https://www.unpac.me/results/1f1493d4-c543-43b1-9730-b6a3008ec785/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18da6bd51f14bd9ffca136121586de47bad598fb4652f9a48044290377fcec61

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

z fadbc6b1463c25f17f3ad6e7dfb302386e3169bccf336217d827a41b6423e35b

BitRAT

Executable exe 18da6bd51f14bd9ffca136121586de47bad598fb4652f9a48044290377fcec61

(this sample)

  
Dropped by
MD5 2bec486fb2fa8ba69d54336bf496c448
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111221/
  
Dropped by
SHA256 fadbc6b1463c25f17f3ad6e7dfb302386e3169bccf336217d827a41b6423e35b

Comments