MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1aec33c9dc704ad71932eee6e128c9eb0908cab49d85f5a0f788484777a68a57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1aec33c9dc704ad71932eee6e128c9eb0908cab49d85f5a0f788484777a68a57
SHA3-384 hash: 8ae85fa12bfa3150e5d9ee96a3c837b3829de459a397b626da43a7336c0b2bf4d0c75e11e7017d4ec446ad9020bebc73
SHA1 hash: 70cb92dfc7e0dd76d7db1ee2877d87be8be8b638
MD5 hash: d7bda4ea100c3b9b58d9a9095628c064
humanhash: eleven-six-delta-london
File name:d7bda4ea100c3b9b58d9a9095628c064.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:73'728 bytes
First seen:2021-10-30 08:41:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 26929006cc8d1e53cefbb91369e4f82d (1 x BitRAT)
ssdeep 384:a19+zaCOr3013DGTJtREFRXSx6N8G1iF4uEDrEEEEEEEEEEEENaY:QCOrk1T+REF4x6Z1k4uw
Threatray 547 similar samples on MalwareBazaar
TLSH T12073DD77768CDB49C01B13F9C4DB8BF25636AE11CA030987B6453FAE3E36342266568C
File icon (PE):PE icon
dhash icon 4c8f133bc6061006 (1 x BitRAT)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
41.36.83.211:1440

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
41.36.83.211:1440 https://threatfox.abuse.ch/ioc/239792/

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d7bda4ea100c3b9b58d9a9095628c064.exe
Verdict:
No threats detected
Analysis date:
2021-10-30 08:49:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a6e85606-c52e-4fe7-b81e-4c39bf42b11f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7d6c8648-4e30-4690-9317-748b863ab74f
Result
Threat name:
BitRAT Hive RAT Quasar
Create hunting rule
Detection:
malicious
Classification:
spre.troj.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879761
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Disables Windows Defender (deletes autostart)
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Powershell drops PE file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses known network protocols on non-standard ports
Uses regedit.exe to modify the Windows registry
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Beds Obfuscator
Yara detected BitRAT
Yara detected Hive RAT
Yara detected Quasar RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 512195 Sample: rpWXlHY6Yu.exe Startdate: 30/10/2021 Architecture: WINDOWS Score: 100 85 yoworldservices.space 2->85 87 prda.aadg.msidentity.com 2->87 115 Multi AV Scanner detection for domain / URL 2->115 117 Malicious sample detected (through community Yara rule) 2->117 119 Antivirus detection for dropped file 2->119 121 19 other signatures 2->121 11 rpWXlHY6Yu.exe 2->11         started        14 explorer.exe 2->14         started        signatures3 process4 signatures5 149 Adds a directory exclusion to Windows Defender 11->149 16 cmd.exe 1 11->16         started        19 cmd.exe 1 11->19         started        21 wscript.exe 14->21         started        process6 file7 101 Suspicious powershell command line found 16->101 103 Tries to download and execute files (via powershell) 16->103 105 Adds a directory exclusion to Windows Defender 16->105 24 powershell.exe 16->24         started        26 powershell.exe 16->26         started        30 powershell.exe 16->30         started        37 10 other processes 16->37 32 powershell.exe 15 19->32         started        35 conhost.exe 19->35         started        67 C:\Users\user\AppData\Roaming\Avast.exe, PE32 21->67 dropped 107 Benign windows process drops PE files 21->107 109 Creates multiple autostart registry keys 21->109 signatures8 process9 dnsIp10 39 BITBACKK.exe 24->39         started        95 cdn.discordapp.com 162.159.135.233, 443, 49710, 49711 CLOUDFLARENETUS United States 26->95 77 C:\Users\user\Desktop\Cert.reg, Little-endian 26->77 dropped 44 dlscord.exe 26->44         started        46 hivee.exe 30->46         started        97 192.168.2.1 unknown unknown 32->97 111 Uses regedit.exe to modify the Windows registry 32->111 113 Powershell drops PE file 32->113 99 162.159.133.233, 443, 49715, 49716 CLOUDFLARENETUS United States 37->99 79 C:\Users\user\AppData\Roaming\hivee.exe, PE32 37->79 dropped 81 C:\Users\user\AppData\Roaming\dlscord.exe, PE32 37->81 dropped 83 C:\Users\user\AppData\Roaming\BITBACKK.exe, PE32 37->83 dropped 48 regedit.exe 37->48         started        file11 signatures12 process13 dnsIp14 93 yoworldservices.space 39->93 69 C:\Users\user\AppData\...\spotiify.exe (copy), PE32 39->69 dropped 71 C:\Users\user\AppData\Local\Temp\tbPLVy.exe, PE32 39->71 dropped 73 C:\Users\user\AppData\Local:30-10-2021, HTML 39->73 dropped 131 Antivirus detection for dropped file 39->131 133 Multi AV Scanner detection for dropped file 39->133 135 Creates files in alternative data streams (ADS) 39->135 147 4 other signatures 39->147 50 tbPLVy.exe 39->50         started        75 C:\Users\user\AppData\Roaming\...\dlscord.exe, PE32 44->75 dropped 137 Machine Learning detection for dropped file 44->137 139 Uses schtasks.exe or at.exe to add and modify task schedules 44->139 141 Hides that the sample has been downloaded from the Internet (zone.identifier) 44->141 143 Injects a PE file into a foreign processes 46->143 55 hivee.exe 46->55         started        145 Disables Windows Defender (deletes autostart) 48->145 file15 signatures16 process17 dnsIp18 89 ddos.dnsnb8.net 63.251.106.25, 49719, 49740, 799 VOXEL-DOT-NETUS United States 50->89 61 C:\Program Files (x86)\AutoIt3\...\SciTE.exe, PE32 50->61 dropped 63 C:\Program Files (x86)\AutoIt3\...\MyProg.exe, MS-DOS 50->63 dropped 123 Antivirus detection for dropped file 50->123 125 Multi AV Scanner detection for dropped file 50->125 127 Machine Learning detection for dropped file 50->127 129 2 other signatures 50->129 57 WerFault.exe 50->57         started        91 yoworldservices.space 55->91 65 C:\Users\user\AppData\Localxecution.vbs, ASCII 55->65 dropped 59 explorer.exe 55->59         started        file19 signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1aec33c9dc704ad71932eee6e128c9eb0908cab49d85f5a0f788484777a68a57/
Threat name:
Win32.Trojan.YoDdos
Create hunting rule
Status:
Malicious
First seen:
2021-10-26 22:50:07 UTC
AV detection:
23 of 44 (52.27%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dlwdhso4obfnogjs53tockgj5meqrsvutwc7lihxrbeeo55grjlq._file
Verdict:
malicious
Similar samples:
1d0e8150809cb78fb1cf2cad89dc63b884ef4459e93ce4fbb4676ff705bb2679
BitRAT
5752c23fde5267870a7e7487767566c82e60a9bf93eb2e6b63976649abe8505d
BitRAT
704e26dbdebc8b3ad1391f5b9d671f8b9550609455821540151ff70e17bed798
BitRAT
898216543dfbe03ead8ae9e2963d972b1963da5e00addab93702a9ec1a4b216a
BitRAT
9a498a01595504b0d2afc00ce9ebf2c3e7ce6d557fef89cf9d99759ee032d921
BitRAT
b9a1c2a5ed66d7d8acf7c41a44fd0534cecf86a8e673e389a4e5b01c79d29c36
BitRAT
f94934b7aa314b6b2ca25bfd06090f70e37eb99af3a84cd9c02b222d9fbcbe7a
BitRAT
fd463d6ccf33883236cae97f301cfb62e9844a73c885d58f22ebcd3ecc18dcfe
BitRAT
+ 537 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:hiverat family:quasar botnet:anubisv2 aspackv2 persistence rat spyware stealer trojan upx
Link:
https://tria.ge/reports/211030-kl1xgsbdfk/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs .reg file with regedit
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
HiveRAT Payload
HiveRAT
Quasar Payload
Quasar RAT
Malware Config
C2 Extraction:
yoworldservices.space:1338
Dropper Extraction:
https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg
https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe
https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe
https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe
https://cdn.discordapp.com/attachments/612689775702573066/898608127153410129/PaladinsHackFIX.zip
Unpacked files
SH256 hash:
1aec33c9dc704ad71932eee6e128c9eb0908cab49d85f5a0f788484777a68a57
MD5 hash:
d7bda4ea100c3b9b58d9a9095628c064
SHA1 hash:
70cb92dfc7e0dd76d7db1ee2877d87be8be8b638
Link:
https://www.unpac.me/results/a0b44f3f-421b-400f-b401-61c79e2ed2ad/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1aec33c9dc70/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1aec33c9dc704ad71932eee6e128c9eb0908cab49d85f5a0f788484777a68a57

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Rule name:MALWARE_Win_FirebirdRAT
Create hunting rule
Author:ditekSHen
Description:Firebird/Hive RAT payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_unidentified_045_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.unidentified_045.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments