MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d2ad0e9b26a1e83ea43e5c17658df821c78bf4044aa0c6d71d01452584a67b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d2ad0e9b26a1e83ea43e5c17658df821c78bf4044aa0c6d71d01452584a67b4
SHA3-384 hash: 12a1fe87b854f87b2b3f2b04ed6a8d731abad72a3ce61801575dc228c7855cae08ab0417d10d844d57214993a69f407a
SHA1 hash: 6acd7d390c9ada4ffa83d50241cbc1af1fc1dd96
MD5 hash: a27c7214242993d5a07fa69f2f7c09bb
humanhash: football-zebra-berlin-chicken
File name:a27c7214242993d5a07fa69f2f7c09bb
Download: download sample
Signature BitRAT
Create hunting rule
File size:711'168 bytes
First seen:2021-07-23 12:24:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 58af898a8945f807ca70ebf9933b9268 (4 x RemcosRAT, 1 x BitRAT)
ssdeep 12288:RcOqhpe5sWWUgjIkdcCMTOArWe/C36lAnm4vNOpRKa:R7q+sWiItCoCdv
Threatray 332 similar samples on MalwareBazaar
TLSH T1D1E45A51A161DAF7C6413978491B662888E1FC3839746D922AE0F87CFEBF1C42C1DE97
dhash icon 72c28292b2a888e0 (7 x RemcosRAT, 1 x BitRAT, 1 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 BitRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2eaf147e46a106eaf7a6c8e618060e2f.exe
Verdict:
Malicious activity
Analysis date:
2021-07-23 11:41:53 UTC
Tags:
loader trojan stealer raccoon rat azorult vidar
Link:
https://app.any.run/tasks/59091886-85d6-497c-a82c-deb8e6600af2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173629/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.19331.4272.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/26ea52ca-fc8b-4ba5-ba1f-c3df5b66cb2e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/820751
Signature
Contains functionality to hide a thread from the debugger
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 453162 Sample: KRooWcCysc Startdate: 23/07/2021 Architecture: WINDOWS Score: 84 47 arsaxa.ac.ug 2->47 57 Multi AV Scanner detection for submitted file 2->57 59 Machine Learning detection for sample 2->59 61 Sigma detected: Execution from Suspicious Folder 2->61 9 KRooWcCysc.exe 1 24 2->9         started        14 Wxqlaqq.exe 13 2->14         started        16 Wxqlaqq.exe 14 2->16         started        signatures3 process4 dnsIp5 53 cdn.discordapp.com 162.159.130.233, 443, 49742, 49743 CLOUDFLARENETUS United States 9->53 45 C:\Users\Public\Libraries\...\Wxqlaqq.exe, PE32 9->45 dropped 67 Injects a PE file into a foreign processes 9->67 69 Contains functionality to hide a thread from the debugger 9->69 18 KRooWcCysc.exe 1 1 9->18         started        23 cmd.exe 1 9->23         started        25 cmd.exe 1 9->25         started        55 162.159.133.233, 443, 49756 CLOUDFLARENETUS United States 14->55 71 Multi AV Scanner detection for dropped file 14->71 73 Machine Learning detection for dropped file 14->73 27 Wxqlaqq.exe 14->27         started        29 Wxqlaqq.exe 16->29         started        file6 signatures7 process8 dnsIp9 49 arsaxa.ac.ug 79.134.225.25, 49748, 49749, 49750 FINK-TELECOM-SERVICESCH Switzerland 18->49 51 192.168.2.1 unknown unknown 18->51 43 C:\Users\user\AppData\Local:23-07-2021, ASCII 18->43 dropped 63 Creates files in alternative data streams (ADS) 18->63 65 Hides threads from debuggers 18->65 31 reg.exe 1 23->31         started        33 conhost.exe 23->33         started        35 cmd.exe 1 25->35         started        37 conhost.exe 25->37         started        file10 signatures11 process12 process13 39 conhost.exe 31->39         started        41 conhost.exe 35->41         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d2ad0e9b26a1e83ea43e5c17658df821c78bf4044aa0c6d71d01452584a67b4/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-07-23 12:04:36 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=duvnb2nsnipih2sd4xaxmwg7qiohrp2aisvay3lr2akfewckm62a._file
Verdict:
malicious
Similar samples:
20b8d427a1603e1262b0c7d9a5119d0ea775cb69c690098ecd12a1037a443892
BitRAT
299c548532e82b62f4b52ad642613b9cecc89c9be39a1da630afbc06cb7cce85
BitRAT
367fd8584be5901c9b262975ab5e5700e0e3010d697f1161b6aafabcc7f07d07
BitRAT
46a376d25369d059b1c149d8fb4821aa3ddb504bb381a02f3d5e4e019a41ed4d
BitRAT
4757d64431cbf911d9a6cc5b1cd96ee7f733dd0eb05c41f1fa100ba3d354d4a5
BitRAT
82e96593173c1407d138cca5418a00b0f5cd9960b32d8f03052eca9b33e68b44
BitRAT
d8f95b86b00cd4ba851931bc543ea4c20a8629335ea04d85d2dbd4829d53a2d4
BitRAT
e7aa9ed4edc37d0b7515085211d1107ff1a54f2ca2651bd6698ae345663b93c6
BitRAT
f353dc700a77a88665e2d6cb4f73396ba3b4437cc3ee9a6a7e095de5f77277c5
BitRAT
+ 322 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan upx
Link:
https://tria.ge/reports/210723-yg1nslessx/
Behaviour
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
d174ea83359cec0b0a35da88fa2a1791a1308e35a5e36e83f51a2723e48582a6
MD5 hash:
5c63077607b089e7045eb5e93d8324d9
SHA1 hash:
9ca12c4d6e4a97269d26fe6755aae441276bff42
Link:
https://www.unpac.me/results/4b8256a5-d3ef-4103-9398-b3820558f55e/
SH256 hash:
1d2ad0e9b26a1e83ea43e5c17658df821c78bf4044aa0c6d71d01452584a67b4
MD5 hash:
a27c7214242993d5a07fa69f2f7c09bb
SHA1 hash:
6acd7d390c9ada4ffa83d50241cbc1af1fc1dd96
Link:
https://www.unpac.me/results/4b8256a5-d3ef-4103-9398-b3820558f55e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d2ad0e9b26a1e83ea43e5c17658df821c78bf4044aa0c6d71d01452584a67b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 1d2ad0e9b26a1e83ea43e5c17658df821c78bf4044aa0c6d71d01452584a67b4

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/173629/
  
URLhaus
https://urlhaus.abuse.ch/url/948788/
  
URLhaus
https://urlhaus.abuse.ch/url/1475911/

Comments


Avatar
zbet commented on 2021-07-23 12:24:24 UTC

url : hxxp://danielmi.ac.ug/rc.exe