MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e4234a0e38cd728fd1e6a3d992afe6f327d824142a2a9274d471a18cc2055ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e4234a0e38cd728fd1e6a3d992afe6f327d824142a2a9274d471a18cc2055ae
SHA3-384 hash: f6971e46a35ccb9739df28c4c85571c2c6cb212060a2e81266d9c0c0265653306410dfa4ade9bd9935f4af2446cdb686
SHA1 hash: 50448c53b1c3d41043ccc670af178e2e735ab8f1
MD5 hash: bd71eb2c2ebeda0aa0ee14855755e590
humanhash: hamper-music-twelve-carbon
File name:bd71eb2c2ebeda0aa0ee14855755e590.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:6'714'880 bytes
First seen:2021-06-07 05:56:49 UTC
Last seen:2021-06-07 07:18:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 98304:zI4BkD7pFwwhfAqVo9Eo7bfkNxU+1Nhga4a/ZSm:zSDYwlhNqa4a/ZSm
Threatray 255 similar samples on MalwareBazaar
TLSH D166F13B3693689CC1440B7144A99CD8B2F567473622CBAF75CB538C9F0062FB71E5AA
Reporter abuse_ch
Tags:BitRAT exe RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bd71eb2c2ebeda0aa0ee14855755e590.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-07 06:20:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0c0d94c7-c525-4fa4-8367-2934d7ae61bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164885/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.DRD.genEldorado.21841.16363.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Sending a UDP request
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/797829
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e4234a0e38cd728fd1e6a3d992afe6f327d824142a2a9274d471a18cc2055ae/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-07 05:57:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
1267
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dzbdjihdrtlsr7i6ni6zskx6n4zh3asbikrksj2ni4nbrtbakwxa._file
Verdict:
unknown
Similar samples:
3097b8c703159cf613aba9c2f42b090a391c060402af0c322b29f26e4bf4c22e
BitRAT
8e8b3b7c12c9e7113b882eb559fe9fd5cac868f8e3238942bcc9fa893521c5a4
BitRAT
99a9903d77272e93c262ae1391ef64f0639835f0cc9fc8b07f6fbc4d1bf40c5a
BitRAT
9d5a4507ca16ca47315c7b7f58279cf23bbb9ffda2340367130d1d5b2d00740e
BitRAT
bcf09c801e101acbaa20ef272f86c7eac2c311bf20c6a5b6e245fc0b92be576e
BitRAT
cb5d45a2aff741e92a19428d7b5c5dbec63183e42035b190d732c3dd7d75918a
BitRAT
d4021060ba2ca5034165d5a2c735bdaa54bad25180ebf0f8e0c6d5f6af69e18e
BitRAT
dd62faf4995b64622a600017699ab4a601dd66027d3fc958d0b372e3d80a1353
BitRAT
e915c55dbb5ec35506d25685a0c1a841b257af3bb30745ec5be6019f9d6e5bb3
BitRAT
f138fb2bb1b74757f02ed6159d3766cd5bbae760e04907ea7520bc09dd968783
BitRAT
+ 245 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat agilenet persistence trojan
Link:
https://tria.ge/reports/210607-nr16vl77l2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
1e4234a0e38cd728fd1e6a3d992afe6f327d824142a2a9274d471a18cc2055ae
MD5 hash:
bd71eb2c2ebeda0aa0ee14855755e590
SHA1 hash:
50448c53b1c3d41043ccc670af178e2e735ab8f1
Link:
https://www.unpac.me/results/e508508a-e995-4635-8e93-60e339d01abe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
BitRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e4234a0e38cd728fd1e6a3d992afe6f327d824142a2a9274d471a18cc2055ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 1e4234a0e38cd728fd1e6a3d992afe6f327d824142a2a9274d471a18cc2055ae

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1320436/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/164885/

Comments