MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22c86ceaed13287d9bdcc4bb9e7ee4c383c5c1422eee3f75a10f7fd0ffe3b589. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22c86ceaed13287d9bdcc4bb9e7ee4c383c5c1422eee3f75a10f7fd0ffe3b589
SHA3-384 hash: e6c0220b47c0736c0e5caadb75a4a32b87e95cd5d8a63c1b27f60b6efd9422dfed4ca40d6a2038844ec800d3173865da
SHA1 hash: 88ba734a58814c21b5352266b00c2f5c1425296e
MD5 hash: 2faaf3267e581c03463c3a2c256d697e
humanhash: sink-zulu-freddie-carolina
File name:Statement.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'246'656 bytes
First seen:2021-01-19 13:02:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:hgYUnpySEMB9H+5lCMnqukrKFW2bK49EZl:FUnL9HqlCMqukre9Vil
Threatray 460 similar samples on MalwareBazaar
TLSH A2A512922E04EE01E179A7B5E42A65F473EEAD14D719C50B6CC9FEBD333390A860D532
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
Malspam distributing BitRAT:

HELO: mail.getemails.host
Sending IP: 163.44.206.131
From: Account <admin@getemails.host>
Reply-To: danielren101@gmail.com
Subject: Re: Statement Update
Attachment: Statement.iso (contains "Statement.exe")

BitRAT C2:
185.157.162.107:4783

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Statement.exe
Verdict:
Malicious activity
Analysis date:
2021-01-19 13:21:57 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/1ddf69e7-e1ca-4761-b389-c557d047f206

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112888/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Setting a global event handler
Sending a custom TCP request
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/585095
Signature
.NET source code contains potential unpacker
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22c86ceaed13287d9bdcc4bb9e7ee4c383c5c1422eee3f75a10f7fd0ffe3b589/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 13:03:11 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=elegz2xncmuh3g64ys5z47xeyob4lqkcf3xd65nbb575b77dwweq._file
Verdict:
malicious
Similar samples:
1c1b2595e6838a1ee24e806ff60b80a40ad7166caaaaf65080deda57c7292c53
BitRAT
2ddd796e9b53ab3d7eaf4093529077f637f182a934a851af24da8c8f189aeed3
BitRAT
50e2c6aac34de9ed4e1b3fcfcd5aaa34892696f2681aa5e8c45a5dbe0915a43c
BitRAT
56d0c7b288fe323703e31519f296d7a1ed4811bc8eb7cf87c56082499aaff297
BitRAT
76e5467f267a4bca00af800094c3a92f6bd51de54737f07c533d091e2f219b40
BitRAT
8fdc007dd13e7c0c5bbe426da723499db81518697eb84d2fd2a0181996d276fa
BitRAT
9ffa16b91dc10936865d1d9849940c9d27276fd6acd6ab947d31e7f80322eea2
BitRAT
b8d2de495b9ec7f42b0f25b1fc532915a4378b683daafb1ecb5171624ea7a83c
BitRAT
ef3436a1198e62ccb908d35b3dea6cfed17414f2e59ab62686277d978f5fd73c
BitRAT
f1080a2b8c64a3c7b9ba733360e7e70947859b250f4ed760a35f7104a70d6d91
BitRAT
+ 450 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan upx
Link:
https://tria.ge/reports/210119-a8h1r3jren/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
5c4901f8c21bf5ac763d80ff8a1b7bc49e8fa419ab396015e53ba195c38a4859
MD5 hash:
f7881ab315a9e4293093ece884dc2057
SHA1 hash:
a076728f16dd45dfc614b93bf8a7199fc3919a34
Link:
https://www.unpac.me/results/4f97ea74-2e5b-4cb1-963f-0905c4963573/
SH256 hash:
b9af1b9224ac3de3b502e3c159e78a46d60f967230e3bea85b3c16ee4ae8e39f
MD5 hash:
b20f6dae5f8a515e6a4fdb0aacdce960
SHA1 hash:
cd4880e9bed8d9e732860c4692d543e9471684bd
Link:
https://www.unpac.me/results/4f97ea74-2e5b-4cb1-963f-0905c4963573/
SH256 hash:
4929844472b33b929b11ffa1a0fd0f77cce91110cc2884dfd86fdfd205bfa207
MD5 hash:
7bbba612dade9476db6f17af58c4acd7
SHA1 hash:
29f289e07cdb1e5ef870ff5fa67e5289c9b0b795
Link:
https://www.unpac.me/results/4f97ea74-2e5b-4cb1-963f-0905c4963573/
SH256 hash:
22c86ceaed13287d9bdcc4bb9e7ee4c383c5c1422eee3f75a10f7fd0ffe3b589
MD5 hash:
2faaf3267e581c03463c3a2c256d697e
SHA1 hash:
88ba734a58814c21b5352266b00c2f5c1425296e
Link:
https://www.unpac.me/results/4f97ea74-2e5b-4cb1-963f-0905c4963573/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22c86ceaed13287d9bdcc4bb9e7ee4c383c5c1422eee3f75a10f7fd0ffe3b589

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

iso 3ea4691598800d0d5b7aa9aeaaae75c92c35a238adc57b1a49cd91d464dacae3

BitRAT

Executable exe 22c86ceaed13287d9bdcc4bb9e7ee4c383c5c1422eee3f75a10f7fd0ffe3b589

(this sample)

  
Dropped by
MD5 6de159a55d12287671f21def0a88b833
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112888/
  
Dropped by
SHA256 3ea4691598800d0d5b7aa9aeaaae75c92c35a238adc57b1a49cd91d464dacae3

Comments