MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22cfc4b78b3482f98f18795cd81276a8984604fa808ee9364d0db3fa49dbc598. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22cfc4b78b3482f98f18795cd81276a8984604fa808ee9364d0db3fa49dbc598
SHA3-384 hash: 7eeb2d4d262364775805df88cb07f750f1ca8964312d82989444a31876ee5c50d9b3068c74fd70d0c0dcb8aa36a9e69f
SHA1 hash: 6e4c8136b2d720712a072238010ca3b24e269eca
MD5 hash: eb6ac9d5508beacc227bd3888f835cd6
humanhash: harry-oranges-washington-single
File name:New Stone inquiry 01022021 897GFRSDDCADEN.scr
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'140'744 bytes
First seen:2021-03-01 06:52:12 UTC
Last seen:2021-03-01 08:53:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b4043a309d0347d03a7fb07fb4b5acc1 (2 x AveMariaRAT, 1 x RemcosRAT, 1 x BitRAT)
ssdeep 24576:VhTP85JKIq20xIQ40TMt7zVT6lVIN4gZi4:vTPAvTzVT6lKN4L4
Threatray 106 similar samples on MalwareBazaar
TLSH 97358E12A2534CB6C162173B993B4274D5A5BE30B5385D4636ACAD6CBFEF3603C1F982
Reporter abuse_ch
Tags:BitRAT RAT scr


Avatar
abuse_ch
BitRAT C2:
plunder.nsupdate.info:8070

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Stone inquiry 01022021 897GFRSDDCADEN.scr
Verdict:
Malicious activity
Analysis date:
2021-03-01 07:01:28 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/c8b2ac81-a35f-467a-944d-f574e1b949d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120117/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.3464.3125.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621678
Signature
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 359833 Sample: New Stone inquiry 01022021 ... Startdate: 01/03/2021 Architecture: WINDOWS Score: 100 35 plunder.nsupdate.info 2->35 43 Multi AV Scanner detection for domain / URL 2->43 45 Yara detected BitRAT 2->45 47 Yara detected Xmrig cryptocurrency miner 2->47 49 4 other signatures 2->49 7 New Stone inquiry 01022021 897GFRSDDCADEN.exe 1 18 2->7         started        12 Ozyzbtec.exe 2->12         started        14 Ozyzbtec.exe 2->14         started        signatures3 process4 dnsIp5 37 billaccountant.com 172.67.132.232, 443, 49714 CLOUDFLARENETUS United States 7->37 27 C:\Users\Public\Libraries\Ozyzbtec.exe, PE32 7->27 dropped 29 C:\Users\Public\Libraries\Ozyzb, ASCII 7->29 dropped 51 Injects a PE file into a foreign processes 7->51 16 New Stone inquiry 01022021 897GFRSDDCADEN.exe 1 1 7->16         started        53 Multi AV Scanner detection for dropped file 12->53 55 Machine Learning detection for dropped file 12->55 21 Ozyzbtec.exe 12->21         started        23 Ozyzbtec.exe 14->23         started        file6 signatures7 process8 dnsIp9 31 plunder.nsupdate.info 5.2.68.70, 49718, 49722, 49723 LITESERVERNL Netherlands 16->31 33 192.168.2.1 unknown unknown 16->33 25 C:\Users\user\AppData\Local:01-03-2021, ASCII 16->25 dropped 39 Creates files in alternative data streams (ADS) 16->39 41 Hides threads from debuggers 16->41 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22cfc4b78b3482f98f18795cd81276a8984604fa808ee9364d0db3fa49dbc598/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 06:52:18 UTC
AV detection:
15 of 48 (31.25%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=elh4jn4lgsbptdyypfonqetwvcmembh2qchosnsnbwz7uso3ywma._file
Verdict:
malicious
Similar samples:
22c86ceaed13287d9bdcc4bb9e7ee4c383c5c1422eee3f75a10f7fd0ffe3b589
BitRAT
2ddd796e9b53ab3d7eaf4093529077f637f182a934a851af24da8c8f189aeed3
BitRAT
50e2c6aac34de9ed4e1b3fcfcd5aaa34892696f2681aa5e8c45a5dbe0915a43c
BitRAT
56d0c7b288fe323703e31519f296d7a1ed4811bc8eb7cf87c56082499aaff297
BitRAT
76e5467f267a4bca00af800094c3a92f6bd51de54737f07c533d091e2f219b40
BitRAT
83665f8cf0fc798b6dbeca777554aeaeb9d9cc53e27674c36e67294729d118f0
BitRAT
b8d2de495b9ec7f42b0f25b1fc532915a4378b683daafb1ecb5171624ea7a83c
BitRAT
ef3436a1198e62ccb908d35b3dea6cfed17414f2e59ab62686277d978f5fd73c
BitRAT
f1080a2b8c64a3c7b9ba733360e7e70947859b250f4ed760a35f7104a70d6d91
BitRAT
fcb2107f5b1fe383bdd0f8ec5d085a1ed2be421ce2c1616a767b597c6b7003f7
BitRAT
+ 96 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan upx
Link:
https://tria.ge/reports/210301-g4z6ed4qea/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
5bcde4d165f66f58ce0446462a038b7ae84e2fd2275885f61f68287547aac66d
MD5 hash:
34cb499bbd566c24dcf888e9bab46083
SHA1 hash:
3bb97e3103868691e57e7cf3be88a7ff30f46ea1
Link:
https://www.unpac.me/results/9d50d6cb-40e1-4da8-8e5b-5fb83ca23ce7/
SH256 hash:
22cfc4b78b3482f98f18795cd81276a8984604fa808ee9364d0db3fa49dbc598
MD5 hash:
eb6ac9d5508beacc227bd3888f835cd6
SHA1 hash:
6e4c8136b2d720712a072238010ca3b24e269eca
Link:
https://www.unpac.me/results/9d50d6cb-40e1-4da8-8e5b-5fb83ca23ce7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22cfc4b78b3482f98f18795cd81276a8984604fa808ee9364d0db3fa49dbc598

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:upx_packed
Create hunting rule
Description:UPX packed file

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

Executable exe 22cfc4b78b3482f98f18795cd81276a8984604fa808ee9364d0db3fa49dbc598

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/120117/

Comments