MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 234bb96bcf4b2b06f5627928a2532feab2bae8a270a609889b629c589a919c09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 234bb96bcf4b2b06f5627928a2532feab2bae8a270a609889b629c589a919c09
SHA3-384 hash: 22743cd9e2992aa592170fe7d4bfe24a906b86363b8f191f7fdc1d4d946922abb1772b923b86b4910da453afadb3ca3a
SHA1 hash: 533a27b2a731d90938398df2270206c9211371cd
MD5 hash: 3c2e2174b73b828f7c62fa09a0130425
humanhash: beer-west-beryllium-oklahoma
File name:Document.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:987'648 bytes
First seen:2021-10-03 02:35:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 22c62dafdcddec00c41ec119b235881b (1 x BitRAT)
ssdeep 12288:fqhq9twNlAA2fg9igx//wTw4bZmPDjIj1WmBgO90Oe6jkOGbGPoznemM4:feF/2fg9igp/wTwuGDjIYSjGyozM4
Threatray 640 similar samples on MalwareBazaar
TLSH T112256C6B9EE55D76C066027D0CD6C3A23525EF1B2E3BE4111BFF1C6C5F2A2A1342C692
File icon (PE):PE icon
dhash icon 88c7ce3cbddc2f31 (24 x RemcosRAT, 12 x Formbook, 8 x Loki)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
193.187.91.102:9090

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.187.91.102:9090 https://threatfox.abuse.ch/ioc/229870/

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Document.exe
Verdict:
Malicious activity
Analysis date:
2021-10-03 02:36:56 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/541a3bc0-0d08-47f6-bec0-db2e80fe41f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194254/
Detection(s):
Win.Trojan.Remcos-9897068-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Modifying an executable file
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/615c2e92e3d213d202b7735a/reports/6fb4b2a9-6b62-4d63-b5e2-e181e19539a9/overview
Malware family:
BitRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e7b7ec2a-b026-4409-a6ce-cc01e365efb5
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/863320
Signature
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/234bb96bcf4b2b06f5627928a2532feab2bae8a270a609889b629c589a919c09/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-10-03 02:36:06 UTC
AV detection:
15 of 45 (33.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=enf3s26pjmvqn5lcpeukeuzp5kzlv2fcoctatce3mkofrgurtqeq._file
Verdict:
malicious
Similar samples:
026668d9855f0c4aac1cb86f163e6e28569a5a4d53d0bde93ac9880a90a8225c
BitRAT
2e9931ce396fe83b4bb02bfda2e15c99ed8b0f11574fe26db531d46354fe5199
BitRAT
315f4c28f44b06f955d48328845043a22a9c68a0f85a63ecc01e24d7bece90f1
BitRAT
3ab89e55bbd69e15b4115d8cc2881040f24db3b7ba4ea63dc08ba72e2799e9d3
BitRAT
6ee87843a613bf888304843d62cec0507600503af4260024e4b37efdd829cd40
BitRAT
7ae01f6bce5549321cb64da949f88142e6b9f7ed8a8121cdba3e8aa205f586be
BitRAT
aa5c39997004aa4812c18e151a5bfd5d2fda4a380c8d1f34111cafcee955dcff
BitRAT
db2b53d49bd5464be6cb3d4492094e8c0b7c3a7cc87b6a2a3f57d30fb3454d1c
BitRAT
eac2512bff3db9994fa6e61b9ce95ea395e87009200fc18b017e2101e529541b
BitRAT
ed3331b6bb3e0e76b387c9427bde9adc6fee9d147dcf924161ec2893bc31df69
BitRAT
+ 630 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence suricata trojan upx
Link:
https://tria.ge/reports/211003-c3k9csfaeq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
UPX packed file
BitRAT
BitRAT Payload
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Unpacked files
SH256 hash:
f808a11e5b1cb4332bb4d65cdbcf1e0ca7323b15bcf73cb7462ad3eb30f05703
MD5 hash:
6cfdeebc3c72279486ddd229eb14b009
SHA1 hash:
e3a2a0a2a0fabd55415c9007f52c79fe9e19e0a7
Link:
https://www.unpac.me/results/6e0c50b1-f462-4b88-ad80-a79bde0c8199/
SH256 hash:
234bb96bcf4b2b06f5627928a2532feab2bae8a270a609889b629c589a919c09
MD5 hash:
3c2e2174b73b828f7c62fa09a0130425
SHA1 hash:
533a27b2a731d90938398df2270206c9211371cd
Link:
https://www.unpac.me/results/6e0c50b1-f462-4b88-ad80-a79bde0c8199/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.88
Link:
https://yomi.yoroi.company/submissions/234bb96bcf4b2b06f5627928a2532feab2bae8a270a609889b629c589a919c09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/194254/

Comments