MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2448bed4db497e26e9def8dc20369bfd843bcb0e73dab435fe61ead1cc2f869a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	2448bed4db497e26e9def8dc20369bfd843bcb0e73dab435fe61ead1cc2f869a
SHA3-384 hash:	364364af952aaa7820e9d57abb29d0cfe82d3ca57962b8bea5eb81ce6c3c59f4bb3377d9dd9e624b8b3d5a7a65fc9973
SHA1 hash:	818d4c1b24a865fc63d56083210f13702da7a4a1
MD5 hash:	fa0b6d3c4c059a046944771a8d6fe7ca
humanhash:	social-india-gee-hawaii
File name:	fa0b6d3c4c059a046944771a8d6fe7ca
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	7'053'312 bytes
First seen:	2021-06-28 06:43:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ae28306bf70f5963ea0555dfe529913b (3 x BitRAT)
ssdeep	196608:/2KZtT4C9f41RkCDIhWbk/jtKdFJSl9dxHlKe5:/XZtTfu8CDY3/IdFJ69ddV
Threatray	27 similar samples on MalwareBazaar
TLSH	F36622222E2D40F5E399C831D427BE9621B5DE19DA4164F06CD7ADCFE8338B4E252D4E
Reporter	zbetcheckin
Tags:	32 BitRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

126

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9872C5836F6267C8A7A0355AF11FD10F.exe

Verdict:

Malicious activity

Analysis date:

2021-06-28 02:46:14 UTC

Tags:

trojan amadey opendir loader bitrat rat redline stealer

Link:

https://app.any.run/tasks/0a16ea11-b3af-41cd-af9e-119d573c756e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BitRAT

Link:

https://www.capesandbox.com/analysis/168533/

Detection(s):

SecuriteInfo.com.Trojan.Heur.02214421.29049.29922.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f41ce2a9-013d-4349-9244-de5f31b54ab5

Result

Threat name:

BitRAT Xmrig

Detection:

malicious

Classification:

troj.evad.mine

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/808691

Signature

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected BitRAT

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2448bed4db497e26e9def8dc20369bfd843bcb0e73dab435fe61ead1cc2f869a/

Threat name:

Win32.Spyware.Solmyr

Status:

Malicious

First seen:

2021-06-28 06:44:11 UTC

AV detection:

15 of 46 (32.61%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=erel5vg3jf7cn2o67docanu37wcdxsyoopnlinp6mhvndtbpq2na._file

Result

Malware family:

bitrat

Score:

10/10

Tags:

family:bitrat trojan

Link:

https://tria.ge/reports/210628-gr7cf1x2gx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

BitRAT

BitRAT Payload

Unpacked files

SH256 hash:

dece55b36674d9a3e79da42a0a35fd77ad7376f43332c0ef998ed10c12ba3263

MD5 hash:

a3b09e464329944684d7b0fd4a3da59f

SHA1 hash:

930987f7fae11596f8ab9b8841bcf8f9a86c9e49

Link:

https://www.unpac.me/results/f6c4629b-d6b3-4570-94a0-9cd0b9f8534e/

SH256 hash:

2448bed4db497e26e9def8dc20369bfd843bcb0e73dab435fe61ead1cc2f869a

MD5 hash:

fa0b6d3c4c059a046944771a8d6fe7ca

SHA1 hash:

818d4c1b24a865fc63d56083210f13702da7a4a1

Link:

https://www.unpac.me/results/f6c4629b-d6b3-4570-94a0-9cd0b9f8534e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2448bed4db497e26e9def8dc20369bfd843bcb0e73dab435fe61ead1cc2f869a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_BitRAT Create hunting rule
Author:	ditekSHen
Description:	Detects BitRAT RAT

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

exe 2448bed4db497e26e9def8dc20369bfd843bcb0e73dab435fe61ead1cc2f869a

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1406310/

Cape

https://www.capesandbox.com/analysis/168533/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample