MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2774da0c82b3700d74725edf23bef248083b6df616c7b494c05d4b5aec3ef2f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2774da0c82b3700d74725edf23bef248083b6df616c7b494c05d4b5aec3ef2f2
SHA3-384 hash: 862478da1761b2c7951d0cef5a04eb971d064efd182f4fa7ce815781eb8dde95922d8c65e5ac9b0a417de82131e2d70a
SHA1 hash: a5c1f5a313a378d81a90d8010102c393040923c9
MD5 hash: 379838e742cfc29b58df5a63e68a1fef
humanhash: sixteen-nuts-happy-hot
File name:379838e742cfc29b58df5a63e68a1fef
Download: download sample
Signature BitRAT
Create hunting rule
File size:3'098'416 bytes
First seen:2021-10-05 19:42:49 UTC
Last seen:2021-10-05 20:44:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:YJXZRkXRxWCBu72E76E5jXVL5w9lmVOALga7n0YA:KA
Threatray 490 similar samples on MalwareBazaar
TLSH T111E5EF3FF61BF4A6EED7A939A09035143CA62D7B3C4C64683188A641D176EC07E47E63
File icon (PE):PE icon
dhash icon 48494acc4c4a2148 (1 x RedLineStealer, 1 x BitRAT, 1 x Neshta)
Reporter zbetcheckin
Tags:32 BitRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
502
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195193/
Detection(s):
SecuriteInfo.com.Trojan.Generic.30251330.3166.11774.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a file in the %temp% directory
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated obfuscated overlay packed warp
Link:
https://www.filescan.io/uploads/615caac9b95458900cdca1a2/reports/28cb61bf-1a2b-4835-b1e1-4c813452e419/overview
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/719ceafd-c3c3-4089-bf31-54590969373f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/865091
Signature
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Deletes itself after installation
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 497519 Sample: Xt3NUwCtXA Startdate: 05/10/2021 Architecture: WINDOWS Score: 84 36 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected AntiVM3 2->40 42 3 other signatures 2->42 7 Xt3NUwCtXA.exe 4 2->7         started        process3 file4 32 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->32 dropped 34 C:\Users\user\AppData\...\Xt3NUwCtXA.exe.log, ASCII 7->34 dropped 44 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->44 11 powershell.exe 7->11         started        14 powershell.exe 17 7->14         started        16 powershell.exe 16 7->16         started        18 4 other processes 7->18 signatures5 process6 signatures7 46 Deletes itself after installation 11->46 20 conhost.exe 11->20         started        22 conhost.exe 14->22         started        24 conhost.exe 16->24         started        26 AdvancedRun.exe 18->26         started        28 conhost.exe 18->28         started        30 AdvancedRun.exe 18->30         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2774da0c82b3700d74725edf23bef248083b6df616c7b494c05d4b5aec3ef2f2/
Threat name:
ByteCode-MSIL.Trojan.CrysanPacker
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 16:56:00 UTC
AV detection:
24 of 45 (53.33%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1f4ccad233d733ecf2c0374593f95ea0bd521a17e82206b17fd74948faca974c
BitRAT
3207b29dc3b4396073112e25e54d5806aa95234b460aaea32e970d9ba725559e
BitRAT
519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8
BitRAT
70cb4ed4ee85184589dc4b5bb72dd1313b133b428e6604bde1a7e1da7fb216ae
BitRAT
954988371d8cebea1a69f2c1a47d50b13b9eb82630e5fbc5069105bd12b7b541
BitRAT
a24f5f4b32db9b6d284e1abd91640aefffd14dcc2c3c7b3942f6a7c02cfdbed2
BitRAT
a397a5fde8ef63a32f7867346eebabd48d1ddf0a60c0d95abf431d9d2c51e017
BitRAT
b3847e885fde014d20644ed7e2ac69d8c6708b05700a416721de68e77d7cd66f
BitRAT
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
BitRAT
d642eb17671f269eddc3d1045845374a45eda0a7c3fd197d8b7f6a3355ba01d6
BitRAT
+ 480 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan
Link:
https://tria.ge/reports/211005-ye866safaq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Nirsoft
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
ca5355e4916725af7b6899be5e2064f97b475f11d5df8c630c3bb79009461c99
MD5 hash:
0bbb14d662055bab9f8646a31c12435a
SHA1 hash:
ebfb89bbe39df67040d2dd0bc8290ec9ef621342
Link:
https://www.unpac.me/results/24305d9b-dfbb-48f6-bceb-f92e34f0fc6f/
SH256 hash:
2774da0c82b3700d74725edf23bef248083b6df616c7b494c05d4b5aec3ef2f2
MD5 hash:
379838e742cfc29b58df5a63e68a1fef
SHA1 hash:
a5c1f5a313a378d81a90d8010102c393040923c9
Link:
https://www.unpac.me/results/24305d9b-dfbb-48f6-bceb-f92e34f0fc6f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2774da0c82b3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/2774da0c82b3700d74725edf23bef248083b6df616c7b494c05d4b5aec3ef2f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 2774da0c82b3700d74725edf23bef248083b6df616c7b494c05d4b5aec3ef2f2

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/195193/
  
URLhaus
https://urlhaus.abuse.ch/url/1656728/

Comments


Avatar
zbet commented on 2021-10-05 19:42:50 UTC

url : hxxps://timesync.live/db/Excel.exe