MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a254dcb87e159b1cbc69f3b57521cbd423b016d0ec5310b4b81ba254cb9d7dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FirebirdRAT


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a254dcb87e159b1cbc69f3b57521cbd423b016d0ec5310b4b81ba254cb9d7dc
SHA3-384 hash: 8445da42ab551b9ce9a73d77e1d2d2da4caefa21842e3b8747d7b6312f1efb87c15cdc3f062b4fd1bc777e2397e55642
SHA1 hash: 94a61b58d1a9a01d6f7256426c41cf21c448fb9a
MD5 hash: 3a29b9a0698503da1e735c62c400af38
humanhash: april-august-two-papa
File name:8hK46hsSpopjJ30.exe
Download: download sample
Signature FirebirdRAT
Create hunting rule
File size:381'440 bytes
First seen:2020-04-07 09:46:40 UTC
Last seen:2020-04-07 10:36:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 6144:5EZcJkLXNh/1i65vsNepcUlf+bJi3H08ewV/ETs4oR1HmkJJt5o4PbNAul8uurLE:5EG6Nh/1/vsycUlf+NiXpewV/ETstHxh
Threatray 28 similar samples on MalwareBazaar
TLSH 8E84021E33E05F26F5BD67FCED60516243B0B616A8E2D35E8DC1B0A60C9BB114A4E74B
Reporter abuse_ch
Tags:exe FirebirdRAT RAT


Avatar
abuse_ch
DHL themed malspam distributing FirebirdRAT:

HELO: WIN-H7DQ93BTGVV
Sending IP: 208.123.119.167
From: assistant@dhl.com <assistant@dhl.com>
Subject: Your DHL Shipment AWB-5172133166
Attachment: DHL_Shipment_AWB5172133171.xls

FirebirdRAT payload URL:
https://unfoundation.website/file/8hK46hsSpopjJ30.exe

Obtains C2 server from pastebin:
https://pastebin.com/raw/03v3hHFA

FirebirdRAT C2:
172.94.4.82:3440

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Gen.NN.ZemsilF.34106.xm0@a8d3xqe.32533.UNOFFICIAL
Create hunting rule

Result
Threat name:
Firebird Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/341213
Behaviour
Behavior Graph:
n/a
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-04-07 10:10:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
078c67a8252dfe41570becacfff128cfe41892cadf334f7cc54bf590be251f99
FirebirdRAT
11bc884254e626c8052bd409d4b12f9a509770e0818bf4f8eb6925b1c756c4a3
FirebirdRAT
1ba58755718a8f0d5959c93b672ea00ff08a5c5274e24e90af00f383c4886482
FirebirdRAT
3af75844da3783e0800e1118c738e938c395d6fae845bbb8cd7f0bbb10c72838
FirebirdRAT
5fb3c9a42ded740fdc4f9329592f9bc151b184e052cb17ee3e084e3f23e86465
FirebirdRAT
6128357f81ebdcaed7e73757f223b9529ce8bd92b39cf5faa976fca0b4b25c2b
FirebirdRAT
68023ea49be4cba35a3fbf6b636b2a0e019b94108b0acf0af26489d7ea04ecd9
FirebirdRAT
8bcdf38413b8a324719ce8e1efcd1918ea10439cc2e5bc4d5582d5f0e1ac695d
FirebirdRAT
c284a2e86b82dfd1150e8ac123e2e17cea5ab5766eb552eece73ade72c10c9d5
FirebirdRAT
c3caec952f2b019b54e04ff03e37b8ce818d1ee94cdcba4f11b5a8b513222745
FirebirdRAT
+ 18 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_agent_tesla_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FirebirdRAT

Excel file xls e922916214a015a499123249001cdfb4b87aa2daf4e4a595e91b45e7880d7ec8

FirebirdRAT

Executable exe 2a254dcb87e159b1cbc69f3b57521cbd423b016d0ec5310b4b81ba254cb9d7dc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/336094/
  
Dropped by
MD5 f4d75ac5ddd1b72169f1d188d893814f
  
Dropped by
SHA256 e922916214a015a499123249001cdfb4b87aa2daf4e4a595e91b45e7880d7ec8
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments