MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2dfe2bfefe91c1209836e4017cb2a3bb001a6de6314545f8a8eb6794a2adc204. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2dfe2bfefe91c1209836e4017cb2a3bb001a6de6314545f8a8eb6794a2adc204
SHA3-384 hash: 3618584cfd4492aaec2b552c69a9dedfc2da93ed28875ea59e9cb0120e9fbe81d369d9b7823084ee13535f72bb1495c1
SHA1 hash: 6d1161bb446902b7810191460534bcfc16d60a93
MD5 hash: 8d8676c68f72dbc38fb5e6aea9bface2
humanhash: mexico-nitrogen-hamper-lima
File name:8d8676c68f72dbc38fb5e6aea9bface2.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'570'240 bytes
First seen:2021-08-29 12:15:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:g05hmzZS+dwD9Z6ysSSsEa1xox6Qn6ZDun:YzZBWsSSsEYxot6Zin
Threatray 448 similar samples on MalwareBazaar
TLSH T10AC57886DEEF4F8FC98F35B5541EAC4318DE849841358AADED43AD85B7C168308621F7
dhash icon 0cf2c0c4d0c1f20c (4 x BitRAT, 3 x DCRat, 3 x RedLineStealer)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
37.0.11.183:4444

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
37.0.11.183:4444 https://threatfox.abuse.ch/ioc/201603/

Intelligence

File Origin
# of uploads :
1
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8d8676c68f72dbc38fb5e6aea9bface2.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-29 12:16:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8f9e8219-70fe-4274-98f1-2605c3e42c16

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183253/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Setting a global event handler
Sending a custom TCP request
Creating a process with a hidden window
Creating a window
DNS request
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Setting a global event handler for the keyboard
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c2070a4-3387-4c48-a376-88ed0a8fc9a2
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/841041
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Creates files in alternative data streams (ADS)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 473472 Sample: h4mUI3yqzl.exe Startdate: 29/08/2021 Architecture: WINDOWS Score: 92 60 Found malware configuration 2->60 62 Yara detected BitRAT 2->62 64 .NET source code contains potential unpacker 2->64 66 3 other signatures 2->66 6 h4mUI3yqzl.exe 16 8 2->6         started        10 NvidiaShare.exe 14 4 2->10         started        13 NvidiaShare.exe 3 2->13         started        process3 dnsIp4 46 google.com 142.250.185.142, 49706, 49718, 49726 GOOGLEUS United States 6->46 48 www.google.com 142.250.186.132, 49707, 49720, 49727 GOOGLEUS United States 6->48 34 C:\Users\user\AppData\...34vidiaShare.exe, PE32 6->34 dropped 36 C:\Users\user\AppData\...\h4mUI3yqzl.exe, PE32 6->36 dropped 38 C:\Users\...38vidiaShare.exe:Zone.Identifier, ASCII 6->38 dropped 44 2 other malicious files 6->44 dropped 15 h4mUI3yqzl.exe 1 1 6->15         started        40 C:\Users\user\AppData\...40vidiaShare.exe, PE32 10->40 dropped 42 C:\Users\...42vidiaShare.exe:Zone.Identifier, ASCII 10->42 dropped 68 Writes to foreign memory regions 10->68 70 Injects a PE file into a foreign processes 10->70 20 NvidiaShare.exe 10->20         started        22 NvidiaShare.exe 10->22         started        24 NvidiaShare.exe 10->24         started        30 6 other processes 10->30 26 NvidiaShare.exe 13->26         started        28 NvidiaShare.exe 13->28         started        file5 signatures6 process7 dnsIp8 50 37.0.11.183, 4444, 49714, 49715 WKD-ASIE Netherlands 15->50 32 C:\Users\user\AppData\Local:29-08-2021, ASCII 15->32 dropped 52 Creates files in alternative data streams (ADS) 15->52 54 Machine Learning detection for dropped file 15->54 56 Hides threads from debuggers 15->56 58 Contains functionality to hide a thread from the debugger 15->58 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2dfe2bfefe91c1209836e4017cb2a3bb001a6de6314545f8a8eb6794a2adc204/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-08-29 12:16:07 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fx7cx7x6shasbgbw4qaxzmvdxmabu3pggfcul6fi5ntzjivnyica._file
Verdict:
malicious
Similar samples:
03957e1a76e380308206465031a99a1db9e7afce4b82e021f0f8f94888b791b2
BitRAT
0b6efdd0f3f4dddee58af21631051999c5e9d7968a3ba2e7a34388c42375a457
BitRAT
0eaeab189b978e9babdb4324c22d4bb708e3b33c0016f52e37aa66efae4a310e
BitRAT
185d25898a718d3e3ff6d12a3ad18f12734c73859ed4ff1993ce1e4a011485f2
BitRAT
4bddc1b65b7a24af3d24bddcd3722811775f3f98a65fbc433c762e1615af28c1
BitRAT
6e2510a76f130a0a009432183ed26d35d328cf34e8b4c9655327a9a8a89b8dd7
BitRAT
b4f128cdd69eb21d1de98b00303e01258993fe7fba7467aa8ab642df03ffd890
BitRAT
c3e53e28198dfe92caa7b46355f543dd18c0353ef42f2e28862682a79e863735
BitRAT
e386c831df697e516fedcab1ad8a879ae057a5f4f321a873dcd31e9c6760009e
BitRAT
+ 438 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan
Link:
https://tria.ge/reports/210829-4mmkjyttqe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
b9d7a3a85e2b4cd011e3e444cee54af648e1439b75b4bfb4668a98fb8491733c
MD5 hash:
b7b18b4f9bb65265dccdbfffd30d1bef
SHA1 hash:
ce3bfd9cda1b1e87500c97324cb129262cafd8a1
Link:
https://www.unpac.me/results/6c994a6d-00a5-4a4c-84ea-de61c19ae74a/
SH256 hash:
9951dd5201fa695b62cbfedfc6d6c000ed897ca665895d2ccaec2c2b438b019e
MD5 hash:
54f04e41c412a51235c0c61d03067756
SHA1 hash:
69ab7a2dc7b95485adfcbf60805d00633321b9ef
Link:
https://www.unpac.me/results/6c994a6d-00a5-4a4c-84ea-de61c19ae74a/
SH256 hash:
7d0b4774e0b3fc18999d38b560b2fd96dbb1a3ba48871006db2ea4dd7126acb6
MD5 hash:
5e9a327b67f5a8f179281779c34b00f7
SHA1 hash:
5d3b90aa33d69a960d18c34f9073b688099425ea
Link:
https://www.unpac.me/results/6c994a6d-00a5-4a4c-84ea-de61c19ae74a/
SH256 hash:
2dfe2bfefe91c1209836e4017cb2a3bb001a6de6314545f8a8eb6794a2adc204
MD5 hash:
8d8676c68f72dbc38fb5e6aea9bface2
SHA1 hash:
6d1161bb446902b7810191460534bcfc16d60a93
Link:
https://www.unpac.me/results/6c994a6d-00a5-4a4c-84ea-de61c19ae74a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/2dfe2bfefe91c1209836e4017cb2a3bb001a6de6314545f8a8eb6794a2adc204

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 2dfe2bfefe91c1209836e4017cb2a3bb001a6de6314545f8a8eb6794a2adc204

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1567692/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/183253/

Comments