MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a53fc0060de3daa43eda52ecb4348ede9d1d95ba89e81906c19da1afd9376b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 7



SHA256 hash: 3a53fc0060de3daa43eda52ecb4348ede9d1d95ba89e81906c19da1afd9376b5
SHA3-384 hash: d4bba423ba4d370bf544a3a637a9b392c4a02837e3693f731bd3d60e35b330882c72cac9e2872d475f520a1d8d2791f9
SHA1 hash: 01216b175571f1375867a7eccf4394e564014c9a
MD5 hash: 8fb21ec8fa5a28c03a3c9d37064eba62
humanhash: romeo-arizona-nitrogen-blue
File name: Order SHWSO1018810 Nilorn Trading Company Ltd.exe
Signature: BitRAT
File size: 2'712'576 bytes
First seen: 2020-10-15 10:55:18 UTC
Last seen: 2020-10-15 12:16:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:R//1gNsyV0xDMi4DxXT3eVtaKD7M6slbmWyXdrMl23EukfF3uPMbCFimVl7st5Yb:RFg+xJ0TKjD7MvmtNrMl23IfFrmVpE
Threatray: 11 similar samples on MalwareBazaar
TLSH: EDC5F12273924688D964737A0428B9D623AAFDC76A14CB1D774F631C8D630EB7F0E359
Reporter: abuse_ch
Tags: BitRAT exe


abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.jdctraders.store
Sending IP: 45.95.169.96
From: Klavdija Vezjak <info@jdctraders.store>
Subject: Repeat Order
Attachment: PR-2008-0644.zip (contains "Order SHWSO1018810 Nilorn Trading Company Ltd.exe")

Intelligence

File Origin
# of uploads: 2
# of downloads: 81
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
Running batch commands
Creating a process with a hidden window
Creating a file
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Yara detected BitRAT
Behaviour
Behavior Graph:
Behavior Graph ID: 298524; Sample: Order SHWSO1018810 Nilorn T...; Startdate: 15/10/2020; Architecture: WINDOWS; Score: 100

Top-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected BitRAT; 4 other signatures

Contacted host: servr.superbanifabused1.xyz (79.134.225.39, FINK-TELECOM-SERVICESCH, Switzerland), ports 49730, 49737, 49743

Process tree recovered from the graph:
Order SHWSO1018810 Nilorn Trading Company Ltd.exe
    dropped: Order SHWSO1018810...Company Ltd.exe.log (ASCII)
    signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    cmd.exe
        AutoPicker.exe
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Uses cmd line tools excessively to alter registry or file data; 5 other signatures
            cmd.exe
                signature: Uses cmd line tools excessively to alter registry or file data
                reg.exe
                    signature: Creates an undocumented autostart registry key
                conhost.exe
            AutoPicker.exe
                network: servr.superbanifabused1.xyz (79.134.225.39)
                signature: Hides threads from debuggers
            cmd.exe
                conhost.exe
                reg.exe
            7 other processes
                conhost.exe
                reg.exe
                conhost.exe
                9 other processes
        conhost.exe
    cmd.exe
        dropped: C:\Users\user\AutoPicker.exe (PE32)
        signature: Drops PE files to the user root directory
        conhost.exe
        conhost.exe
        reg.exe
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2020-10-14 16:15:10 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: upx persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
UPX packed file
Modifies WinLogon for persistence
Unpacked files

SHA256 hash: 3a53fc0060de3daa43eda52ecb4348ede9d1d95ba89e81906c19da1afd9376b5
MD5 hash: 8fb21ec8fa5a28c03a3c9d37064eba62
SHA1 hash: 01216b175571f1375867a7eccf4394e564014c9a

SHA256 hash: 4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash: 304cc4a1948539064cfec5b70bd83e21
SHA1 hash: 32b3754f52323fd71b8349f01c9dd4bc4fecd880

SHA256 hash: f9c341679423a3ac010b7da292ab6d1ef0ae7e995cd085ada95e1384ba3af38c
MD5 hash: b1c72a8e99542c64507470535686ddd9
SHA1 hash: fe3bec4b6e2b7091db68705feb59090c24c8b6ed

SHA256 hash: cc38ce4a25daf5fa22dcf50147074fdd0a31211216576a21d616be8c5c4273d8
MD5 hash: 33ee9a11246a255796ab24a1235b02bb
SHA1 hash: bea449858ef70b405c0aec5d5875d4160cdcef64

Detections: win_bit_rat_w0
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
BitRAT
Executable exe 3a53fc0060de3daa43eda52ecb4348ede9d1d95ba89e81906c19da1afd9376b5 (this sample)

Delivery method: Distributed via e-mail attachment