MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c433cb1c5fbe7966fc5545c22a795866484b7bab4600598629939ed4a542b01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 10

SHA256 hash: 3c433cb1c5fbe7966fc5545c22a795866484b7bab4600598629939ed4a542b01
SHA3-384 hash: b176796bc7d3877cccdde0d593d81ba8bd57c2f215f1ed69a51e709e5eb58325b8e8ef9257e7ed7c2b5a7f8c601b46dc
SHA1 hash: cbb7af7ecc36efcabcb470643bca94989c4dd4b8
MD5 hash: 5368930e073889874745e520be58b06d
humanhash: rugby-don-one-bulldog
File name: SecuriteInfo.com.Trojan.Win32.Save.a.24731.24808
Signature: BitRAT
File size: 2'226'176 bytes
First seen: 2021-03-29 10:43:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 49152:2W/ExXa6l03M2hVE/5JF+gpUqQfSkrrvzlPo79L4NoJ5ROq5W:dEg6G3M8K/F+gIakvelQCOy
Threatray: 128 similar samples on MalwareBazaar
TLSH: ECA5230C9A8FD92BD316CBF68177E0B9077EB9C4FDD702B5750AA84EE9ED16D0100A25
Reporter: SecuriteInfoCom
Tags: BitRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 117
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Trojan.Win32.Save.a.24731.24808
Verdict: Malicious activity
Analysis date: 2021-03-29 10:45:50 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
Setting a global event handler
Connection attempt
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Setting a global event handler for the keyboard
Enabling autorun
Result
Verdict: UNKNOWN

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: BitRAT Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Hides threads from debuggers
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Threat name: ByteCode-MSIL.Downloader.Seraph
Status: Malicious
First seen: 2021-03-29 08:37:04 UTC
AV detection: 15 of 29 (51.72%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:bitrat persistence trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
BitRAT
BitRAT Payload
Modifies WinLogon for persistence
Unpacked files
SHA256 hash: ad8ce7797b66755b59bee77558a9165929c7cfbd6f45b03fdaf269a4f1288462
MD5 hash: a416747e91d17f8217cfff8a47e7e5b8
SHA1 hash: 3ecb0b3a7886fb13a3425a2e525bc1fcde3f14d6

SHA256 hash: fcb18a0a8b57fcc6a4b22aec3b3a4f156daabb3c80409a2068aad679072e5428
MD5 hash: f3b59c0292db2b3ec9ce7e414dd8f0e0
SHA1 hash: f4bc8f1123f7f4b1f061b5a2779b28f7687ef456

SHA256 hash: 3c433cb1c5fbe7966fc5545c22a795866484b7bab4600598629939ed4a542b01
MD5 hash: 5368930e073889874745e520be58b06d
SHA1 hash: cbb7af7ecc36efcabcb470643bca94989c4dd4b8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: MALWARE_Win_BitRAT
Author: ditekSHen
Description: Detects BitRAT RAT

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT
Executable exe 3c433cb1c5fbe7966fc5545c22a795866484b7bab4600598629939ed4a542b01 (this sample)

Delivery method: Distributed via web download

Comments