MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d2c7d89a5f621b42e657be3304c2b7aa256645ff359f2a38bed6e187506530a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d2c7d89a5f621b42e657be3304c2b7aa256645ff359f2a38bed6e187506530a
SHA3-384 hash: 5df84cbf57448c9b65f87656cd8891b4a4f4c3eb1924246f1e16141e9998f007eb2629510f2001f349ab2aebe2a2c423
SHA1 hash: 2bcd2d0120a0790a6027f55c027800663a16f3c5
MD5 hash: 1b275af0aa3be404275f74660ba932de
humanhash: cat-zebra-don-edward
File name:PO#706251-02 and Price list box_056-0833 & 056-0832.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'161'664 bytes
First seen:2020-10-27 14:29:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 49152:+uVrJwuTYrJwNGXd4WNj+68HdaDls+NkJo/jg:+mTkaNG3NjRDCwkJ
Threatray 18 similar samples on MalwareBazaar
TLSH 6DA501227754DB95E57D6378E42041F043F8BD1AEB39D20BBDA47E8D7970B8183A2B42
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
Malspam distributing BitRAT:

HELO: slot0.jardipondi.com
Sending IP: 45.153.203.126
From: Barb Wardman <office@jardipondi.com>
Subject: GQS90722
Attachment: PO706251.bz2 (contains "PO#706251-02 and Price list box_056-0833 & 056-0832.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79958/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/513759
Signature
.NET source code contains potential unpacker
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d2c7d89a5f621b42e657be3304c2b7aa256645ff359f2a38bed6e187506530a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 12:29:01 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=huwh3cnf6yq3iltfpprtatblpkrfmzc76nm7fi4l5vxbq5igkmfa._file
Verdict:
unknown
Similar samples:
32a780401adf987b558a2c7c4d1c9786360adb0a463d576ee01c1c71bc5fe9af
BitRAT
3a53fc0060de3daa43eda52ecb4348ede9d1d95ba89e81906c19da1afd9376b5
BitRAT
736cb846af9e2de5730d5b788603d49374fee0e309d2681392456aa41ec3eda1
BitRAT
78a59829f0dd9b3ec88a68096284de67dd8806d3690d11f017f7b2893a98354d
BitRAT
a480e43cedb669fbdf2f5fff38293350b8254d5b4db28c23464c3b39d8b2ac44
BitRAT
ab2c0f5c33bb3c2240359f2854eaf5e31864cb49730dab67d654ee1ab9fb6f8d
BitRAT
cb00ac9191b829c788bd5c7c17a4125268a9480c77bc3515eaf7ecc468582ab3
BitRAT
e1f08269363e55708c850e156f5f4cdc50acc14efdce1f3464a70c91548c7548
BitRAT
ef67b30b7ae1fd2b27a17f1e0172954912c78c541f7cb162ff003a9b42f128c4
BitRAT
f671b1f716f0176dbaec5ea7ca024cb32f65fe5ceceaf99a80ce080132ec9dd7
BitRAT
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion upx
Link:
https://tria.ge/reports/201027-glyb4plgae/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
UPX packed file
Looks for VirtualBox Guest Additions in registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d2c7d89a5f621b42e657be3304c2b7aa256645ff359f2a38bed6e187506530a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_bit_rat_w0
Create hunting rule
Author:KrabsOnSecurity
Description:String-based rule for detecting BitRAT malware payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

rar 8e164ee7a82299337f2ede47f0a6738a313be8060a86a09ba588d5da4223bc6c

BitRAT

Executable exe 3d2c7d89a5f621b42e657be3304c2b7aa256645ff359f2a38bed6e187506530a

(this sample)

  
Dropped by
MD5 70e77b101a286a57984c58036bafe405
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8e164ee7a82299337f2ede47f0a6738a313be8060a86a09ba588d5da4223bc6c
Cape
Cape
https://www.capesandbox.com/analysis/79958/

Comments