MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e483d19170652c8c74d9a42ef17804b4739e6290f08e54c68f8311e390b0c1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e483d19170652c8c74d9a42ef17804b4739e6290f08e54c68f8311e390b0c1f
SHA3-384 hash: 7d9693033ea5522955675bcf146ca63fd77334ed44d023623807a16aaab1d5954bce5afc9e9a03d465fa926ecb6388e5
SHA1 hash: 146a64561a0c8911bd9b237effeab00204663149
MD5 hash: 628d42e07e7293f87ddc73c825825f14
humanhash: tango-idaho-carbon-north
File name:SWB-HP_12.03.2020.scr
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'939'968 bytes
First seen:2020-12-03 17:36:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:pk3XYKwtovNso0Yg048sx9/8VLQYHU1ZT:mYKwvoW0lsx9/8VLe1
Threatray 39 similar samples on MalwareBazaar
TLSH CE95CE9C361076DFC867CD7289681C64FB90ACBB875BD603905326ECAA6D49BCF140F6
Reporter abuse_ch
Tags:BitRAT DEU geo RAT scr UniCredit


Avatar
abuse_ch
Malspam distributing BitRAT:

HELO: mail2.om18.serverdomain.org
Sending IP: 89.107.188.4
From: Unicredit Bank GMBH<commercial@unicreditgroup.eu>
Reply-To: commercial.rlavel@gmail.com
Subject: Zahlungsaviso
Attachment: SWB-HP_12.03.2020.pdf.jpg.img (contains "SWB-HP_12.03.2020.scr")

BitRAT C2:
jegebit.duckdns.org:43360 (193.239.147.22)

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106652/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/554973
Signature
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e483d19170652c8c74d9a42ef17804b4739e6290f08e54c68f8311e390b0c1f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 17:37:06 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hzed2gixazjmrr2ntjbo6f4ajndttzrjb4eoktdi7ayr4oilbqpq._file
Verdict:
unknown
Similar samples:
0cf6c64800271784234f89dd95925d58075254e5756946de94f447b6defee4fc
BitRAT
3a53fc0060de3daa43eda52ecb4348ede9d1d95ba89e81906c19da1afd9376b5
BitRAT
723e6b54cd996205412396bbfba18171a8e4e7297dd2492b35ec198e122849cb
BitRAT
736cb846af9e2de5730d5b788603d49374fee0e309d2681392456aa41ec3eda1
BitRAT
78fc1b0ad5b1bf8392a5e1a6dde5dab2fbee2f2fbb833c3c4ba85ace7e9c35e5
BitRAT
cd857ee1ccdff34a0cd65732a18bc3a99d53e388423dcff0a73ca0307dcb1f7a
BitRAT
de5c46975f4bd7759bf711ea3ecc5833c0eadac92b466806e3a2cdcb57b7da19
BitRAT
e1f08269363e55708c850e156f5f4cdc50acc14efdce1f3464a70c91548c7548
BitRAT
ef67b30b7ae1fd2b27a17f1e0172954912c78c541f7cb162ff003a9b42f128c4
BitRAT
fb63a3112ca1b2cb9d57ab6bc9a2b90c9ec4c5f4995e77c44823440de7dea711
BitRAT
+ 29 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/201203-adqd7w7cbe/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Unpacked files
SH256 hash:
9584f6d01e6452371cc9b4828030a13045d99c243c497b63628828e66aabe26f
MD5 hash:
7476e403eef14ac403c63c7279831780
SHA1 hash:
8387f558e30dc115987ac2b5c174a41302471abf
Link:
https://www.unpac.me/results/42da365b-c5ec-4f37-a98d-8f657d6743bd/
SH256 hash:
3e483d19170652c8c74d9a42ef17804b4739e6290f08e54c68f8311e390b0c1f
MD5 hash:
628d42e07e7293f87ddc73c825825f14
SHA1 hash:
146a64561a0c8911bd9b237effeab00204663149
Link:
https://www.unpac.me/results/42da365b-c5ec-4f37-a98d-8f657d6743bd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e483d19170652c8c74d9a42ef17804b4739e6290f08e54c68f8311e390b0c1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

img ed608fdcfdc9f197a859950ec585539bf0f6a13f83e50887837bd0bbb338476d

BitRAT

Executable exe 3e483d19170652c8c74d9a42ef17804b4739e6290f08e54c68f8311e390b0c1f

(this sample)

  
Dropped by
MD5 dc2f23454ac82c4062bede950ff365f3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/106652/
  
Dropped by
SHA256 ed608fdcfdc9f197a859950ec585539bf0f6a13f83e50887837bd0bbb338476d

Comments