MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f558725f854c9668efb18a9b88e4b24798170953fd74607f8678afa3982bffe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 9

Intelligence 9 IOCs 1 YARA File information Comments

SHA256 hash:	3f558725f854c9668efb18a9b88e4b24798170953fd74607f8678afa3982bffe
SHA3-384 hash:	7d07d902be69968a13141aef9eb95b209b999b9de2931ef5ffb65d0ea1c462beb706d9da02c03aae71f07955c3cabdff
SHA1 hash:	201d2cf050703a3c030d996c01812ae7804f8008
MD5 hash:	7e9811681ab52fd4e2ac4441f6a3cc20
humanhash:	snake-nitrogen-purple-beryllium
File name:	a1d9736DPC.exe
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	1'776'128 bytes
First seen:	2022-10-28 05:55:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	49152:1BteuU1W+Up1gB9/hsG5jtSXWOjhGBRjIugWeRpTC:QuU1F2gH/mjtGBxJgWWTC
TLSH	T1EF8523291F9FC536CB66087F1F93A9063F4FBB3143E6B2F26AA705194CBB5958812580
TrID	63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	70c0d0d0c8ccf0f0 (8 x Formbook, 4 x NanoCore, 3 x RedLineStealer)
Reporter	abuse_ch
Tags:	BitRAT exe RAT

abuse_ch

BitRAT C2:
192.3.76.153:5200

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
192.3.76.153:5200	https://threatfox.abuse.ch/ioc/952394/

Intelligence

File Origin

# of uploads :

# of downloads :

277

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/325345/

Detection(s):

SecuriteInfo.com.Win64.PWSX-gen.17863.30711.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Launching a process

Creating a file

Creating a window

Сreating synchronization primitives

Setting a global event handler

Setting a global event handler for the keyboard

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/635ba6389b2225917c1c2700/reports/cefba58a-d25e-4a60-a546-be5dad11a926/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/49fdbfb3-7c10-4f76-8b3b-76487f48d0da

Result

Threat name:

BitRAT

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1100085

Signature

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Writes to foreign memory regions

Yara detected BitRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3f558725f854c9668efb18a9b88e4b24798170953fd74607f8678afa3982bffe/

Threat name:

ByteCode-MSIL.Trojan.Pwsx

Status:

Malicious

First seen:

2022-10-28 06:18:49 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=h5kyojpyktewndx3dcu3rdsler4yc4evh7lumb7ym6fpuomcx77a._file

Verdict:

malicious

Result

Malware family:

bitrat

Score:

10/10

Tags:

family:bitrat trojan upx

Link:

https://tria.ge/reports/221028-gm124aefd5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

UPX packed file

BitRAT

Malware Config

C2 Extraction:

192.3.76.153:5200

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/348eb17c-cbd2-414b-8e85-2ef3f6ad8dda

Unpacked files

SH256 hash:

3f558725f854c9668efb18a9b88e4b24798170953fd74607f8678afa3982bffe

MD5 hash:

7e9811681ab52fd4e2ac4441f6a3cc20

SHA1 hash:

201d2cf050703a3c030d996c01812ae7804f8008

Link:

https://www.unpac.me/results/19b845bd-f2f1-44ae-a61a-cdc892412839/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3f558725f854/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/3f558725f854c9668efb18a9b88e4b24798170953fd74607f8678afa3982bffe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/325345/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample