MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 403943dce6fbb57dfaf602189ee84bcef2ac109b952027bff8e1cc49c6b81d9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 403943dce6fbb57dfaf602189ee84bcef2ac109b952027bff8e1cc49c6b81d9d
SHA3-384 hash: 978718bb36d4a0ea9f8fff50f94f028af18c7b76805b00547a3451b52b62c99e077ab9df13f3b3d73037c74907945d12
SHA1 hash: 1bd60482d86f4945f242e6347092d1086e0e30fa
MD5 hash: 3d7e98447bb74768ab909be7dfbc294c
humanhash: diet-uncle-wisconsin-illinois
File name:svchost.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:45'056 bytes
First seen:2021-01-30 06:17:42 UTC
Last seen:2021-01-30 07:57:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:gxbAnObgnLwdPOjYf67t/FhR97T33lq/RwrZWVPjpwy1GMTF+L+CxEbd/GD8:/qJwtWUyz+kd/Go
Threatray 85 similar samples on MalwareBazaar
TLSH E313924173E94E02F2BA7F7834726607077BB9D66E37DB1D1B64168E0027AC48E25B53
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
Malspam distributing BitRAT:

HELO: smtp202.alice.it
Sending IP: 82.57.200.98
From: Romeo Giovanni<3386761967@tim.it>
Reply-To: <sales@prodigy.com.mx>
Subject: Re: PO91666
Attachment: PAYMENT.rar (contains "svchost.exe")

BitRAT C2:
shockremover.duckdns.org:1234 (23.227.202.13)

Intelligence

File Origin
# of uploads :
2
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
svchost.exe
Verdict:
Malicious activity
Analysis date:
2021-01-30 06:21:24 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/fc004c19-cb61-42c2-8785-803a0dc9815b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114865/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Unauthorized injection to a recently created process
Sending a UDP request
DHCP request
Modifying a system file
Using the Windows Management Instrumentation requests
Creating a window
DNS request
Sending an HTTP GET request
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/594484
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Drops PE files to the startup folder
Drops PE files with benign system names
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 346279 Sample: svchost.exe Startdate: 30/01/2021 Architecture: WINDOWS Score: 100 54 shockremover.duckdns.org 2->54 56 pastebin.com 2->56 68 Multi AV Scanner detection for dropped file 2->68 70 Sigma detected: Powershell adding suspicious path to exclusion list 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 5 other signatures 2->74 8 svchost.exe 24 6 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 11 other processes 2->17 signatures3 process4 dnsIp5 60 193.239.147.103, 49717, 49728, 49734 DEDIPATH-LLCUS Brunei Darussalam 8->60 62 pastebin.com 104.23.98.190, 443, 49724 CLOUDFLARENETUS United States 8->62 64 192.168.2.1 unknown unknown 8->64 50 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 8->50 dropped 52 C:\Users\user\...\svchost.exe:Zone.Identifier, ASCII 8->52 dropped 84 System process connects to network (likely due to code injection or exploit) 8->84 86 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->86 88 Creates an undocumented autostart registry key 8->88 92 9 other signatures 8->92 19 svchost.exe 8->19         started        24 WerFault.exe 8->24         started        26 cmd.exe 8->26         started        30 4 other processes 8->30 90 Changes security center settings (notifications, updates, antivirus, firewall) 13->90 28 MpCmdRun.exe 13->28         started        66 127.0.0.1 unknown unknown 17->66 file6 signatures7 process8 dnsIp9 58 shockremover.duckdns.org 23.227.202.13, 1234, 49729, 49732 HVC-ASUS United States 19->58 46 C:\Users\user\AppData\Local:30-01-2021, HTML 19->46 dropped 76 System process connects to network (likely due to code injection or exploit) 19->76 78 Creates files in alternative data streams (ADS) 19->78 80 Creates multiple autostart registry keys 19->80 82 Hides threads from debuggers 19->82 48 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->48 dropped 32 conhost.exe 26->32         started        34 timeout.exe 26->34         started        36 conhost.exe 28->36         started        38 conhost.exe 30->38         started        40 conhost.exe 30->40         started        42 conhost.exe 30->42         started        44 conhost.exe 30->44         started        file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/403943dce6fbb57dfaf602189ee84bcef2ac109b952027bff8e1cc49c6b81d9d/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-30 00:24:40 UTC
AV detection:
5 of 29 (17.24%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ia4uhxhg7o2x36xwaimj52clz3zkyee3suqcpp7y4hgetrvydwoq._file
Verdict:
malicious
Similar samples:
1c1b2595e6838a1ee24e806ff60b80a40ad7166caaaaf65080deda57c7292c53
BitRAT
22dbe6172d32b9b90d66036688e440a9026524f8c4c61b1c05f45dbd63919483
BitRAT
2ddd796e9b53ab3d7eaf4093529077f637f182a934a851af24da8c8f189aeed3
BitRAT
3cf331e46b6f16ef2a591637b64865d81b19e016ad3f4f3280aa1a872f1261ab
BitRAT
41fc81a9ebcb9f6405555db22b71ca764939d1dbcf113e446418e3cb6d394184
BitRAT
56d0c7b288fe323703e31519f296d7a1ed4811bc8eb7cf87c56082499aaff297
BitRAT
76e5467f267a4bca00af800094c3a92f6bd51de54737f07c533d091e2f219b40
BitRAT
7911f1a67c2580f0390dd9eea76d879801c77cb2e114a307e28cb3d31b23f340
BitRAT
8fdc007dd13e7c0c5bbe426da723499db81518697eb84d2fd2a0181996d276fa
BitRAT
9ffa16b91dc10936865d1d9849940c9d27276fd6acd6ab947d31e7f80322eea2
BitRAT
+ 75 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat evasion persistence ransomware trojan
Link:
https://tria.ge/reports/210130-ahjynr2mke/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Windows security modification
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
BitRAT
BitRAT Payload
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Unpacked files
SH256 hash:
403943dce6fbb57dfaf602189ee84bcef2ac109b952027bff8e1cc49c6b81d9d
MD5 hash:
3d7e98447bb74768ab909be7dfbc294c
SHA1 hash:
1bd60482d86f4945f242e6347092d1086e0e30fa
Link:
https://www.unpac.me/results/6bd6e294-5366-4927-bced-d01253d3ae00/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/403943dce6fbb57dfaf602189ee84bcef2ac109b952027bff8e1cc49c6b81d9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

rar 7ece9ef7a3e21dd75486410c8ffbc7790cbaeb9d5aeb95c86f891c1a108cbf7c

BitRAT

Executable exe 403943dce6fbb57dfaf602189ee84bcef2ac109b952027bff8e1cc49c6b81d9d

(this sample)

  
Dropped by
MD5 de9554e145e1df53e979ef47f26675e4
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 7ece9ef7a3e21dd75486410c8ffbc7790cbaeb9d5aeb95c86f891c1a108cbf7c
Cape
Cape
https://www.capesandbox.com/analysis/114865/

Comments