MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40f3e277da7a04b58913ba390827cfd51b318f40768c58f81361b832096ce1ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40f3e277da7a04b58913ba390827cfd51b318f40768c58f81361b832096ce1ef
SHA3-384 hash: 0fb5b011172d66dfc71b63686b071b4e89b36df3d83d33f9e9671b9106240fdaa1296d60e5b63eef252000a8a96f491b
SHA1 hash: 615aced62a15e9a1733bfb2c390ba83f024bbbd7
MD5 hash: b8d03a02e654dfc840f21297b8dc99b2
humanhash: earth-connecticut-salami-moon
File name:bawo.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:8'126'464 bytes
First seen:2023-09-26 13:54:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 196608:KUYuomDLdUgXNjeOoUoB/mZMnsDJKB4o+uBxKd8c:TzoQLd0O6B7c0BTLjbc
Threatray 829 similar samples on MalwareBazaar
TLSH T1338623708148D6EFE4CFFABC9A43ABC0E738FC4F5675A51D0588312FAA387981916752
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon ccb2e0f8e2a69ac4 (1 x BitRAT)
Reporter JAMESWT_WT
Tags:BitRAT exe payorderreceipt-info

Intelligence

File Origin
# of uploads :
1
# of downloads :
341
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
bitrat
Create hunting rule
ID:
1
File name:
bawo.exe
Verdict:
Malicious activity
Analysis date:
2023-09-26 14:05:40 UTC
Tags:
bitrat rat remote
Link:
https://app.any.run/tasks/d1f92ef8-cfdd-48cb-8911-7a8fab5cc44c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451303/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.11703.20157.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Running batch commands
Creating a file
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
DNS request
Setting a global event handler
Sending a custom TCP request
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed smartassembly
Link:
https://www.filescan.io/uploads/6512e2be1edabd9982a05b90/reports/d013d4e3-cfb7-46d5-9f9b-9eff97a3dbd4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/40f3e277da7a04b58913ba390827cfd51b318f40768c58f81361b832096ce1ef
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BitRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e722042c-bb65-4c93-8ad5-d3601b9c50d2
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1314574
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Found malware configuration
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1314574 Sample: bawo.exe Startdate: 26/09/2023 Architecture: WINDOWS Score: 100 65 bitnow7005.duckdns.org 2->65 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 7 other signatures 2->77 9 bawo.exe 2 2->9         started        12 svchost.exe 1 2->12         started        14 svchost.exe 2->14         started        16 3 other processes 2->16 signatures3 process4 signatures5 87 Writes to foreign memory regions 9->87 89 Allocates memory in foreign processes 9->89 91 Injects a PE file into a foreign processes 9->91 18 RegAsm.exe 1 9->18         started        22 cmd.exe 2 9->22         started        24 cmd.exe 3 9->24         started        27 cmd.exe 1 9->27         started        93 Multi AV Scanner detection for dropped file 12->93 95 Machine Learning detection for dropped file 12->95 29 cmd.exe 12->29         started        33 3 other processes 12->33 31 RegAsm.exe 14->31         started        35 3 other processes 14->35 37 8 other processes 16->37 process6 dnsIp7 67 bitnow7005.duckdns.org 2.59.254.205, 49777, 49780, 49781 CMCSUS Germany 18->67 69 192.168.2.1 unknown unknown 18->69 79 Found stalling execution ending in API Sleep call 18->79 81 Hides threads from debuggers 18->81 83 Uses schtasks.exe or at.exe to add and modify task schedules 22->83 85 Drops PE files with benign system names 22->85 39 conhost.exe 22->39         started        63 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 24->63 dropped 41 conhost.exe 24->41         started        43 conhost.exe 27->43         started        45 schtasks.exe 1 27->45         started        49 2 other processes 29->49 47 WerFault.exe 3 10 33->47         started        51 2 other processes 33->51 53 4 other processes 35->53 55 10 other processes 37->55 file8 signatures9 process10 process11 57 WerFault.exe 43->57         started        59 WerFault.exe 43->59         started        61 WerFault.exe 43->61         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40f3e277da7a04b58913ba390827cfd51b318f40768c58f81361b832096ce1ef/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-09-26 13:50:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=idz6e562picllcitxi4qqj6p2untdd2ao2gfr6atmg4declm4hxq._file
Verdict:
malicious
Similar samples:
10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6
BitRAT
2bcc4315b528b9e1b1896042dd07483b4f9275271f05fb484bd92c2cb2b13d97
BitRAT
311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c
BitRAT
346d81a65c711916cd277904f95215f6971b48c0fa001a9eff9edf9fd1097d2d
BitRAT
96716d490f2357faf8ebb019edb959af47c06b94c51a8852b2b15b2cd3022c56
BitRAT
abf9b6a9caacf86ccc918d23393a24096d08345375f2765bbb6a675fad211c49
BitRAT
bc0374c212e401d5f220df5657a980fc40fc210af0a7c34dd8d43556d8b2a4be
BitRAT
bdcf3c8b8f3f71c76e5a192bd9dbce2061379edb57eba0d41fdc69f9172a9d6b
BitRAT
c08717041abe9ab94e3923f4e08a09583ab195ac3d460642b18568362c32a71e
BitRAT
+ 819 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan
Link:
https://tria.ge/reports/230926-q75epabb46/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Executes dropped EXE
BitRAT
Malware Config
C2 Extraction:
bitnow7005.duckdns.org:7005
Unpacked files
SH256 hash:
3a987fd51423f186242c3fbbdab59113c11d4ac67109e90ab948d5d0591699fb
MD5 hash:
f476d51502264ca561c1d4786200e94f
SHA1 hash:
fe02bf714fccdbdfd8ebb29b580596a3cdcd5c26
Detections:
BitRat
Create hunting rule
win_bit_rat_auto
Create hunting rule
Link:
https://www.unpac.me/results/a43a27b7-1d73-4ee9-ba9e-4c66f3277fa0/
SH256 hash:
9b5f30215f085c77858542cbf13cde8fdb9377373542e4fcb0ff1aa2e8f1ba3d
MD5 hash:
9f715a6c91b90f1fd99511b468e685b3
SHA1 hash:
6454b37d1b9c8d8abca3bfa19f3ca11c00f4baab
Link:
https://www.unpac.me/results/a43a27b7-1d73-4ee9-ba9e-4c66f3277fa0/
SH256 hash:
40f3e277da7a04b58913ba390827cfd51b318f40768c58f81361b832096ce1ef
MD5 hash:
b8d03a02e654dfc840f21297b8dc99b2
SHA1 hash:
615aced62a15e9a1733bfb2c390ba83f024bbbd7
Link:
https://www.unpac.me/results/a43a27b7-1d73-4ee9-ba9e-4c66f3277fa0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/40f3e277da7a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40f3e277da7a04b58913ba390827cfd51b318f40768c58f81361b832096ce1ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 40f3e277da7a04b58913ba390827cfd51b318f40768c58f81361b832096ce1ef

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/451303/
  
URLhaus
https://urlhaus.abuse.ch/url/2714276/
  
Delivery method
Distributed via web download

Comments