MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43749e8d0c848f2143447b979748f3605e7773abe0550da6ec111473003247c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43749e8d0c848f2143447b979748f3605e7773abe0550da6ec111473003247c3
SHA3-384 hash: a6b5c87bd3d64023c2a79d965159bd6739eabc0f4934670a8c4e4fa3bc25e07ceef4a8d74dda008152674cf74863b837
SHA1 hash: dc8bdfc7d7553aa153d23250b2352f9de788f5c8
MD5 hash: fca51e6e902f2944a26435d1551db3ab
humanhash: alanine-oregon-violet-connecticut
File name:Wesnvuotnnnxvacefgejmjccyfnnrjmdmc.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:893'952 bytes
First seen:2021-07-20 00:35:57 UTC
Last seen:2021-07-20 01:34:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fce049e3b7a69eaa13655a22e62310f (1 x RemcosRAT, 1 x BitRAT)
ssdeep 24576:6GnYY3RMu58Ru1tipkWybDaU0sSo764z:6Gl0UmsSo76
Threatray 633 similar samples on MalwareBazaar
TLSH T10E158F22A340C43FD2F3377DEC1797B198597E166E28784A3FEA290C4E352623B29557
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
20.88.54.36:2222

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
20.88.54.36:2222 https://threatfox.abuse.ch/ioc/161258/

Intelligence

File Origin
# of uploads :
2
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Wesnvuotnnnxvacefgejmjccyfnnrjmdmc.exe
Verdict:
Malicious activity
Analysis date:
2021-07-20 00:40:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9f144b49-244f-482b-a46c-72ed17860f23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172671/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader40.47191.3181.21516.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10cf5b7c-3a65-44fb-80f5-68f132359427
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818602
Signature
Creates a thread in another existing process (thread injection)
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 451013 Sample: Wesnvuotnnnxvacefgejmjccyfn... Startdate: 20/07/2021 Architecture: WINDOWS Score: 100 53 clientconfig.passport.net 2->53 67 Multi AV Scanner detection for domain / URL 2->67 69 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 Yara detected BitRAT 2->73 9 Wesnvuotnnnxvacefgejmjccyfnnrjmdmc.exe 1 24 2->9         started        14 Wesnvuo.exe 13 2->14         started        16 Wesnvuo.exe 14 2->16         started        signatures3 process4 dnsIp5 57 cdn.discordapp.com 162.159.134.233, 443, 49720, 49721 CLOUDFLARENETUS United States 9->57 51 C:\Users\Public\Libraries\...\Wesnvuo.exe, PE32 9->51 dropped 75 Writes to foreign memory regions 9->75 77 Creates a thread in another existing process (thread injection) 9->77 79 Injects a PE file into a foreign processes 9->79 18 cmd.exe 1 9->18         started        21 logagent.exe 1 9->21         started        24 cmd.exe 1 9->24         started        26 WerFault.exe 20 9 9->26         started        81 Multi AV Scanner detection for dropped file 14->81 28 mshta.exe 14->28         started        30 dialer.exe 16->30         started        file6 signatures7 process8 dnsIp9 61 Uses cmd line tools excessively to alter registry or file data 18->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 18->63 32 cmd.exe 1 18->32         started        35 conhost.exe 18->35         started        55 resereved.nerdpol.ovh 20.88.54.36, 2222, 49734 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->55 65 Hides threads from debuggers 21->65 37 reg.exe 1 24->37         started        39 conhost.exe 24->39         started        signatures10 process11 signatures12 59 Uses cmd line tools excessively to alter registry or file data 32->59 41 conhost.exe 32->41         started        43 reg.exe 1 1 32->43         started        45 schtasks.exe 1 32->45         started        47 reg.exe 1 32->47         started        49 conhost.exe 37->49         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43749e8d0c848f2143447b979748f3605e7773abe0550da6ec111473003247c3/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 00:36:05 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=in2j5dimqshscq2epolzoshtmbpho45l4bkq3jxmcekhgabsi7bq._file
Verdict:
malicious
Similar samples:
0d182038f62a038b380a4d3c3769d5eb389b08b194b7dce13606252e7e1aff1c
BitRAT
16f26624a8c348f7497a5bb568b329f64d531ff41cb6a3fd3b5fb4ce9ae0133b
BitRAT
4bb5887d12b822628da418c65c8999b402dd262a58f4ee133a51f00a0c9e7881
BitRAT
90306073ee2c014074fd1d7dfb9567f26184cba1bbe4352eec7b1d781066ee8c
BitRAT
b3d6d97ed4c74d16ab89046ee019d874b8cc1a8ca257e132b3d2cbd146a48545
BitRAT
c26154711ca9d9d48de370f242deb560bd0b99a0c8f12a2d1db5d4cd6e25d107
BitRAT
da0e1f4eee4e74fc5dfb4602fbdb8a7175ba33674ca14575f8001f1b1bed0aa0
BitRAT
dce7bd6ffb24e1022633df291493bc759eda61266bc34c9753ab7912c31b7e96
BitRAT
ebe0b8890392475537625aeefaec22b5f0115011e135117d7afd9325eb47fad8
BitRAT
f353dc700a77a88665e2d6cb4f73396ba3b4437cc3ee9a6a7e095de5f77277c5
BitRAT
+ 623 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan upx
Link:
https://tria.ge/reports/210720-bd1elm12ax/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
3c89381eb5d9bc9b2cc8835190944650d0fab08f3f5bd80e7d60c805c34f85a3
MD5 hash:
046256d9fc63f3f656d8a381e787ccdd
SHA1 hash:
d60bbe23be14e9acd5d9f718ce5686dbcf65e518
Link:
https://www.unpac.me/results/62a3658d-ed40-48e3-85e0-da1e62e4c827/
SH256 hash:
43749e8d0c848f2143447b979748f3605e7773abe0550da6ec111473003247c3
MD5 hash:
fca51e6e902f2944a26435d1551db3ab
SHA1 hash:
dc8bdfc7d7553aa153d23250b2352f9de788f5c8
Link:
https://www.unpac.me/results/62a3658d-ed40-48e3-85e0-da1e62e4c827/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43749e8d0c848f2143447b979748f3605e7773abe0550da6ec111473003247c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172671/

Comments