MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48b52d4b7b3e9621acf8e19504a165024dbdbccf4f450dbe89c52d2a48a70f19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 5


Intelligence 5 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48b52d4b7b3e9621acf8e19504a165024dbdbccf4f450dbe89c52d2a48a70f19
SHA3-384 hash: 215c175f33f51249895eeb61b041ce1671d042240c2a804024aac9ddd7693c34e75a92dbf4f728b4fafa4493f9450f6c
SHA1 hash: 1221f4a4b5a5fa0f9a2a6cb0a90b78743cc37ee4
MD5 hash: 44b19208f04d5006d58df86fbc3f0f6c
humanhash: jersey-twelve-edward-potato
File name:2021 Order 8059685865,pdf.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:60'096 bytes
First seen:2021-03-25 11:57:10 UTC
Last seen:2021-03-25 13:35:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 1536:bTTqOTIcnCs2s/ywXUzFDD+vyZMBvNjs6/:bKOTznzn/yt/Svh
Threatray 19 similar samples on MalwareBazaar
TLSH 054350DC1A4808EBE46DF934B0952D029230E9FBE4118F6B94CB92D7F453B9629C497F
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
217.138.212.57:54515

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
217.138.212.57:54515 https://threatfox.abuse.ch/ioc/5209/

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2021 Order 8059685865,pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-25 12:03:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/61a5a22f-af97-457d-85eb-538b6c403f76

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.19225.28175.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
n/a
Score:
23 / 100
Link:
https://www.joesandbox.com/analysis/653848
Signature
Initial sample is a PE file and has a suspicious name
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48b52d4b7b3e9621acf8e19504a165024dbdbccf4f450dbe89c52d2a48a70f19/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-25 11:58:05 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jc2s2s33h2lcdlhy4gkqjilfajg33pgpj5cq3pujyuwsusfhb4mq._file
Verdict:
suspicious
Similar samples:
0036f48bec73d5fa22ff748cfbba749eca799c26076c59800c9b56b8c99982d5
BitRAT
52a0451136f10436c0c03139d900855a141880389ca57e9a1472a01dc28c2c47
BitRAT
61ae998518441b3cc2de4761cb58b183fd403165fcc6a6e4c2ecea8686c20e26
BitRAT
64f7230663961a028299cbdf42863e3402e6325864e453ad5ec743e05f3a5ce6
BitRAT
750ac1c22fae6298acf85f62700ebbc8ccd8aff1f3ff20b28d8baa075a73c4bf
BitRAT
7b4405a91c3efb1637ed21a1b2fc3ce965fcd2770513e71d6ba0f2b7608e5822
BitRAT
7e27cccf7b35b0eb3092c56794510356fdea2326551b1c4c71256bc7d36ecffc
BitRAT
afd0e2a33836232d156324023353331d3dbc04364b85f61f7e01a7504cf14a18
BitRAT
bd52197839d89a6a0326dd6f7dd0bae4f3b5e19d6e11759be1ab818a6d7cdc17
BitRAT
f01dbed6e7c2bdd717fc4fa8b8924e3ded176c2e7eb8171c5699e118c4f6b69b
BitRAT
+ 9 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210325-kdktxv6wve/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
48b52d4b7b3e9621acf8e19504a165024dbdbccf4f450dbe89c52d2a48a70f19
MD5 hash:
44b19208f04d5006d58df86fbc3f0f6c
SHA1 hash:
1221f4a4b5a5fa0f9a2a6cb0a90b78743cc37ee4
Link:
https://www.unpac.me/results/bd21af6a-8abe-48ac-b188-275adad84016/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/48b52d4b7b3e9621acf8e19504a165024dbdbccf4f450dbe89c52d2a48a70f19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments