MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a09bedcd448deaaaff205dabbc19a34f5b47a9714ac85a5a827c0aabeb2db7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a09bedcd448deaaaff205dabbc19a34f5b47a9714ac85a5a827c0aabeb2db7f
SHA3-384 hash: 2782b28e5ed60c01177e3fadf210f6cafeeeeac2127a2a2ee5efc78e6b05e32c5cc03fb21e643b699a4a6fef6251d760
SHA1 hash: b1a6176e2728ad6ae57c6087d6506ab2a7da5758
MD5 hash: 81b9dab45b74806fb648cbc9de2f90be
humanhash: sixteen-green-don-fourteen
File name:AYDIN Request Order Turkey OCT2020.scr
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'369'984 bytes
First seen:2020-10-09 11:32:06 UTC
Last seen:2020-10-09 12:54:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:vQgHYB6ORwy+DTgwdH0mQuyYvcX4L7y3IJNa:vQgHC64P+wBmQdYkr3ma
Threatray 21 similar samples on MalwareBazaar
TLSH 04B59C30B4278F06E5B969F2C47A70A0D0F035DA6C57D2AC1CC56ED7A2D8758834AFB9
Reporter abuse_ch
Tags:BitRAT scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: box0.tamgroup-inc.com
Sending IP: 192.145.37.212
From: Erdal AYDIN <office@tamgroup-inc.com>
Subject: AYDIN Request Order Turkey OCT2020
Attachment: AYDIN Request Order Turkey OCT2020.rar (contains "AYDIN Request Order Turkey OCT2020.scr")

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69541/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
Adding an access-denied ACE
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Enabling autorun by creating a file
Enabling autorun
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/486664
Signature
Binary contains a suspicious time stamp
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 295776 Sample: AYDIN Request Order Turkey ... Startdate: 09/10/2020 Architecture: WINDOWS Score: 100 55 nexty.dnsupdate.info 2->55 63 Multi AV Scanner detection for dropped file 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Yara detected BitRAT 2->67 69 7 other signatures 2->69 8 AYDIN Request Order Turkey OCT2020.exe 3 4 2->8         started        12 AYDIN Request Order Turkey OCT2020.exe 2->12         started        14 AYDIN Request Order Turkey OCT2020.exe 2 2->14         started        16 3 other processes 2->16 signatures3 process4 file5 51 C:\...\AYDIN Request Order Turkey OCT2020.exe, PE32 8->51 dropped 53 AYDIN Request Orde...exe:Zone.Identifier, ASCII 8->53 dropped 75 Creates an undocumented autostart registry key 8->75 77 Hides threads from debuggers 8->77 18 ilasm.exe 1 7 8->18         started        23 timeout.exe 1 8->23         started        25 WerFault.exe 23 9 8->25         started        79 Creates autostart registry keys with suspicious names 12->79 81 Creates multiple autostart registry keys 12->81 27 timeout.exe 12->27         started        29 ilasm.exe 14->29         started        31 timeout.exe 1 14->31         started        35 2 other processes 14->35 33 ilasm.exe 16->33         started        37 4 other processes 16->37 signatures6 process7 dnsIp8 57 myexternalip.com 216.239.32.21, 443, 49724 GOOGLEUS United States 18->57 59 nexty.dnsupdate.info 79.134.225.98, 49723, 49743, 8070 FINK-TELECOM-SERVICESCH Switzerland 18->59 61 192.168.2.1 unknown unknown 18->61 49 C:\Users\user\AppData\Local:09-10-2020, HTML 18->49 dropped 71 Creates files in alternative data streams (ADS) 18->71 73 Hides threads from debuggers 18->73 39 conhost.exe 23->39         started        41 conhost.exe 31->41         started        43 conhost.exe 37->43         started        45 conhost.exe 37->45         started        47 conhost.exe 37->47         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a09bedcd448deaaaff205dabbc19a34f5b47a9714ac85a5a827c0aabeb2db7f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 10:39:07 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jie35xgujdpkvl7saxnlxqm2gt23i6uxcswiljnie7akvpvs3n7q._file
Verdict:
unknown
Similar samples:
19ea2b24f4d65b8169f982300901dba2253a880e3bd3f07dfcf933c0fe67a139
BitRAT
4bf5091bc067f8255252ad26fb03b715301433af9334dd100b9b6586983979f0
BitRAT
5b92d7f869973b50de0c707ce58afacd6f1202364283c7dffa6ffd79a41a93eb
BitRAT
5edcb867ea82f70e5c2c8fcf09239b0b5f1f9d7305c6715db9c5f428b47d940f
BitRAT
76bb1098a0fc09328f1ac34847f16e4ad19d802ffb41ed2e2726aa42eae3a20e
BitRAT
7a86f1fa947ada93a5a8ecf5824ce2034152e50ba8b53fe6904fd10c62e88adf
BitRAT
8bc8f11f65265cd267e36dd30710793863582fd6e4c554d50fa5a083d015ced6
BitRAT
ab594b591e16cbe9906f93021934fab9d7ecceea8c0f03399fbd683f19885f90
BitRAT
ba318072fe85e168c5fd55a30760ac306f75fa76c2d5ec40533b0505cda1c26d
BitRAT
ea34ce44176906af3dd7ec1e4d9db0df144f5769ce3298d88864698c54164c9b
BitRAT
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
upx persistence
Link:
https://tria.ge/reports/201009-m6xwp9s8ka/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
UPX packed file
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
4a09bedcd448deaaaff205dabbc19a34f5b47a9714ac85a5a827c0aabeb2db7f
MD5 hash:
81b9dab45b74806fb648cbc9de2f90be
SHA1 hash:
b1a6176e2728ad6ae57c6087d6506ab2a7da5758
Link:
https://www.unpac.me/results/022597ef-6595-4e5d-8601-d4afae483257/
SH256 hash:
7e4f301ff2c6f2533aa78700b23c3f39cc42264f3aca99df71c500abbcdffa82
MD5 hash:
57ea1fe1fe332b8df2df9ea4368dea0a
SHA1 hash:
ea99c7a4fadfd6186081dc932219a603ef8a491e
Link:
https://www.unpac.me/results/022597ef-6595-4e5d-8601-d4afae483257/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a09bedcd448deaaaff205dabbc19a34f5b47a9714ac85a5a827c0aabeb2db7f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

rar 669a1f87db403ac60038abc86331755ed968c855bca8cb575b93bccac110d517

BitRAT

Executable exe 4a09bedcd448deaaaff205dabbc19a34f5b47a9714ac85a5a827c0aabeb2db7f

(this sample)

  
Dropped by
MD5 9c46968fc7096ff2af133a6ff9454ff7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69541/
  
Dropped by
SHA256 669a1f87db403ac60038abc86331755ed968c855bca8cb575b93bccac110d517

Comments