MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e1c013bf36b27f78e0fdc7ab5a67bc3f62f33c97f5848daf40df7ec7d842fa4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BitRAT
Vendor detections: 8

SHA256 hash: 4e1c013bf36b27f78e0fdc7ab5a67bc3f62f33c97f5848daf40df7ec7d842fa4
SHA3-384 hash: 2b4cab2a99abafed9fcf7463b9b3c361e453eadc87e54ecd503fd792929c1b92891e69b682d449db4731eeb0b2b07fec
SHA1 hash: 9790217e8b9a2134f2abf451ac68c847dc31c905
MD5 hash: 15478642d48681a67374167d173d4f84
humanhash: cardinal-mirror-music-mockingbird
File name: http___185.215.113.102_Rbget.exe
Signature: BitRAT
File size: 5'085'872 bytes
First seen: 2021-08-27 13:15:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a015e6773f75ebc5c3c4382777305de7 (1 x BitRAT)
ssdeep: 98304:6jT71ntlY5xzFunCcZ2iH9oFfQPjpw6D8cKuEBQ5Qbg+db778Fm/S3DdK1NPgf6K:i3fCcZZ2VQtbXQ9A5DdK1NPgCWXaYRX7
TLSH: T1C1369D1906A25F72D56F3ABD892BD0C7BD19D2928CB640BDCDD0892F74E3E6037A4B44
dhash icon: e0e0c1c8f8b3d9f9 (1 x BitRAT)
Reporter: Racco42
Tags: BitRAT exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 240
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: shipment reference.js
Verdict: Malicious activity
Analysis date: 2021-08-27 13:04:31 UTC
Tags: loader trojan bitrat rat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour:
Searching for the window
Sending a UDP request
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature:
C2 URLs / IPs found in malware configuration
Creates files in alternative data streams (ADS)
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Yara detected BitRAT
Threat name: Win32.Trojan.Cmy3u
Status: Malicious
First seen: 2021-08-27 09:15:20 UTC
AV detection: 18 of 28 (64.29%)
Threat level: 5/5

Verdict: unknown
Result
Malware family:
Score: 10/10
Tags: family:bitrat persistence suricata trojan
Behaviour:
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
BitRAT
BitRAT Payload
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Unpacked files:
SHA256 hash: 4fb5f23ccab0593c9890f0888bf5a36b5f6cec1f5c509362f992fbc6e72784fd
MD5 hash: 83d3eff4dcb30efe201ae892cda9ecda
SHA1 hash: df77cb331f73171ba380fd88b62f339fc6ffa75f
SHA256 hash: 4e1c013bf36b27f78e0fdc7ab5a67bc3f62f33c97f5848daf40df7ec7d842fa4
MD5 hash: 15478642d48681a67374167d173d4f84
SHA1 hash: 9790217e8b9a2134f2abf451ac68c847dc31c905
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with a stomped PE compilation timestamp that is greater than the local current time
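The stomped-timestamp rule above and the "PE file has a writeable .text section" signature listed under Vendor Threat Intelligence are both cheap static checks on the PE headers. The following Python is an added example, not MalwareBazaar's, a sandbox vendor's or the YARA rule author's code: it re-implements both checks directly against the raw headers with only the standard library (no pefile dependency), and recomputes the digests shown at the top of this entry so a downloaded file can be confirmed to be the sample this page describes before it is handled further. The `build_test_pe` helper constructs a minimal, non-runnable PE image purely to exercise the checks; it is constructed test input, not the BitRAT sample.

```python
"""Static triage helpers mirroring two signatures shown on this entry.

Added example; not MalwareBazaar code. PE header fields are read with
struct so the script runs anywhere Python does.
"""
import hashlib
import struct
import time

# Constants from the PE/COFF specification.
PE_SIGNATURE = b"PE\0\0"
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Digests copied from this MalwareBazaar entry for the downloaded sample.
ENTRY_HASHES = {
    "md5": "15478642d48681a67374167d173d4f84",
    "sha1": "9790217e8b9a2134f2abf451ac68c847dc31c905",
    "sha256": "4e1c013bf36b27f78e0fdc7ab5a67bc3f62f33c97f5848daf40df7ec7d842fa4",
}


def hash_summary(data: bytes) -> dict:
    """Return the digests MalwareBazaar displays for a file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def matches_entry(data: bytes, expected: dict = ENTRY_HASHES) -> bool:
    """True only if every listed digest matches. A mismatch means this is not
    the file the page describes (truncated download or a different sample)."""
    actual = hash_summary(data)
    return all(actual[k] == v.lower() for k, v in expected.items())


def pe_static_checks(data: bytes, now=None) -> dict:
    """Findings equivalent to two signatures on this page:
    timestamp_in_future: TimeDateStamp later than the scanner's clock
                         (what the YARA rule above detects)
    writable_text:       a .text section carrying IMAGE_SCN_MEM_WRITE
    """
    now = int(time.time()) if now is None else now
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, stamp, _, _, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    findings = {"timestamp": stamp, "timestamp_in_future": stamp > now,
                "writable_text": False}
    sections = coff + 20 + opt_size
    for i in range(nsections):
        off = sections + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                        # truncated section table
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]  # Characteristics
        if name == ".text" and chars & IMAGE_SCN_MEM_WRITE:
            findings["writable_text"] = True
    return findings


def build_test_pe(timestamp: int, text_chars: int) -> bytes:
    """Constructed, non-runnable PE image used only to exercise the checks."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    opt = bytes(0xE0)                                 # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, len(opt), 0x0102)
    section = b".text".ljust(8, b"\0") + bytes(28) + struct.pack("<I", text_chars)
    return bytes(dos) + PE_SIGNATURE + coff + opt + section


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read()
    print("digests match this entry:", matches_entry(blob))
    print(pe_static_checks(blob))
```

Both findings are triage signals, not verdicts: the YARA rule compares the stamp against the scanner's own clock, so a build host with a skewed clock trips it while a zeroed or back-dated stamp does not, and a writable .text section is also produced by some legitimate packers. Corroborate them with the dynamic behaviour the sandboxes reported above (NtSetInformationThreadHideFromDebugger, the Run key, the BitRAT C2 certificate) before drawing conclusions.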

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments