MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e4cd19c835a2fafb63df3429c6db21507e34fcb33c3072c93f28fb4fc32967b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e4cd19c835a2fafb63df3429c6db21507e34fcb33c3072c93f28fb4fc32967b
SHA3-384 hash: 11c08afd7f8295be085aadf53c5e47aa3989db5b2bd84d0daa3134994a2d94097e9080482641aab5c4e76bd725f2b532
SHA1 hash: 9504381c5eab1bc654b1288c89d89e83ebb51891
MD5 hash: 31a88aa50333f66a395ab681141717b2
humanhash: black-juliet-robin-lima
File name:64664646.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:5'837'824 bytes
First seen:2020-11-12 08:03:27 UTC
Last seen:2024-07-24 14:07:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (221 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 98304:7iMJlft4wjr2iW86xwnhKAFhovosyo31CPwDv3uFZjhUg2EeJUO9WLQ0qmA1LxtL:7iQ14w+Hxwhzav1yo31CPwDv3uFZjegQ
Threatray 32 similar samples on MalwareBazaar
TLSH 5046DF9030E55D5EDD966B7CC6EB9327363DFA840B67C7131B21AA3A4E13EC62E90305
Reporter JoulK
Tags:BitRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Moving a recently created file
Sending a custom TCP request
Deleting a recently created file
Setting a global event handler
Delayed writing of the file
Replacing files
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/532108
Signature
Antivirus / Scanner detection for submitted sample
Hides threads from debuggers
Machine Learning detection for sample
May check the online IP address of the machine
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e4cd19c835a2fafb63df3429c6db21507e34fcb33c3072c93f28fb4fc32967b/
Threat name:
Win32.Trojan.Graftor
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 08:04:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jzgndhedlix27nr56nbjy3nscud6gt6lgpbqolet6kh3j7bssz5q._file
Verdict:
unknown
Similar samples:
23cfbb0bf1e110a79678f45c29897e6090b660d3df420bbb916fc3f1bc12eead
BitRAT
38a36c357a50c0f3d6ba6cbaa600507d485271ac452212850dff78f1a430f9e1
BitRAT
6269fd417f93e7c0d7cab576b35dc3b6f6a58c0f04e75533bad84987c228f0e6
BitRAT
723e6b54cd996205412396bbfba18171a8e4e7297dd2492b35ec198e122849cb
BitRAT
75fa551eec71d6d8b9817266813715c2bbb7a537005587f9f1e0d058a05febc6
BitRAT
7eed0a7abb529f2d7208babe7ab96ea673878fad3fcd7779340b4d6dc3d8468e
BitRAT
7faef4d80d1100c3a233548473d4dd7d5bb570dd83e8d6e5faff509d6726baf2
BitRAT
8bb55767bfda131b71a547dd7075f7e43cfda859ab8241188bab784e96096acc
BitRAT
9c0f286d5217ba8e607661f85013cdf95304829e512843d3e5615f9e3058fedb
BitRAT
c829aa312e2ea1c043566e26517b2bf90e9c12ed68e9d7d24577ebc13f2cf3b1
BitRAT
+ 22 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/201112-fwatr5rdvs/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
4e4cd19c835a2fafb63df3429c6db21507e34fcb33c3072c93f28fb4fc32967b
MD5 hash:
31a88aa50333f66a395ab681141717b2
SHA1 hash:
9504381c5eab1bc654b1288c89d89e83ebb51891
Link:
https://www.unpac.me/results/0d280593-6129-4fb7-886c-0cdf9db611bc/
SH256 hash:
6ac6f502f8fb075867e005daf823e6158fc6c64378fbb8e9352ccb2adc3601bf
MD5 hash:
d5e5d9e894311e199c174c8c1a756534
SHA1 hash:
2505579f93cc32d727bd161bd71d3d9824cb628e
Detections:
win_bit_rat_w0
Create hunting rule
Link:
https://www.unpac.me/results/0d280593-6129-4fb7-886c-0cdf9db611bc/
SH256 hash:
bf17144d079649dcf2f770f4527ddb27dab66a51a77d5725d5fb358c847fa88a
MD5 hash:
bbcb4489c483ca0ac14336cda6f941b3
SHA1 hash:
3b5bc6b21f5dce2d6c400b7f5793b909ee771d66
Link:
https://www.unpac.me/results/0d280593-6129-4fb7-886c-0cdf9db611bc/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_bit_rat_w0
Create hunting rule
Author:KrabsOnSecurity
Description:String-based rule for detecting BitRAT malware payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 4e4cd19c835a2fafb63df3429c6db21507e34fcb33c3072c93f28fb4fc32967b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/810000/

Comments