MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51af4d4e1af93fd32fd240a7ec9df52e2af9f7d7567c7f7dff776ce0b4852323. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51af4d4e1af93fd32fd240a7ec9df52e2af9f7d7567c7f7dff776ce0b4852323
SHA3-384 hash: b666c6d6713027bcf2761dfd543b3e348f16eabb6464279def3cb6a4d63db2eb1c1370be111ab252d711160fbaaae61b
SHA1 hash: 9ffd0e64c8bfca6d5357f371beab758be27c77ba
MD5 hash: 18c182c4077190695fed94110763f415
humanhash: west-pizza-tennessee-double
File name:ORDER.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'719'808 bytes
First seen:2021-08-16 11:45:56 UTC
Last seen:2021-08-16 12:53:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:W90TRM73PniQuHgaEmuGfp11D+vfa+/Cckkbz5xhabm9Q2NGbGBajhX8iy:ldMzPsHgtJGh118UQzzsbmq7qBg
Threatray 393 similar samples on MalwareBazaar
TLSH T1758533B66AC8C1A3D64B40B50157DFF19EFF0AD0E2A7C54576CC796CDA138228C3869D
dhash icon 41d898999999e9a1 (3 x BitRAT)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
185.140.53.134:7565

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.140.53.134:7565 https://threatfox.abuse.ch/ioc/190116/

Intelligence

File Origin
# of uploads :
2
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER.exe
Verdict:
Malicious activity
Analysis date:
2021-08-16 11:47:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7d93075c-bb51-4d3a-b389-ce0c242614ea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179519/
Detection(s):
SecuriteInfo.com.Variant.Strictor.49514.9199.18036.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Launching a process
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/897b820f-9197-475c-ae79-091eb2a13373
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/833465
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses dynamic DNS services
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 465896 Sample: ORDER.exe Startdate: 16/08/2021 Architecture: WINDOWS Score: 96 41 martaencaja.ddns.net 2->41 47 Multi AV Scanner detection for dropped file 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 .NET source code contains potential unpacker 2->51 53 6 other signatures 2->53 9 ORDER.exe 4 10 2->9         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming\1.exe, PE32 9->33 dropped 35 C:\Users\user\AppData\Local\Temp\ORDER.exe, PE32 9->35 dropped 37 C:\Users\user\...\1.exe:Zone.Identifier, ASCII 9->37 dropped 39 3 other malicious files 9->39 dropped 55 Creates an undocumented autostart registry key 9->55 13 ORDER.exe 9->13         started        17 wscript.exe 1 9->17         started        19 powershell.exe 17 9->19         started        21 2 other processes 9->21 signatures6 process7 dnsIp8 43 martaencaja.ddns.net 185.140.53.134, 49734, 49736, 49738 DAVID_CRAIGGG Sweden 13->43 45 192.168.2.1 unknown unknown 13->45 57 Multi AV Scanner detection for dropped file 13->57 59 Machine Learning detection for dropped file 13->59 61 Hides threads from debuggers 13->61 63 Wscript starts Powershell (via cmd or directly) 17->63 23 powershell.exe 24 17->23         started        25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        29 conhost.exe 21->29         started        signatures9 process10 process11 31 conhost.exe 23->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51af4d4e1af93fd32fd240a7ec9df52e2af9f7d7567c7f7dff776ce0b4852323/
Threat name:
ByteCode-MSIL.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 11:20:22 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kgxu2tq27e75gl6sict6zhpvfyvpt56xkz6h67p7o5wobnefemrq._file
Verdict:
malicious
Similar samples:
03e5f5529c62c94e1216b6fdb248c8e94fa1d28b4a1b2317df31c281423fb826
BitRAT
09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767
BitRAT
127a77aec69d301ec0eff62153eb160c7a195df26de7ac8617572b2433be6528
BitRAT
18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b
BitRAT
704e26dbdebc8b3ad1391f5b9d671f8b9550609455821540151ff70e17bed798
BitRAT
b610d1ae855f79028cabdbd3c1160bc330ef68a7f30ab5544d00b09af341cc68
BitRAT
bf6b69cb7063d748e6404300ed8b587473b20b2239605862ccbec909bccf7485
BitRAT
dcb73a0ea23548167bd5724418377fe1e8c88f1be3125c0df6cc89722bb26f33
BitRAT
+ 383 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210816-a4ddn5tv7j/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
5deed1daf25ee5ec1a7607bffe6fe14ac023fcda7858a247bd048db2a29dacc7
MD5 hash:
ed3182b68a7a9317705cd0a78c45a7b2
SHA1 hash:
b2243d687fe87e69b07b3ea8b9149605646c67e3
Link:
https://www.unpac.me/results/eae6d1da-ced9-4830-9f27-7f3d4c623eab/
SH256 hash:
0e1770dbae348f0f2399a2ef9c863200da34e9e4e1e6c54b89f9f9c82e06a966
MD5 hash:
f283b19d61d19f38bfb6e95fe4bd7cc4
SHA1 hash:
66e87af5258be5d8acfd29ba98af192b313dc02d
Link:
https://www.unpac.me/results/eae6d1da-ced9-4830-9f27-7f3d4c623eab/
SH256 hash:
dd74ce4b3914add45781cea83ba8389e074d047cdf7af8af7dcdc653369e6e77
MD5 hash:
7eec341af371b83d9d6199136d79b557
SHA1 hash:
5e646a27c0f4a6bc8e57970375e0692584edcd23
Link:
https://www.unpac.me/results/eae6d1da-ced9-4830-9f27-7f3d4c623eab/
SH256 hash:
51af4d4e1af93fd32fd240a7ec9df52e2af9f7d7567c7f7dff776ce0b4852323
MD5 hash:
18c182c4077190695fed94110763f415
SHA1 hash:
9ffd0e64c8bfca6d5357f371beab758be27c77ba
Link:
https://www.unpac.me/results/eae6d1da-ced9-4830-9f27-7f3d4c623eab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51af4d4e1af93fd32fd240a7ec9df52e2af9f7d7567c7f7dff776ce0b4852323

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179519/

Comments