MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 522de9741550dc1f29b224a934ad3bd4c8454975a3e8aa3a1215cfe884eb0aff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 522de9741550dc1f29b224a934ad3bd4c8454975a3e8aa3a1215cfe884eb0aff
SHA3-384 hash: 1e8da9d5666b73499caed6eb9cd465c2684f08a4df1f3054e465020da5940e4bb073b0c1ac87867d171ec8637ccf9f84
SHA1 hash: 9fb6432955174ef70c599685c3464ff25a40f487
MD5 hash: 8b0ccd873b1a29112ef30b67ce01e11d
humanhash: indigo-hydrogen-jig-robert
File name:PO_pdf.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:390'155 bytes
First seen:2020-10-19 07:29:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 6144:pPCganNdc2aj/SDwTPSh1/vRWwItW47KXXReIuRguQrz+7bqzAgGMMilNXWuIGQT:nanTc21DwPSD/vRWDtW4mXXR59rz+vMC
Threatray 602 similar samples on MalwareBazaar
TLSH 8184230EBB61DDC3D542417125BAB6A2B7FBCE15268E1E075B482E95BC513832A3F321
Reporter abuse_ch
Tags:BitRAT exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: GUEST.home
Sending IP: 45.63.67.54
From: Karla Magdalena Quintanilla<karla_magdalena_quintanilla@whirlpool.com>
Reply-To: <karla_magdalena_quintanilla@whirlpool.com>
Subject: Quote- W11438184
Attachment: PO.rar (contains "PO_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72795/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

PUA.Win.Adware.Browserio-6725861-0
Create hunting rule

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a file
Launching a process
Launching cmd.exe command interpreter
Creating a window
Unauthorized injection to a system process
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495027
Signature
Contain functionality to detect virtual machines
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Hijacks the control flow in another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect virtualization through RDTSC time measurements
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299993 Sample: PO_pdf.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 57 Multi AV Scanner detection for dropped file 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Yara detected BitRAT 2->61 63 3 other signatures 2->63 10 PO_pdf.exe 2 44 2->10         started        process3 signatures4 81 Contain functionality to detect virtual machines 10->81 13 rundll32.exe 10->13         started        process5 signatures6 85 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->85 87 Hijacks the control flow in another process 13->87 89 Maps a DLL or memory area into another process 13->89 16 cmd.exe 15 13->16         started        21 cmd.exe 13->21         started        23 cmd.exe 13->23         started        process7 dnsIp8 53 seleccionibericos.com 82.98.139.159, 443, 49732 DINAHOSTING-ASES Spain 16->53 39 C:\Users\user\...\R7plO2SJ2nVOIMY7.exe, PE32 16->39 dropped 41 C:\Users\user\AppData\Local\...\tls[1].exe, PE32 16->41 dropped 65 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->65 25 R7plO2SJ2nVOIMY7.exe 17 16->25         started        67 Contains functionality to inject code into remote processes 21->67 69 Tries to detect virtualization through RDTSC time measurements 21->69 71 Contains functionality to hide a thread from the debugger 21->71 file9 signatures10 process11 file12 45 C:\Users\user\AppData\Local\...\CoachPig.dll, PE32 25->45 dropped 47 C:\Users\user\AppData\...\sbsmscorsec.dll, PE32 25->47 dropped 49 C:\Users\user\AppData\...\CMAccept.exe, PE32 25->49 dropped 51 8 other files (none is malicious) 25->51 dropped 83 Machine Learning detection for dropped file 25->83 29 rundll32.exe 25->29         started        signatures13 process14 signatures15 91 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 29->91 93 Hijacks the control flow in another process 29->93 95 Maps a DLL or memory area into another process 29->95 32 cmd.exe 3 2 29->32         started        37 cmd.exe 29->37         started        process16 dnsIp17 55 45.147.231.65, 3002, 49735, 49736 COMBAHTONcombahtonGmbHDE Germany 32->55 43 C:\Users\user\AppData\Local:19-10-2020, HTML 32->43 dropped 73 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 32->73 75 Creates files in alternative data streams (ADS) 32->75 77 Creates an undocumented autostart registry key 32->77 79 Hides threads from debuggers 32->79 file18 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/522de9741550dc1f29b224a934ad3bd4c8454975a3e8aa3a1215cfe884eb0aff/
Threat name:
Win32.Spyware.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 01:38:47 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kiw6s5avkdob6knsesutjlj32teekslvupukuoqscxh6rbhlbl7q._file
Verdict:
unknown
Similar samples:
0e4c5cf2d1d60e4931c7af6021073006379935d688f5f55ad21fb29844d75a5a
BitRAT
46ceaed6d9f20fc2b5d51a63957ea0a5772f33ac4d58b1024cce8eb1c207567e
BitRAT
570672980a21fd2c45d02d6c6765bbce984f207f0f6ec0ec7c4a38eafe6c8931
BitRAT
5d9004bb38a2e4c6ee1528f75e8453e778d9f39a3e7d9f02ee7821eae65cf886
BitRAT
5e23eed104a5bd67c8ae3abe1f3554abac8500bf9f916992df36246b06f14419
BitRAT
72ec3dcd3d7a197c45c66605330968f86044d6a2ec37bf843e33b7f4668781f9
BitRAT
959621ed5f48dbbefe1c0e0e0a87bba88bc7a6b39cd1e10af930e1b969de9f97
BitRAT
9ea8141b737b1dd5d56c800d4f84048014d83489f0fb3a78e42076a81186e30d
BitRAT
c2f42cfcfafad77546d57cbfde6a6f4c1c75d684a81304d1ec901285b1873bd3
BitRAT
fad58c442302c02a2750bc532c0c4705f6193e8cabb2acbc88181cdd328d6145
BitRAT
+ 592 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx persistence
Link:
https://tria.ge/reports/201019-gs5b42al8e/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Loads dropped DLL
Blacklisted process makes network request
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
522de9741550dc1f29b224a934ad3bd4c8454975a3e8aa3a1215cfe884eb0aff
MD5 hash:
8b0ccd873b1a29112ef30b67ce01e11d
SHA1 hash:
9fb6432955174ef70c599685c3464ff25a40f487
Link:
https://www.unpac.me/results/b21652f9-bb6a-48ab-8a69-47d80efeafa4/
SH256 hash:
791eded8cc07f2acf5fcae6b83bed733707df4b3cf5603287f982ef17c2a7229
MD5 hash:
0bf89fd2e99a592eed550e16dbeef9ba
SHA1 hash:
6b9394eaeb63891602e7ed48612c4e3d09d62a11
Link:
https://www.unpac.me/results/b21652f9-bb6a-48ab-8a69-47d80efeafa4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/522de9741550dc1f29b224a934ad3bd4c8454975a3e8aa3a1215cfe884eb0aff

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

rar 3732270c924b8968b9986ccc94c2348ed897cd650f850cb8c42dbe4a8cc96c2e

BitRAT

Executable exe 522de9741550dc1f29b224a934ad3bd4c8454975a3e8aa3a1215cfe884eb0aff

(this sample)

  
Dropped by
MD5 84894241aa93646f03399bd4603e787f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72795/
  
Dropped by
SHA256 3732270c924b8968b9986ccc94c2348ed897cd650f850cb8c42dbe4a8cc96c2e

Comments