MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52dbaf7435516b388d60abebda89615a4c2286a663de889a15b45be3b71b0def. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 4 File information Comments

SHA256 hash:	52dbaf7435516b388d60abebda89615a4c2286a663de889a15b45be3b71b0def
SHA3-384 hash:	bbca9557715a36caa38b979be790c01b87cf9f0fd1db918fa23f1af1a99b7017e6e25ec2eb5f8a5cc659196d8ee5ea7d
SHA1 hash:	7610397613a8333bc75c138ecf818ff5def76359
MD5 hash:	6570f922593bca44d7dd06f0b0212169
humanhash:	ink-sierra-triple-grey
File name:	6570F922593BCA44D7DD06F0B0212169.exe
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	1'511'424 bytes
First seen:	2021-07-09 23:30:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6ed4f5f04d62b18d96b26d6db7c18840 (230 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep	24576:DndRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkz1dGWbqS:LXDFBU2iIBb0xY/6sUYYmLbq
Threatray	556 similar samples on MalwareBazaar
TLSH	T1FD6533E14F4E977AF65BCC3C79A61D03CC79D262216A55067E6CC0BE30FFAA21845C62
Reporter	abuse_ch
Tags:	BitRAT exe RAT

abuse_ch

BitRAT C2:
20.151.200.9:6606

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
20.151.200.9:6606	https://threatfox.abuse.ch/ioc/159451/

Intelligence

File Origin

# of uploads :

# of downloads :

147

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6570F922593BCA44D7DD06F0B0212169.exe

Verdict:

Malicious activity

Analysis date:

2021-07-09 23:36:37 UTC

Tags:

trojan rat asyncrat

Link:

https://app.any.run/tasks/4bef5d1b-ede2-4269-b03d-4ebd80290642

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BitRAT

Link:

https://www.capesandbox.com/analysis/170744/

Detection(s):

PUA.Win.Packer.Upolyx-12

Win.Malware.Mikey-9819889-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

BitRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ac3becb0-26b4-43fb-972f-4e3035a5e99d

Result

Threat name:

BitRAT

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/814245

Signature

Antivirus / Scanner detection for submitted sample

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected BitRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/52dbaf7435516b388d60abebda89615a4c2286a663de889a15b45be3b71b0def/

Threat name:

Win32.Trojan.Graftor

Status:

Malicious

First seen:

2021-07-07 02:55:00 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kln265bvkfvtrdlavpv5vclbljgcfbvgmppirgqvwrn6hny3bxxq._file

Verdict:

malicious

BitRAT

299afdf96e5691a426fc9d0579dfde112bd6931c961d688b83c984f2f7f67be7

BitRAT

3d63c22ce814418819c6a1783e542bd75a23ca4321f49208391f18dd781b27e7

BitRAT

4a820b04406f4c710b08b1675a7ffa778c806285dd115404fb415a8096baadda

BitRAT

6c212901b861bddfecd68559ceecc3a35898d965b4e56aeb67febbfa65dc9d52

BitRAT

a52ed9486d2ccdf0a9e29fe70ea7df8ddcb8bc06f9329664a310ae32d1308d6f

BitRAT

ade9445823ca1711a80264706d612f5815743d69352619df4c4505cbaf50c640

BitRAT

befaecfa9c1207b951dcf8e72b803cb32d237f16d9e49df1c6c29fcf690b4ec3

BitRAT

+ 546 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

upx

Link:

https://tria.ge/reports/210709-pa1ej6xd3s/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Unpacked files

SH256 hash:

dec9ccfc971f310ae6af558cbd209b2d045a2f9ce6bb1f3d7d620015513d23fc

MD5 hash:

df47050b28693c2931a13e327dbb7b68

SHA1 hash:

f226ce2d5dfee334d85918d0f7542f8436ec38c8

Link:

https://www.unpac.me/results/8e35a280-8120-4b47-9902-f45267ed0a24/

SH256 hash:

52dbaf7435516b388d60abebda89615a4c2286a663de889a15b45be3b71b0def

MD5 hash:

6570f922593bca44d7dd06f0b0212169

SHA1 hash:

7610397613a8333bc75c138ecf818ff5def76359

Link:

https://www.unpac.me/results/8e35a280-8120-4b47-9902-f45267ed0a24/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.89

Link:

https://yomi.yoroi.company/submissions/52dbaf7435516b388d60abebda89615a4c2286a663de889a15b45be3b71b0def

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_BitRAT Create hunting rule
Author:	ditekSHen
Description:	Detects BitRAT RAT

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/170744/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample