MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711
SHA3-384 hash:	30d5d0cdf1bcf49aa828e3266826721da09ae09816db1bf3c10cb45ad1ab23e9f05d51f5c97066f4ede8d02985a3fcd0
SHA1 hash:	4c67dd3dbb393ba68e602ed43223001bb88d94e4
MD5 hash:	29e932d3d12d1811d99691acb7f228bc
humanhash:	artist-oklahoma-two-thirteen
File name:	UmeMemqbMti9.exe
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	990'208 bytes
First seen:	2023-09-05 00:08:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep	24576:BqDEvCTbMWu7rQYlBQcBiT6rprG8aNrpmD:BTvC/MTQYxsWR7aNo
Threatray	765 similar samples on MalwareBazaar
TLSH	T18625AF0273D1C062FF9B92334B5AF6515BBC69260123E62F13981DB9BE701B1563E7A3
TrID	88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 4.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 2.0% (.EXE) Win32 Executable (generic) (4505/5/1) 0.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	Mitman93
Tags:	BitRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

312

Origin country :

Vendor Threat Intelligence

Malware family:

bitrat

ID:

File name:

UmeMemqbMti9.exe

Verdict:

Malicious activity

Analysis date:

2023-09-05 00:13:42 UTC

Tags:

bitrat rat remote

Link:

https://app.any.run/tasks/f8e44e53-dc66-49a2-8f71-6725f915df86

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/446164/

Detection(s):

SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

autoit control greyware keylogger lolbin packed shell32

Link:

https://www.filescan.io/uploads/64f6719f560864d1b6751fc6/reports/337bcb65-d406-4ae8-b4ef-b58147a8df3c/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/4cc663f8-d0a2-46a8-9609-246d5abb04a0

Result

Threat name:

BitRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1303145

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Contains functionality to modify clipboard data

Found API chain indicative of sandbox detection

Found malware configuration

Hides threads from debuggers

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected BitRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711/

Threat name:

Win32.Trojan.Casdet

Status:

Malicious

First seen:

2023-09-05 00:09:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

8 of 24 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kq3vuoimkllyhwleskjy2bmsavt2aizmfqregylb5a7sc5c3o4iq._file

Verdict:

malicious

BitRAT

719548921d3a99d8bf31d9c2d543803c0c39a620a8386f8ac557b7ebe5d024d2

BitRAT

935195b8b2fc62b32c1fe86d02ce9cf5f97dd367ba476d72a5b49bf0953f4df2

BitRAT

9d2ebaf8bfad87755256c2eb157012c48451a4b2e000e9b220466c37481f81b7

BitRAT

b88e6baf28fcfa45e9f951160e8dc0b017218171d4c4636fb628136c2bf6c1ac

BitRAT

e600b012427e134b3289c2b2875eba4d93f75f88246f811ec5e55a38e29561b1

BitRAT

+ 755 additional samples on MalwareBazaar

Result

Malware family:

bitrat

Score:

10/10

Tags:

family:bitrat trojan upx

Link:

https://tria.ge/reports/230905-affz1sca9y/

Behaviour

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

UPX packed file

Blocklisted process makes network request

BitRAT

Malware Config

C2 Extraction:

xwm.dynuddns.com:8889

Unpacked files

SH256 hash:

54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711

MD5 hash:

29e932d3d12d1811d99691acb7f228bc

SHA1 hash:

4c67dd3dbb393ba68e602ed43223001bb88d94e4

Link:

https://www.unpac.me/results/41133546-4bae-4ec4-b6ac-c79a774e2c00/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/54375a390c52/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/446164/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample