MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5548b857ac6b402388302ea82b0fda3ad06783a217b91e731559736bd5734685. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	5548b857ac6b402388302ea82b0fda3ad06783a217b91e731559736bd5734685
SHA3-384 hash:	f4782b8f1a6f2bef9590f0c69d19032f72b68c59836254ec6fcc81ea25d90c10245b798274e7037812780d151f4865bd
SHA1 hash:	4bfd5fdab7fcdb5a6d91fe24d35870f60b12cf7f
MD5 hash:	1c2697eec9a66c7da1bb6a0024a9431e
humanhash:	green-wyoming-golf-delaware
File name:	1c2697eec9a66c7da1bb6a0024a9431e.exe
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	8'177'152 bytes
First seen:	2022-01-31 07:23:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2b817dc1b1849c6a436f0647be7673e0 (15 x BitRAT)
ssdeep	196608:LIRcbH4jSteTGvSxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOfA:LdHsfuSxwZ6v1CPwDv3uFteg2EeJUO9E
Threatray	647 similar samples on MalwareBazaar
TLSH	T1B786D011B5958C6BD5565238CAEFB33B223CF6600B23C7C367506A394E73AC13E66B16
Reporter	abuse_ch
Tags:	BitRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

179

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1c2697eec9a66c7da1bb6a0024a9431e.exe

Verdict:

Malicious activity

Analysis date:

2022-01-31 08:36:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f1b852fb-7918-422c-a9f2-a0cd4ba265df

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/228318/

Detection(s):

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-49

PUA.Win.Packer.UpxProtector-1

Win.Malware.Mikey-9819889-0

Win.Dropper.BitRAT-9908151-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Creating a window

Сreating synchronization primitives

Creating a file

Creating a process from a recently created file

Creating a process with a hidden window

Moving a recently created file

Sending a custom TCP request

Setting a global event handler

Delayed writing of the file

Setting a global event handler for the keyboard

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5580/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm greyware packed print.exe spyeye

Link:

https://www.filescan.io/uploads/61f78e97d7fd65ae55fb2e92/reports/afd629de-ae65-43f0-b634-0c2d8e6506ca/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

BitRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/07a96c9f-f4e7-4cfd-aeed-4e5e7ef7cf6c

Result

Threat name:

BitRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/930700

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5548b857ac6b402388302ea82b0fda3ad06783a217b91e731559736bd5734685/

Threat name:

Win32.Trojan.Tiggre

Status:

Malicious

First seen:

2021-09-02 07:29:54 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

32 of 43 (74.42%)

Threat level:

5/5

Verdict:

malicious

BitRAT

5667180956271f2f540ecaa2cc350ac3c51b5468315c8e6e5f94fa4dca91cb4f

BitRAT

71d0b7098599a1499e71ecfb828eef37868f31e4bc0e64d1249b90bd4404c5da

BitRAT

895be5d5816339f3f7100cfa36463d9652048babe690920fc195e4a39d7ab6c5

BitRAT

93ac463d55f59133067b2b6d985a077b45924421db0293da03cf15ac2a933b92

BitRAT

9a6e4a0945252684df6638c58bcc3f0eeb38923ab8b56972585692d43ecc532b

BitRAT

b2cda7b8c8214e29b01cc8915de2535db62546e158f7f29b4f5cfa292b66b9a8

BitRAT

c829aa312e2ea1c043566e26517b2bf90e9c12ed68e9d7d24577ebc13f2cf3b1

BitRAT

+ 637 additional samples on MalwareBazaar

Result

Malware family:

bitrat

Score:

10/10

Tags:

family:bitrat upx

Link:

https://tria.ge/reports/220131-h8dz5agfdn/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Looks up external IP address via web service

Loads dropped DLL

Executes dropped EXE

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Malware Config

C2 Extraction:

kjhegxechiassewleatp3wbjyo7jqm2yhhofutzuvd2sem3pnd5hscad.onion:80

Unpacked files

SH256 hash:

bf17144d079649dcf2f770f4527ddb27dab66a51a77d5725d5fb358c847fa88a

MD5 hash:

bbcb4489c483ca0ac14336cda6f941b3

SHA1 hash:

3b5bc6b21f5dce2d6c400b7f5793b909ee771d66

Link:

https://www.unpac.me/results/1c1d1638-3275-435f-b1b9-e2964fd982e2/

SH256 hash:

5548b857ac6b402388302ea82b0fda3ad06783a217b91e731559736bd5734685

MD5 hash:

1c2697eec9a66c7da1bb6a0024a9431e

SHA1 hash:

4bfd5fdab7fcdb5a6d91fe24d35870f60b12cf7f

Link:

https://www.unpac.me/results/1c1d1638-3275-435f-b1b9-e2964fd982e2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5548b857ac6b402388302ea82b0fda3ad06783a217b91e731559736bd5734685

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	MALWARE_Win_BitRAT Create hunting rule
Author:	ditekSHen
Description:	Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/228318/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample