MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5586ef434d41ac7bb60ad57a628edf85fcc53ec6617680e3b77730054eb1076d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5586ef434d41ac7bb60ad57a628edf85fcc53ec6617680e3b77730054eb1076d
SHA3-384 hash: d743dabeba2fad86820b0066c54fa05bc817b7a88e4636721d416ea82ea03cd2e848211900f34568ed917a2c2f0da31c
SHA1 hash: 351978b673a71d15ed2d3c881457e4aebb4a286f
MD5 hash: 6282b0c5f353fb2e52ef52934fdf4c9a
humanhash: one-orange-quebec-hydrogen
File name:INVOICE-ORDER CONFIRM.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:3'239'424 bytes
First seen:2021-03-06 06:46:33 UTC
Last seen:2021-03-06 08:39:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:gOI7hTTqKdijAEoZHeMg19R8qjhlNy1jIGrkvrxwIiHjeukGwCLYnHc1hNajGAAu:XwxZzC9pcNVE9nukGK8LcjBAxgsfo7
Threatray 88 similar samples on MalwareBazaar
TLSH B6E5022533457EB1E2580E32C9139151D3E08E5B3732F7CB79E43EDAA96664ECA1F04A
Reporter abuse_ch
Tags:BitRAT exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mx1.serviunix.com
Sending IP: 181.48.186.3
From: Maria Elena Castrillon Gaviria <mcastrillon@iprocom.co>
Subject: PROFORM INVOICE
Attachment: INVOICE-ORDER CONFIRM.rar (contains "INVOICE-ORDER CONFIRM.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE-ORDER CONFIRM.exe
Verdict:
Malicious activity
Analysis date:
2021-03-06 06:48:52 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/72f15987-a3ab-4172-a656-1ce2eaaf00d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/122593/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.17262.9359.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Sending a UDP request
Running batch commands
Launching a process
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/630442
Signature
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5586ef434d41ac7bb60ad57a628edf85fcc53ec6617680e3b77730054eb1076d/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-06 06:47:08 UTC
AV detection:
9 of 47 (19.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kwdo6q2nigwhxnqk2v5gfdw7qx6mkpwgmf3iby5xo4yaktvra5wq._file
Verdict:
unknown
Similar samples:
1e358cdd08320d9b811ec7772ac2d2e3eb2a4c2d61da189a3a6aaa0cff000c97
BitRAT
99a9903d77272e93c262ae1391ef64f0639835f0cc9fc8b07f6fbc4d1bf40c5a
BitRAT
9dde30eea4bc51f6561d857ecb624f09e3257c3a015ff49a8f22f206fcab45c1
BitRAT
9e4326708091e0200c65e604aa974e6032c0533e2fa1e71d39f8d78ebacd8195
BitRAT
a364cf1f815223ccb6ec8462e1c883567de1f8ccb8c3ba259aedef55210ae037
BitRAT
afeb708ad46713f215fe9e8bfada31b7b518fcd081f1592778d514fc41012d3f
BitRAT
cfa2a92908f847cecdc4485e2ecc75d095c1ccbfb6dc64f9cda00a8b208c1f1f
BitRAT
d65fa2504374d19e221d6631799f41426450d650355098be07f7cfa667d80bf9
BitRAT
dd62faf4995b64622a600017699ab4a601dd66027d3fc958d0b372e3d80a1353
BitRAT
de30003e6ddb359c6ff472c95be691529ca67a4b2d32d12bcd89dfe9432235ca
BitRAT
+ 78 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat agilenet persistence trojan upx
Link:
https://tria.ge/reports/210306-clpm4sxgpx/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
5586ef434d41ac7bb60ad57a628edf85fcc53ec6617680e3b77730054eb1076d
MD5 hash:
6282b0c5f353fb2e52ef52934fdf4c9a
SHA1 hash:
351978b673a71d15ed2d3c881457e4aebb4a286f
Link:
https://www.unpac.me/results/ad7226c2-e72f-463e-b197-b2f3445e3176/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/5586ef434d41ac7bb60ad57a628edf85fcc53ec6617680e3b77730054eb1076d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

rar 1e9d1d19cd4ac0e24e07f458ca82c1535991a1f1b7da777f93399f33a37ea339

BitRAT

Executable exe 5586ef434d41ac7bb60ad57a628edf85fcc53ec6617680e3b77730054eb1076d

(this sample)

  
Dropped by
MD5 be380430287e874f10f75e4ca81f8a11
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/122593/
  
Dropped by
SHA256 1e9d1d19cd4ac0e24e07f458ca82c1535991a1f1b7da777f93399f33a37ea339

Comments