MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56d0c7b288fe323703e31519f296d7a1ed4811bc8eb7cf87c56082499aaff297. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56d0c7b288fe323703e31519f296d7a1ed4811bc8eb7cf87c56082499aaff297
SHA3-384 hash: 0650e3ef6b121cf37ca76fa848db4893565b6e683001f77a4d6af0c386337490d89542ff367ee2c3db072350a1c33c5a
SHA1 hash: 9dc896674e6e11c25de7b049c707d195e4f94ba0
MD5 hash: 86b700d7a93e286768075df6eaceed3b
humanhash: magnesium-zebra-lima-emma
File name:Shipment ConfirmationPaper - Customer Copy_pdf.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:45'056 bytes
First seen:2021-01-19 07:27:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 768:blXyQpWE0eoxXkT+dHRdQ6D2pO+4P8TFhxgRj6OmfSPZQDZ4tAbYsDt5MPV7WP7W:bdLl3GbzQ+UTFmwvMPVuW
Threatray 79 similar samples on MalwareBazaar
TLSH 9713700832E8DB06E8BD97F46871605493B274AF39B6E31D0DC234DE19B9F904A91F5B
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
Malspam distributing BitRAT:

HELO: newpacifis.com
Sending IP: 62.173.149.238
From: Shipment Tracker Notice<z0ais@newpacifis.com>
Subject: Delivery Confirmation copy for victim-email
Attachment: Shipment Confirmation Paper.img (contains "Shipment ConfirmationPaper - Customer Copy_pdf.exe")

BitRAT C2:
195.206.105.10:3988

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipment ConfirmationPaper - Customer Copy_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-19 07:59:54 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/59526354-0f03-46b8-b920-8d73e608a631

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112778/
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/584718
Signature
Connects to a pastebin service (likely for C&C)
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Suspicious powershell command line found
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 341393 Sample: Shipment ConfirmationPaper ... Startdate: 19/01/2021 Architecture: WINDOWS Score: 76 54 Yara detected BitRAT 2->54 56 Suspicious powershell command line found 2->56 58 Machine Learning detection for sample 2->58 60 2 other signatures 2->60 9 Shipment ConfirmationPaper - Customer Copy_pdf.exe 15 3 2->9         started        12 Shipment ConfirmationPaper - Customer Copy_pdf.exe 2 2->12         started        process3 dnsIp4 52 paste.ee 172.67.219.133, 443, 49714, 49725 CLOUDFLARENETUS United States 9->52 15 cmd.exe 1 9->15         started        68 Injects a PE file into a foreign processes 12->68 18 Shipment ConfirmationPaper - Customer Copy_pdf.exe 12->18         started        signatures5 process6 dnsIp7 70 Suspicious powershell command line found 15->70 21 powershell.exe 18 15->21         started        23 wscript.exe 15->23         started        26 conhost.exe 15->26         started        28 timeout.exe 1 15->28         started        42 bita.plumfixa.com 195.206.105.10, 3988, 49745, 49749 M247GB Romania 18->42 44 192.168.2.1 unknown unknown 18->44 72 Hides threads from debuggers 18->72 30 WerFault.exe 18->30         started        32 WerFault.exe 18->32         started        signatures8 process9 signatures10 34 Shipment ConfirmationPaper - Customer Copy_pdf.exe 2 21->34         started        64 Drops PE files to the startup folder 23->64 process11 dnsIp12 46 104.21.45.223, 443, 49744 CLOUDFLARENETUS United States 34->46 48 paste.ee 34->48 62 Injects a PE file into a foreign processes 34->62 38 Shipment ConfirmationPaper - Customer Copy_pdf.exe 34->38         started        signatures13 process14 dnsIp15 50 bita.plumfixa.com 38->50 66 Hides threads from debuggers 38->66 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56d0c7b288fe323703e31519f296d7a1ed4811bc8eb7cf87c56082499aaff297/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k3impmui7yzdoa7dcum7ffwxuhwuqen4r2347b6fmcbetgvp6klq._file
Verdict:
malicious
Similar samples:
10a2b667b6294c999ff6db8e6b89ac9272aaebb1c4fa526125c646ac5c7b6b28
BitRAT
1c1b2595e6838a1ee24e806ff60b80a40ad7166caaaaf65080deda57c7292c53
BitRAT
22dbe6172d32b9b90d66036688e440a9026524f8c4c61b1c05f45dbd63919483
BitRAT
243e8ba43bcdb6634c77835df678964743893a30f4d2abe9596f2add2882e074
BitRAT
2ddd796e9b53ab3d7eaf4093529077f637f182a934a851af24da8c8f189aeed3
BitRAT
3cf331e46b6f16ef2a591637b64865d81b19e016ad3f4f3280aa1a872f1261ab
BitRAT
80104e0ad490b44a632a15e5875e7626db7f35fa94d7aadf19c45a621d75c7e0
BitRAT
8fdc007dd13e7c0c5bbe426da723499db81518697eb84d2fd2a0181996d276fa
BitRAT
9ffa16b91dc10936865d1d9849940c9d27276fd6acd6ab947d31e7f80322eea2
BitRAT
ef3436a1198e62ccb908d35b3dea6cfed17414f2e59ab62686277d978f5fd73c
BitRAT
+ 69 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan
Link:
https://tria.ge/reports/210119-ndnl6p3g9e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
56d0c7b288fe323703e31519f296d7a1ed4811bc8eb7cf87c56082499aaff297
MD5 hash:
86b700d7a93e286768075df6eaceed3b
SHA1 hash:
9dc896674e6e11c25de7b049c707d195e4f94ba0
Link:
https://www.unpac.me/results/133c8c8c-8278-44d8-a2d9-1992491fe635/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/56d0c7b288fe323703e31519f296d7a1ed4811bc8eb7cf87c56082499aaff297

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

img ab1712dbad9d26b882d4b619ae90b1293d4fca025916f04a2df4e6c2b5c20d4d

BitRAT

Executable exe 56d0c7b288fe323703e31519f296d7a1ed4811bc8eb7cf87c56082499aaff297

(this sample)

  
Dropped by
MD5 84e2323a786e025d04d5279946d870c4
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ab1712dbad9d26b882d4b619ae90b1293d4fca025916f04a2df4e6c2b5c20d4d
Cape
Cape
https://www.capesandbox.com/analysis/112778/

Comments