MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bf8991a61f6a801bc10ffca78c4ee78236dfc1a920f29a678c8072b5c2d67ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 3 File information Comments

SHA256 hash:	5bf8991a61f6a801bc10ffca78c4ee78236dfc1a920f29a678c8072b5c2d67ce
SHA3-384 hash:	5fb5c25ad5cae0ecaaeacc64ca71dfe26ea57ca8a5054098cb33de0a7ee997268e69fbc04243fce6f86a85233c0a013f
SHA1 hash:	f32858fbdff39c46f9b8d6888c6bb2bf95b5c0d5
MD5 hash:	b7e6714fff0772bde6bc8cbb3ae7f11b
humanhash:	california-princess-robert-fillet
File name:	b7e6714fff0772bde6bc8cbb3ae7f11b.exe
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	3'943'424 bytes
First seen:	2022-05-26 02:11:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	71955ccbbcbb24efa9f89785e7cce225 (57 x BitRAT)
ssdeep	98304:877Pmq33rE/JDLPWZADUGer7B6iY74M/HmlwXVZaFB:K+R/eZADUXR
Threatray	708 similar samples on MalwareBazaar
TLSH	T15806CF02FA46C562D2170230E96E77BE053CF9354B2085C3B3946E6859B66D17A3BF3B
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	abuse_ch
Tags:	BitRAT exe RAT

abuse_ch

BitRAT C2:
23.84.180.96:5506

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
23.84.180.96:5506	https://threatfox.abuse.ch/ioc/635776/

Intelligence

File Origin

# of uploads :

# of downloads :

355

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

bitrat

ID:

File name:

b7e6714fff0772bde6bc8cbb3ae7f11b.exe

Verdict:

Malicious activity

Analysis date:

2022-05-26 02:14:30 UTC

Tags:

trojan bitrat rat

Link:

https://app.any.run/tasks/dbe0a12b-13de-4efd-8a44-5d4fd74afc78

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BitRAT

Link:

https://www.capesandbox.com/analysis/274632/

Detection(s):

Win.Malware.Mikey-9819889-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

DNS request

Setting a global event handler

Sending a custom TCP request

Setting a global event handler for the keyboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm exploit greyware mikey rat

Link:

https://www.filescan.io/uploads/628ee1fd206e0816183e4ae2/reports/874a2388-4b16-424f-837d-22637644d89a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

BitRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/58fb08cc-240a-4141-9495-914e6c32e777

Result

Threat name:

BitRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1001925

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to hide a thread from the debugger

Found malware configuration

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected BitRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5bf8991a61f6a801bc10ffca78c4ee78236dfc1a920f29a678c8072b5c2d67ce/

Threat name:

Win32.Backdoor.Tiggre

Status:

Malicious

First seen:

2022-05-21 00:03:19 UTC

File Type:

PE (Exe)

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lp4jsgtb62uadpaq77fhrrhoparw37a2sihstjtyzadswxbnm7ha._file

Verdict:

malicious

BitRAT

6f2bfcf2a18e32505a684d6636e68f098a1fae5ceff3f8eacc17f9910709dca2

BitRAT

72458cc243d77848194d37b59aa4081b974d013163899b639d7de3fc03d70a63

BitRAT

9f65568942c70fe8448977f148737a3d283cbfd0155c1f570c6f823bafeb9821

BitRAT

beced991de014438e5a42627fd44721a06fd4fa67b8a58319fc00eb6316169a1

BitRAT

d7c1130bfed2081ab246aa229e524dd38eb91b22af6db68ddb89f1c760379d9a

BitRAT

f3941a25493fe512c5800ffe411c0d4f3b673da008b655c2343734f077963c66

BitRAT

+ 698 additional samples on MalwareBazaar

Result

Malware family:

bitrat

Score:

10/10

Tags:

family:bitrat suricata

Link:

https://tria.ge/reports/220526-cmt7bsfeg4/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

Malware Config

C2 Extraction:

hypervisor.access.ly:5506

Unpacked files

SH256 hash:

5bf8991a61f6a801bc10ffca78c4ee78236dfc1a920f29a678c8072b5c2d67ce

MD5 hash:

b7e6714fff0772bde6bc8cbb3ae7f11b

SHA1 hash:

f32858fbdff39c46f9b8d6888c6bb2bf95b5c0d5

Detections:

win_bit_rat_auto

Link:

https://www.unpac.me/results/d4f62f03-35a0-4368-b472-f3b3c3afacd8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5bf8991a61f6a801bc10ffca78c4ee78236dfc1a920f29a678c8072b5c2d67ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	MALWARE_Win_BitRAT Create hunting rule
Author:	ditekSHen
Description:	Detects BitRAT RAT

Rule name:	win_bit_rat_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.bit_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/274632/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample