MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64c5cef637dfe34195d0a1f447c6ff12e21df911ee05afa060c6e867ab1a67d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	64c5cef637dfe34195d0a1f447c6ff12e21df911ee05afa060c6e867ab1a67d8
SHA3-384 hash:	3495ad9178cb42504dfdd03c481d7a541ff428db826d152bcee97376c37ca580db2b930aade19729f9132193ff4a995e
SHA1 hash:	5652458396d0d097f0a148f10c47a843ec720a1f
MD5 hash:	55c5907f6fb3cb0345040952270e7b4a
humanhash:	stairway-london-whiskey-coffee
File name:	PO_INV_2435158.xll
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	568'832 bytes
First seen:	2021-12-20 08:41:33 UTC
Last seen:	Never
File type:	xll
MIME type:	application/x-dosexec
imphash	a31761b5a590c4c499d5f4a347d75c12 (23 x Formbook, 17 x AgentTesla, 6 x RedLineStealer)
ssdeep	12288:Nn/zDvGHAykHSzLW/4+8bzbBSreMdvUgFK/UqW:hzbGHAzHAjX1VcL
Threatray	19 similar samples on MalwareBazaar
TLSH	T1BAC48D57F7C7FAB0E6BE827A86B1851C527774920260A78F674072896D23392493DF0F
Reporter	Anonymous
Tags:	xll

Intelligence

File Origin

# of uploads :

# of downloads :

132

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://baclav.com/VhLxVesk/PO_INV_2435158.xll

Verdict:

Suspicious activity

Analysis date:

2021-11-23 07:08:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e4911ceb-df42-4d7f-8a8d-7d2231cc925c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Artemis4EBC548DF517.17970.15145.UNOFFICIAL

Result

Verdict:

Malicious

File Type:

Office Add-Ins - Suspicious

Link:

https://app.docguard.net/64c5cef637dfe34195d0a1f447c6ff12e21df911ee05afa060c6e867ab1a67d8/results/dashboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed packed

Link:

https://www.filescan.io/uploads/61c041de4ab5c44cbf4a04fd/reports/255cefb5-e9fe-428c-8d07-b485ad5c0bf4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/64c5cef637dfe34195d0a1f447c6ff12e21df911ee05afa060c6e867ab1a67d8/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2021-11-23 12:28:08 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

17 of 42 (40.48%)

Threat level:

5/5

Verdict:

malicious

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/211220-kl1xgsahdp/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Loads dropped DLL

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/64c5cef637dfe34195d0a1f447c6ff12e21df911ee05afa060c6e867ab1a67d8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

URLhaus

https://urlhaus.abuse.ch/url/1903599/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample