MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 657a84ee835cf7d47f30fa352ab511e15ec8235bf7876f4264cf9885e10aee57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 657a84ee835cf7d47f30fa352ab511e15ec8235bf7876f4264cf9885e10aee57
SHA3-384 hash: f38399ee6a1d551dbc5c8879cebdaa350d437e5d2f5feb7d2171854e3bd66f0993a8c2da60241da1557c908200b6d6c5
SHA1 hash: d96423f7cce4bc21ba2d0aee774c7db85e84ab82
MD5 hash: 0ca40808fdaccc210951a3c46bd79415
humanhash: michigan-violet-princess-two
File name:0ca40808fdaccc210951a3c46bd79415.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'768'359 bytes
First seen:2020-10-21 10:47:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 49152:aV3cLjmi3DQn6It81l0TzL09QeeeoGmKpTBT:VLjFTu6w81l0TXqQ0o7GF
Threatray 305 similar samples on MalwareBazaar
TLSH 628533A679B0E87FD35015B626D9DEAB3B71CF820102EEC6C366765E7C77248016F290
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
45.147.231.65:3002

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74094/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

PUA.Win.Adware.Browserio-6725861-0
Create hunting rule

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Creating a file in the %AppData% subdirectories
Launching a process
Deleting a recently created file
Creating a window
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505698
Signature
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Hijacks the control flow in another process
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 301911 Sample: aC24xtchGS.exe Startdate: 21/10/2020 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for dropped file 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected BitRAT 2->40 7 aC24xtchGS.exe 36 2->7         started        process3 file4 24 C:\Users\user\AppData\Local\...\Aluminium.dll, PE32 7->24 dropped 26 C:\Users\user\AppData\...\mscoreer.dll, PE32 7->26 dropped 28 C:\Users\user\AppData\...\msats10ui.dll, PE32 7->28 dropped 30 5 other files (none is malicious) 7->30 dropped 10 rundll32.exe 7->10         started        process5 signatures6 42 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->42 44 Hijacks the control flow in another process 10->44 46 Maps a DLL or memory area into another process 10->46 13 notepad.exe 3 2 10->13         started        18 notepad.exe 10->18         started        20 cmd.exe 10->20         started        22 4 other processes 10->22 process7 dnsIp8 34 45.147.231.65, 3002 COMBAHTONcombahtonGmbHDE Germany 13->34 32 C:\Users\user\AppData\Local:21-10-2020, HTML 13->32 dropped 48 System process connects to network (likely due to code injection or exploit) 13->48 50 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->50 52 Creates files in alternative data streams (ADS) 13->52 60 2 other signatures 13->60 54 Contains functionality to inject code into remote processes 18->54 56 Tries to detect virtualization through RDTSC time measurements 18->56 58 Contains functionality to hide a thread from the debugger 18->58 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/657a84ee835cf7d47f30fa352ab511e15ec8235bf7876f4264cf9885e10aee57/
Threat name:
Win32.Spyware.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 09:06:36 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mv5ij3udlt35i7zq7i2svnir4fpmqi2366dw6qtez6milyik5zlq._file
Verdict:
unknown
Similar samples:
0e4c5cf2d1d60e4931c7af6021073006379935d688f5f55ad21fb29844d75a5a
BitRAT
46ceaed6d9f20fc2b5d51a63957ea0a5772f33ac4d58b1024cce8eb1c207567e
BitRAT
570672980a21fd2c45d02d6c6765bbce984f207f0f6ec0ec7c4a38eafe6c8931
BitRAT
5d9004bb38a2e4c6ee1528f75e8453e778d9f39a3e7d9f02ee7821eae65cf886
BitRAT
5e23eed104a5bd67c8ae3abe1f3554abac8500bf9f916992df36246b06f14419
BitRAT
72ec3dcd3d7a197c45c66605330968f86044d6a2ec37bf843e33b7f4668781f9
BitRAT
959621ed5f48dbbefe1c0e0e0a87bba88bc7a6b39cd1e10af930e1b969de9f97
BitRAT
9ea8141b737b1dd5d56c800d4f84048014d83489f0fb3a78e42076a81186e30d
BitRAT
c2f42cfcfafad77546d57cbfde6a6f4c1c75d684a81304d1ec901285b1873bd3
BitRAT
fad58c442302c02a2750bc532c0c4705f6193e8cabb2acbc88181cdd328d6145
BitRAT
+ 295 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx persistence
Link:
https://tria.ge/reports/201021-6kv2ytzh4x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Loads dropped DLL
Blacklisted process makes network request
UPX packed file
Unpacked files
SH256 hash:
657a84ee835cf7d47f30fa352ab511e15ec8235bf7876f4264cf9885e10aee57
MD5 hash:
0ca40808fdaccc210951a3c46bd79415
SHA1 hash:
d96423f7cce4bc21ba2d0aee774c7db85e84ab82
Link:
https://www.unpac.me/results/ab8aa842-2170-4d4a-8ca1-2f7d67b756c9/
SH256 hash:
358d530e6d5b48f9a57a4aaefe7b2cbbbf8d385f9e04f3745f9bb1ab292dd91b
MD5 hash:
313bc82cdc7f3253989fe738f13a028b
SHA1 hash:
fcca86e13f9555b5012fa928bc6aa08ab3b206b2
Link:
https://www.unpac.me/results/ab8aa842-2170-4d4a-8ca1-2f7d67b756c9/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_bit_rat_w0
Create hunting rule
Author:KrabsOnSecurity
Description:String-based rule for detecting BitRAT malware payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 657a84ee835cf7d47f30fa352ab511e15ec8235bf7876f4264cf9885e10aee57

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/74094/
  
URLhaus
https://urlhaus.abuse.ch/url/728279/
  
Delivery method
Distributed via web download

Comments