MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 697414e831f2574b2dc65e397d2dddc2acca45c47890308750af5cccbb2d46a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 697414e831f2574b2dc65e397d2dddc2acca45c47890308750af5cccbb2d46a8
SHA3-384 hash: c86a6d9e17b7df09b9e5f05c2f942e13411a6a4f8aee07d6c261e180c4d8961a1b880e018b284b6f616deae83c1cb2c6
SHA1 hash: 20e0e67522ee702e9f5f32d44af685cfc8b56009
MD5 hash: 1d9afc3b06154312da8b0b9395e8fe7f
humanhash: emma-seventeen-red-blossom
File name:ORDER.scr.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'304'000 bytes
First seen:2021-08-26 05:40:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:rpNxojZEgpJE8R7Wwlh78ebqNR9FGwQreXQ:rp7ojZhpJzRiwlhgsqvlYe
Threatray 480 similar samples on MalwareBazaar
TLSH T155B52292923C2DE7F8EC7DF692626BAC09591C818C31D60AD51F3CD8F873617DA192C5
dhash icon 27d0d8d4d4d8d027 (24 x AgentTesla, 8 x SnakeKeylogger, 7 x Formbook)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
37.0.11.212:4444

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
37.0.11.212:4444 https://threatfox.abuse.ch/ioc/197552/

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER.scr.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-26 05:43:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ada315ea-f7c9-490a-8f63-cd2f1bf645ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182476/
Detection(s):
Win.Malware.Score-7597125-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e55f5f3f-48f9-4da3-bc72-4cebe54d097c
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/839474
Signature
.NET source code contains potential unpacker
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Deletes itself after installation
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/697414e831f2574b2dc65e397d2dddc2acca45c47890308750af5cccbb2d46a8/
Threat name:
ByteCode-MSIL.Ransomware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-08-26 05:41:05 UTC
AV detection:
6 of 39 (15.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nf2bj2br6jluwlogly4x2lo5ykwmuroepcidbb2qv5omzozni2ua._file
Verdict:
malicious
Similar samples:
03957e1a76e380308206465031a99a1db9e7afce4b82e021f0f8f94888b791b2
BitRAT
0b6efdd0f3f4dddee58af21631051999c5e9d7968a3ba2e7a34388c42375a457
BitRAT
0eaeab189b978e9babdb4324c22d4bb708e3b33c0016f52e37aa66efae4a310e
BitRAT
185d25898a718d3e3ff6d12a3ad18f12734c73859ed4ff1993ce1e4a011485f2
BitRAT
4bddc1b65b7a24af3d24bddcd3722811775f3f98a65fbc433c762e1615af28c1
BitRAT
b4f128cdd69eb21d1de98b00303e01258993fe7fba7467aa8ab642df03ffd890
BitRAT
c3e53e28198dfe92caa7b46355f543dd18c0353ef42f2e28862682a79e863735
BitRAT
e386c831df697e516fedcab1ad8a879ae057a5f4f321a873dcd31e9c6760009e
BitRAT
+ 470 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence suricata trojan
Link:
https://tria.ge/reports/210826-mxzvr9jhsj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
BitRAT
BitRAT Payload
Modifies WinLogon for persistence
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Unpacked files
SH256 hash:
b375680d1aad8ecff7bb54f489bcef84fab601f402f7866ae295a10423188c2b
MD5 hash:
4bd520a1ed7e07c2f78711c6179facbb
SHA1 hash:
ca2942bed625a32a8872482f465129038324f4fe
Link:
https://www.unpac.me/results/792b84f8-56b8-49e2-b183-3d2dc4eb57d7/
SH256 hash:
17efe64a21995998e836a0a20559e9aa36b1480b73483b2400a8028049e7e9cd
MD5 hash:
ac10051fbc4a062c23174965d95e9f29
SHA1 hash:
865dd7f6855a4c0697873b175b1a9f1de85260fe
Link:
https://www.unpac.me/results/792b84f8-56b8-49e2-b183-3d2dc4eb57d7/
SH256 hash:
13150b10ed754b828d4b8de44bafe4aaf6bf5aeeaa37953f0b4082dff32a130b
MD5 hash:
5337b9ddb1ee2dde2abfcbb221cce3c5
SHA1 hash:
259c1f392aaae3667a8ead3c218c12585750a602
Link:
https://www.unpac.me/results/792b84f8-56b8-49e2-b183-3d2dc4eb57d7/
SH256 hash:
351698559abdd38f9ba5eb2824bacaa0ef76e5467effe03d403a63ebdb36a8f5
MD5 hash:
021807f3c0f0cde1c54ca6e21bf6e8e8
SHA1 hash:
1b91698f0421ef373dfb90e6cfd608d8296c0a15
Link:
https://www.unpac.me/results/792b84f8-56b8-49e2-b183-3d2dc4eb57d7/
SH256 hash:
697414e831f2574b2dc65e397d2dddc2acca45c47890308750af5cccbb2d46a8
MD5 hash:
1d9afc3b06154312da8b0b9395e8fe7f
SHA1 hash:
20e0e67522ee702e9f5f32d44af685cfc8b56009
Link:
https://www.unpac.me/results/792b84f8-56b8-49e2-b183-3d2dc4eb57d7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/697414e831f2574b2dc65e397d2dddc2acca45c47890308750af5cccbb2d46a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/182476/

Comments