MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a6d545fd995dbffb75332ad4a05e32f20777410b36e633c42e4f6c8cdc685d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a6d545fd995dbffb75332ad4a05e32f20777410b36e633c42e4f6c8cdc685d2
SHA3-384 hash: 8c099769347848fb49a8f1f9292514a9d8065a4ba089884d1f396686b6fc8354b1a98a04a94b951b78d73f29023443d6
SHA1 hash: 6e7882f260d11bff03c8b70ea6ee2f5262746c89
MD5 hash: 784307274334e2f6a527d66d258ebf4d
humanhash: indigo-wisconsin-pluto-shade
File name:Gnqavfhmcsecxlwdiltkkverstraextmrm.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:839'682 bytes
First seen:2021-06-25 18:57:07 UTC
Last seen:2021-06-25 19:38:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6a48f924a282039a5db311ed672f90ea (1 x BitRAT)
ssdeep 12288:7NgPr+1U2uRKPWYhvkmeYSd4FlAj06s1LCj+jSiuPBR5lpbTYwOQU6/Q:7NgKxw/UcmlTnxYj+SBR8bwQ
Threatray 29 similar samples on MalwareBazaar
TLSH 1D057D63BA928877D16104785D0BDFB4A91B7F10653864C1ABF02D6DFF3B7607A3908A
Reporter James_inthe_box
Tags:BitRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Gnqavfhmcsecxlwdiltkkverstraextmrm.exe
Verdict:
Malicious activity
Analysis date:
2021-06-25 18:57:58 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/80245f20-6586-4eec-b977-6578bab75378

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168383/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/644fd1a0-3f18-40c1-ba57-239ec3920c9a
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808282
Signature
Creates a thread in another existing process (thread injection)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a6d545fd995dbffb75332ad4a05e32f20777410b36e633c42e4f6c8cdc685d2/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 18:56:58 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
11 of 29 (37.93%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=njwvix6zsxn77n2tgkwuubpdf4qho5aqwnxggpcc4t3mrtogqxja._file
Verdict:
malicious
Similar samples:
047ca53bf616a52ba6946c0a6cf6676a3030b0baf6d987b6268203caebd87b74
BitRAT
0c3748f23fb4ade0edb0e497f0f39adc528cec04ac7530e15e3f5baad6b69567
BitRAT
0ff6edaf3533a3627afc5e2d74446e0c315087afe958b5fb2cc0a7ccb793d501
BitRAT
33f0d367ae282d4c9b9a6acbfefd3e86999eb84fc65c43d99f1de1b95c1f80af
BitRAT
3d263b6e2cdc6e43060faf06203a211ed5f716238157fc36f3f0d5b21777c0ac
BitRAT
3f5ccdc99b29651852d447f8587f5cfa5e108ea10dba0eed36d436a4b6e73719
BitRAT
5ad62a0916dd95d285d01f236f6f4d73573ad62cbe84644b2c60b41c1fd9278e
BitRAT
7a192e61d40bed06f4bad4e004d2a1152f3c1955c4cbe6dcbe4076f400670374
BitRAT
92258f992fbf15509591d96b11cb50eda41cf0c19f35fdd089c311ca5eace947
BitRAT
9d109cc4f855ab857f7bc081a7bd0e2be2a46d59282970f1a189a019b4467173
BitRAT
+ 19 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan upx
Link:
https://tria.ge/reports/210625-ql96rz9gsa/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
fc2e68d5cf20e3f0bd18bb95bfac6e5e9e2f776c422394b743f2fc0be818c120
MD5 hash:
ee143f66c22c13a2bd87fc8490cc3de5
SHA1 hash:
743457daeb10809e06d7cf11e2d2dc48512c395f
Link:
https://www.unpac.me/results/d3b77b33-27ca-47a0-a3b7-9f315463faad/
SH256 hash:
6a6d545fd995dbffb75332ad4a05e32f20777410b36e633c42e4f6c8cdc685d2
MD5 hash:
784307274334e2f6a527d66d258ebf4d
SHA1 hash:
6e7882f260d11bff03c8b70ea6ee2f5262746c89
Link:
https://www.unpac.me/results/d3b77b33-27ca-47a0-a3b7-9f315463faad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6a6d545fd995dbffb75332ad4a05e32f20777410b36e633c42e4f6c8cdc685d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/168383/

Comments