MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c0b8d19ccb66f0fbe99c4882d620a3bc5c95a78e67a8fc7f69918c404bfd4a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 7

Intelligence 7 IOCs 1 YARA 3 File information Comments

SHA256 hash:	6c0b8d19ccb66f0fbe99c4882d620a3bc5c95a78e67a8fc7f69918c404bfd4a0
SHA3-384 hash:	51fbca9e33538825625eaf7af2c9f071f633f7daa0c1739039a6e9d4d755b36196b4179500799da14683d6a90f6341f7
SHA1 hash:	b6186ca1301c5b05910013a62d08d01751c74e3e
MD5 hash:	233c0db3afe81ec0b12859e9ed2ad96e
humanhash:	utah-beryllium-wyoming-london
File name:	P0#27-08-2021.exe
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	2'149'128 bytes
First seen:	2021-08-27 10:20:59 UTC
Last seen:	2021-08-27 11:03:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	49152:RHRk1X5GhWaMRWWxVAe25ZoyJk3d4iGm44ut:dmGbh7uyJkiivI
Threatray	406 similar samples on MalwareBazaar
TLSH	T1A8A52300D6A1EFA1CABF4D3AD1FAD84929374DE18E31D7EAC0DCBD65340638949E6943
dhash icon	4db292f2d88cb40b (15 x RemcosRAT, 13 x AgentTesla, 7 x NanoCore)
Reporter	abuse_ch
Tags:	BitRAT exe RAT

abuse_ch

BitRAT C2:
79.134.225.103:8443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
79.134.225.103:8443	https://threatfox.abuse.ch/ioc/200881/

Intelligence

File Origin

# of uploads :

# of downloads :

207

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

P0#27-08-2021.exe

Verdict:

Malicious activity

Analysis date:

2021-08-27 10:22:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f4b42817-65ed-42ef-873c-5edd0f1f1a76

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BitRAT

Link:

https://www.capesandbox.com/analysis/182910/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.EVZ.genEldorado.13026.11387.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Malware family:

Quasar RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/83fec332-ae9b-4039-80d9-99a45ce8a5dc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6c0b8d19ccb66f0fbe99c4882d620a3bc5c95a78e67a8fc7f69918c404bfd4a0/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nqfy2gomwzxq7puzysec2yqkhpc4swty4z5i7r7wtemmibf72sqa._file

Verdict:

unknown

BitRAT

24fcb2c5bee18a1ace6dca1924a4fa86d0840a29ebfebd271a4f1399e758a895

BitRAT

28184c88216897491c60fc75dbd6bd99a2f436a5cf8c7f4322f10d2245b4dba5

BitRAT

2af6f37a02bc512145fe57de3bb9b8a334267f927bb2c9032485717829861ea7

BitRAT

30f3eecdbc1298dc6ba731ffc775390ee61b2bda813ba8f7763c9c39293ce33c

BitRAT

685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03

BitRAT

82f425150e933ae4f1f3174cf68bbfdb0e8ed8767b511e80ff95595881c9867b

BitRAT

aa8387d7f0ca4dd4df76445ce68a9851356a9407084c999190baf887ff617bfe

BitRAT

+ 396 additional samples on MalwareBazaar

Result

Malware family:

bitrat

Score:

10/10

Tags:

family:bitrat persistence trojan

Link:

https://tria.ge/reports/210827-lyp83eck5j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

BitRAT

BitRAT Payload

Unpacked files

SH256 hash:

b7dbf2f7df0e13ce312b0efab74ebe9a342823456c5b145bf704357a693bef73

MD5 hash:

601504d650f1d36002167112c9fd0026

SHA1 hash:

a831a1ae91b42ec7f4be4402aafac3e3c8c20445

Link:

https://www.unpac.me/results/19106d01-1035-4df8-9c38-4cf8dff354bf/

SH256 hash:

39081e4007af60b2ec0ca8c5ff8318c37ae4ff05560ac2544f6a699da44097b3

MD5 hash:

c05d1001eb3e382490ce5378ed1dcc2e

SHA1 hash:

9546d5a429188e8d74a921a76025f3ff4bdc8129

Link:

https://www.unpac.me/results/19106d01-1035-4df8-9c38-4cf8dff354bf/

SH256 hash:

ab9185b6b48589903efdf543b48048c35af5d0a93edaa771dee61c9fa43f63e2

MD5 hash:

f328c1fc9d7248441ec289d1c3dec118

SHA1 hash:

21cd78ac4013e834e39b062bd4c3218357ce9630

Link:

https://www.unpac.me/results/19106d01-1035-4df8-9c38-4cf8dff354bf/

SH256 hash:

6c0b8d19ccb66f0fbe99c4882d620a3bc5c95a78e67a8fc7f69918c404bfd4a0

MD5 hash:

233c0db3afe81ec0b12859e9ed2ad96e

SHA1 hash:

b6186ca1301c5b05910013a62d08d01751c74e3e

Link:

https://www.unpac.me/results/19106d01-1035-4df8-9c38-4cf8dff354bf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.13

Link:

https://yomi.yoroi.company/submissions/6c0b8d19ccb66f0fbe99c4882d620a3bc5c95a78e67a8fc7f69918c404bfd4a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/182910/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample