MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c2a2251861a6d2701814843fadac940cf4d34db9f446f0698352fd866b31739. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c2a2251861a6d2701814843fadac940cf4d34db9f446f0698352fd866b31739
SHA3-384 hash: 244a5649046529589b883bff41a06b16be15b33b0a62193d306503b0e6098676daab656287800a24dee65d1c80bc1134
SHA1 hash: a2915c1be9e6134b7bf3ca5ca00eeb0c969bedab
MD5 hash: 1b09de36dfe5850d7e3fbd6b39c89a43
humanhash: twenty-carpet-three-october
File name:1b09de36dfe5850d7e3fbd6b39c89a43.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:4'538'880 bytes
First seen:2021-02-11 09:58:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 98304:odZKncXpZhCPgnZpfAlAMlrl2jrdyDKW9DqsNHammeZU:xi2oZ9AOkl23dyDosNHa7eZ
Threatray 1'456 similar samples on MalwareBazaar
TLSH CD2612AC36607A9EC5B7C8368DA81C34FB78B466171BD20790570AAD9D0DE5BDF200F6
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
51.81.241.89:8331

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1b09de36dfe5850d7e3fbd6b39c89a43.exe
Verdict:
Malicious activity
Analysis date:
2021-02-11 10:01:06 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/d192b25d-d66f-4860-a80a-25b618431c27

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116767/
Detection(s):
SecuriteInfo.com.Generic.mg.1b09de36dfe5850d.24204.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/605633
Signature
.NET source code contains potential unpacker
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 351856 Sample: zZl3d5daef.exe Startdate: 11/02/2021 Architecture: WINDOWS Score: 100 75 Multi AV Scanner detection for dropped file 2->75 77 Sigma detected: Scheduled temp file as task from temp location 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 8 other signatures 2->81 10 zZl3d5daef.exe 7 2->10         started        process3 file4 65 C:\Users\user\AppData\...\gCZElEeyCymyju.exe, PE32 10->65 dropped 67 C:\...\gCZElEeyCymyju.exe:Zone.Identifier, ASCII 10->67 dropped 69 C:\Users\user\AppData\Local\...\tmp8D61.tmp, XML 10->69 dropped 71 C:\Users\user\AppData\...\zZl3d5daef.exe.log, ASCII 10->71 dropped 85 Contains functionality to hide a thread from the debugger 10->85 14 zZl3d5daef.exe 3 1 10->14         started        18 schtasks.exe 1 10->18         started        signatures5 process6 dnsIp7 73 51.81.241.89, 49728, 49729, 49730 OVHFR United States 14->73 87 Hides threads from debuggers 14->87 20 fodhelper.exe 1 15 14->20         started        22 fodhelper.exe 12 14->22         started        24 fodhelper.exe 14->24         started        26 fodhelper.exe 14->26         started        28 conhost.exe 18->28         started        signatures8 process9 process10 30 zZl3d5daef.exe 4 20->30         started        32 zZl3d5daef.exe 22->32         started        34 zZl3d5daef.exe 24->34         started        36 zZl3d5daef.exe 26->36         started        process11 38 zZl3d5daef.exe 30->38         started        41 schtasks.exe 30->41         started        51 3 other processes 30->51 43 zZl3d5daef.exe 32->43         started        45 schtasks.exe 32->45         started        53 2 other processes 32->53 47 zZl3d5daef.exe 34->47         started        49 schtasks.exe 34->49         started        55 4 other processes 36->55 signatures12 57 conhost.exe 41->57         started        83 Hides threads from debuggers 43->83 59 conhost.exe 45->59         started        61 conhost.exe 49->61         started        63 conhost.exe 55->63         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c2a2251861a6d2701814843fadac940cf4d34db9f446f0698352fd866b31739/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-02-11 08:05:23 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nqvceumgdjwsoambjbb7vwwjidhu2ng3t5cg6buygux5qzvtc44q._file
Verdict:
malicious
Similar samples:
533aa4375a4eac85feb6d0ab962c38a68775ed412d056ed12535605fd5c1f415
BitRAT
56d0c7b288fe323703e31519f296d7a1ed4811bc8eb7cf87c56082499aaff297
BitRAT
6c212901b861bddfecd68559ceecc3a35898d965b4e56aeb67febbfa65dc9d52
BitRAT
76e5467f267a4bca00af800094c3a92f6bd51de54737f07c533d091e2f219b40
BitRAT
79e6d1b262a31a2619284f38b059e266d0fa27109c9b1f4fc9100aa6bb619e05
BitRAT
83665f8cf0fc798b6dbeca777554aeaeb9d9cc53e27674c36e67294729d118f0
BitRAT
8fdc007dd13e7c0c5bbe426da723499db81518697eb84d2fd2a0181996d276fa
BitRAT
a294e980bb7b7e74981a67379dd4c589803d0d5c17946b3b00ce561791ecfc63
BitRAT
a52ed9486d2ccdf0a9e29fe70ea7df8ddcb8bc06f9329664a310ae32d1308d6f
BitRAT
b895fbf7b60e9534de3a12e5e6c3b5dbe8a5f6149be49e50beae19e0a9006999
BitRAT
+ 1'446 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan
Link:
https://tria.ge/reports/210211-4bn7etvkza/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
bd6e5a5c4b82b4888f7f22ac2cd34e1fbd970d1144da1d850feb51febbe0130a
MD5 hash:
81051978b17c6d9028dbab8f98ad6519
SHA1 hash:
3a06943829159c70666df1fcdb8a9b2293aca3e3
Link:
https://www.unpac.me/results/733aa378-6de1-4475-adc4-f6911f28e2b3/
SH256 hash:
2b2bcf851c2b87033fd24c890c2a1de3642564f7cec7282982d96b8280baa849
MD5 hash:
befb0470c71d676cc891cba16088975d
SHA1 hash:
5b7143f97d1d656fd1cacf70949048c1951b639a
Link:
https://www.unpac.me/results/733aa378-6de1-4475-adc4-f6911f28e2b3/
SH256 hash:
f5a1663636a6cff9a0b7035b44dc01fad12a396487cfeb9b61ebd441bec75c91
MD5 hash:
6ff6cfa05cc9e6396c79db9d52c02ee4
SHA1 hash:
cd8fc75d389da09be30e36c413312a05e1c15fac
Link:
https://www.unpac.me/results/733aa378-6de1-4475-adc4-f6911f28e2b3/
SH256 hash:
6c2a2251861a6d2701814843fadac940cf4d34db9f446f0698352fd866b31739
MD5 hash:
1b09de36dfe5850d7e3fbd6b39c89a43
SHA1 hash:
a2915c1be9e6134b7bf3ca5ca00eeb0c969bedab
Link:
https://www.unpac.me/results/733aa378-6de1-4475-adc4-f6911f28e2b3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c2a2251861a6d2701814843fadac940cf4d34db9f446f0698352fd866b31739

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 6c2a2251861a6d2701814843fadac940cf4d34db9f446f0698352fd866b31739

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1000522/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/116767/

Comments