MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d7fac5d7bfe833eb0756a174ceb9ea8280cd3f9858215924284af1b559bd81f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d7fac5d7bfe833eb0756a174ceb9ea8280cd3f9858215924284af1b559bd81f
SHA3-384 hash: da2c6d0768c7ad7c7cd3943649affbcf15b97b2ef91fbe8b976060cf004247562ac32eddc750f07f57da7bdf358c2a80
SHA1 hash: a9d34d4ef62afbeed8f74c18c212e2c1d4c3f7cb
MD5 hash: 537d313f3dfe75d7a9d4f36f80cce049
humanhash: tennessee-cold-missouri-lithium
File name:537d313f3dfe75d7a9d4f36f80cce049
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'846'784 bytes
First seen:2021-08-11 06:01:05 UTC
Last seen:2021-08-11 07:11:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:pAESWFubG04k1ImcRlJtquEwR/r28SJ4tIMBegTbV:MZGXk12nt5Fr28Sqt7UgTbV
Threatray 367 similar samples on MalwareBazaar
TLSH T1268533C59B4C5826E08A0EBCC8E37DF507625B517032D72F087DBEAE396AB05A9D7053
dhash icon b168eae46c39d928 (9 x AgentTesla, 8 x SnakeKeylogger, 6 x BitRAT)
Reporter zbetcheckin
Tags:32 BitRAT exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.71:3050 https://threatfox.abuse.ch/ioc/171074/

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
sample.exe
Verdict:
Malicious activity
Analysis date:
2021-08-11 01:49:20 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/815fd138-5034-4aa9-85ce-afb375f4a1f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/178094/
Detection(s):
SecuriteInfo.com.generic.ml.22951.32540.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Sending a UDP request
Using the Windows Management Instrumentation requests
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7d306e5-bc5c-4a0c-8525-d5793d53ef47
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/830626
Signature
.NET source code contains potential unpacker
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 463056 Sample: yoBEjyCH4F Startdate: 11/08/2021 Architecture: WINDOWS Score: 96 41 eter102.dvrlists.com 2->41 43 dns.google 2->43 45 8.8.8.8.in-addr.arpa 2->45 57 Multi AV Scanner detection for submitted file 2->57 59 .NET source code contains potential unpacker 2->59 61 Machine Learning detection for sample 2->61 63 3 other signatures 2->63 9 yoBEjyCH4F.exe 4 9 2->9         started        13 outlook.exe 2->13         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming\outlook.exe, PE32 9->33 dropped 35 C:\Users\user\AppData\...\yoBEjyCH4F.exe, PE32 9->35 dropped 37 C:\Users\user\...\outlook.exe:Zone.Identifier, ASCII 9->37 dropped 39 3 other malicious files 9->39 dropped 65 Writes to foreign memory regions 9->65 67 Injects a PE file into a foreign processes 9->67 15 yoBEjyCH4F.exe 9->15         started        18 wscript.exe 1 9->18         started        20 yoBEjyCH4F.exe 9->20         started        23 2 other processes 9->23 69 Multi AV Scanner detection for dropped file 13->69 71 Machine Learning detection for dropped file 13->71 signatures6 process7 dnsIp8 73 Multi AV Scanner detection for dropped file 15->73 75 Machine Learning detection for dropped file 15->75 77 Wscript starts Powershell (via cmd or directly) 18->77 25 powershell.exe 24 18->25         started        47 eter102.dvrlists.com 79.134.225.71, 3050, 49735, 49736 FINK-TELECOM-SERVICESCH Switzerland 20->47 49 dns.google 20->49 79 Hides threads from debuggers 20->79 51 192.168.2.1 unknown unknown 23->51 53 dns.google 23->53 55 3 other IPs or domains 23->55 27 conhost.exe 23->27         started        29 conhost.exe 23->29         started        signatures9 process10 process11 31 conhost.exe 25->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d7fac5d7bfe833eb0756a174ceb9ea8280cd3f9858215924284af1b559bd81f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 05:10:39 UTC
AV detection:
14 of 47 (29.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nv72yxl372bt5mdvniluz246vauazu7zqwbblescqsxrwvm33apq._file
Verdict:
malicious
Similar samples:
09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767
BitRAT
0a9f7e6ef8592c3807d409340f351188d49da9b7cbe210b875995d85921a5e91
BitRAT
127a77aec69d301ec0eff62153eb160c7a195df26de7ac8617572b2433be6528
BitRAT
18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b
BitRAT
b610d1ae855f79028cabdbd3c1160bc330ef68a7f30ab5544d00b09af341cc68
BitRAT
dcb73a0ea23548167bd5724418377fe1e8c88f1be3125c0df6cc89722bb26f33
BitRAT
f1041f8beb103e1f63fa8d5234ed3b5a55a37d1c675755040dbb08836c210a90
BitRAT
+ 357 additional samples on MalwareBazaar
Result
Malware family:
xenarmor
Create hunting rule
Score:
  10/10
Tags:
family:bitrat family:xenarmor password persistence recovery spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/210811-zm9wdg8tg2/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
BitRAT
BitRAT Payload
XenArmor Suite
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Unpacked files
SH256 hash:
c28f4f3ec90a848f3ca0d9ebf14a615500a1501bd6391a1693fb46d813e4ef0c
MD5 hash:
e8ce0064b4690b2ff3bd61a7ae0b609b
SHA1 hash:
b0d38214d65b8d529f185bc2fb6e01a0860fc189
Link:
https://www.unpac.me/results/847aabea-1b29-494d-8471-40ce4ac2e5d1/
SH256 hash:
531520e5afbd5a9fdd9e5df118292a1f82e05d963b485a0c0b8c7c5b4f935457
MD5 hash:
64993e5950d66d3b7fbcbafd596d586d
SHA1 hash:
ffbc1dafb135f197ceaf469e92b715ccdb13bed8
Link:
https://www.unpac.me/results/847aabea-1b29-494d-8471-40ce4ac2e5d1/
SH256 hash:
5a671048eb4c1e2af6963972eb953cf431bcd2761327e6fa96e492f393d30de3
MD5 hash:
d3c7de6f10fb3c92f3f2d99c4a5d32e5
SHA1 hash:
a0430bdabe270814e024cd04eb7fae540d383fcc
Link:
https://www.unpac.me/results/847aabea-1b29-494d-8471-40ce4ac2e5d1/
SH256 hash:
6d7fac5d7bfe833eb0756a174ceb9ea8280cd3f9858215924284af1b559bd81f
MD5 hash:
537d313f3dfe75d7a9d4f36f80cce049
SHA1 hash:
a9d34d4ef62afbeed8f74c18c212e2c1d4c3f7cb
Link:
https://www.unpac.me/results/847aabea-1b29-494d-8471-40ce4ac2e5d1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d7fac5d7bfe833eb0756a174ceb9ea8280cd3f9858215924284af1b559bd81f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 6d7fac5d7bfe833eb0756a174ceb9ea8280cd3f9858215924284af1b559bd81f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1523982/
Cape
Cape
https://www.capesandbox.com/analysis/178094/

Comments


Avatar
zbet commented on 2021-08-11 06:01:06 UTC

url : hxxp://augustair.com/Resources/eft/edi.exe