MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e82176449396ea6b244923e666e2147d5f0d5a64b969e2cbbbe983012f5ac90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	6e82176449396ea6b244923e666e2147d5f0d5a64b969e2cbbbe983012f5ac90
SHA3-384 hash:	1afc74ed2fe4639b9af13b40c086426ce75eecb68b98d6a72143d6aa6688585e94a838546eaa30f0cccd571b9925989f
SHA1 hash:	2f9b8bda7e6e348e444af9b06ec25f190d787476
MD5 hash:	9273fd041c614dcc2258b7e77b783985
humanhash:	coffee-don-echo-lamp
File name:	03082021POSVCT885.pif.exe
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	1'593'195 bytes
First seen:	2021-08-03 08:51:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	47132e7294d9df76f8ee6d6805dd5e2d (5 x Loki, 4 x Formbook, 1 x BitRAT)
ssdeep	24576:IyWIZgw76clTM6eX6yR3AlO6Qz1dWCvObbE179BxOfpeICljWmNvOC+QElbya1vD:gIyMi6eXf3AXQaCO47XO4bjWRQElnlD
Threatray	345 similar samples on MalwareBazaar
TLSH	T18F753317B4F0D83AF3775E3A6434E022119FFE1B148ACD779B4606668B32491D62EE87
Reporter	abuse_ch
Tags:	BitRAT exe RAT

abuse_ch

BitRAT C2:
45.137.22.58:1780

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.137.22.58:1780	https://threatfox.abuse.ch/ioc/165512/

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

03082021POSVCT885.pif.exe

Verdict:

Malicious activity

Analysis date:

2021-08-03 08:53:17 UTC

Tags:

trojan bitrat rat

Link:

https://app.any.run/tasks/0ebd944a-bff3-43bb-be15-8da4e0284e4d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BitRAT

Link:

https://www.capesandbox.com/analysis/175989/

Detection(s):

SecuriteInfo.com.Generic.Cryptor.X.6285D7FF.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

DNS request

Sending a UDP request

Creating a window

Setting a global event handler

Setting a global event handler for the keyboard

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d596b67f-5e35-49ba-9ce8-f54824171281

Result

Threat name:

BitRAT

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/826004

Signature

Hides threads from debuggers

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Yara detected BitRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6e82176449396ea6b244923e666e2147d5f0d5a64b969e2cbbbe983012f5ac90/

Threat name:

Win32.Ransomware.Cryptor

Status:

Malicious

First seen:

2021-08-03 08:11:58 UTC

AV detection:

13 of 46 (28.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n2bbozcjhfxknmsesi7gm3rbi7k7bvngjolj4lf3x2mdaexvvsia._file

Verdict:

malicious

BitRAT

09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767

BitRAT

0a9f7e6ef8592c3807d409340f351188d49da9b7cbe210b875995d85921a5e91

BitRAT

127a77aec69d301ec0eff62153eb160c7a195df26de7ac8617572b2433be6528

BitRAT

142a30f9ba3c2e1efbdf15241721da3b20d7b6436761d3eaafdcc095dc681fc4

BitRAT

18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b

BitRAT

f1041f8beb103e1f63fa8d5234ed3b5a55a37d1c675755040dbb08836c210a90

BitRAT

+ 335 additional samples on MalwareBazaar

Result

Malware family:

bitrat

Score:

10/10

Tags:

family:bitrat suricata trojan upx

Link:

https://tria.ge/reports/210803-n5dldcx37s/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

UPX packed file

BitRAT

BitRAT Payload

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

Unpacked files

SH256 hash:

14fda81012602f23b370d85ac572bc21fe5b7c5b27dd7a069e8d5223bfac2b55

MD5 hash:

671384f8b9a06c44375b8d6d368c9fc1

SHA1 hash:

e1dc2a098235ce1b8e943c0a0a64f372fbdd12c0

Link:

https://www.unpac.me/results/a84c4567-9896-41c3-8893-c6ef0f9b0b86/

SH256 hash:

6e82176449396ea6b244923e666e2147d5f0d5a64b969e2cbbbe983012f5ac90

MD5 hash:

9273fd041c614dcc2258b7e77b783985

SHA1 hash:

2f9b8bda7e6e348e444af9b06ec25f190d787476

Link:

https://www.unpac.me/results/a84c4567-9896-41c3-8893-c6ef0f9b0b86/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6e82176449396ea6b244923e666e2147d5f0d5a64b969e2cbbbe983012f5ac90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_BitRAT Create hunting rule
Author:	ditekSHen
Description:	Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/175989/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample