MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 722ab2f8e85854d3b7c16fdc14449d0d2f4e3391eb3b8577f7d20c83fa4e073f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 722ab2f8e85854d3b7c16fdc14449d0d2f4e3391eb3b8577f7d20c83fa4e073f
SHA3-384 hash: e47500769e5c4a7a7970c452d596467a81fc46c52307c3301c6adae2f35f466617f80d4167520bea0bbc88084953ef41
SHA1 hash: db8cdd31c1aa5d9125bea8bd406f282b640019b0
MD5 hash: 5b0aae39e6b24c078cf98de1bcb27da2
humanhash: charlie-angel-triple-chicken
File name:Standard PO1721 IMPXpdf.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'222'984 bytes
First seen:2021-09-17 09:30:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:MLbtmPyyhtvl0OBc1so0/mC89HQ4d11ZqTMjVHzoQELBgWUB2AkeJ:SfyLvlb8f0+9w4Xq4jVMhLWWe
Threatray 501 similar samples on MalwareBazaar
TLSH T116A5F10073EC8624EAEF2774E474468502F7FC9AA63DE78D5905A9AD1DA3B418C217F3
dhash icon e0e4a3a6a4b8b8a8 (37 x Formbook, 9 x AZORult, 9 x Loki)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
195.206.105.10:3988

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
195.206.105.10:3988 https://threatfox.abuse.ch/ioc/222958/

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Standard PO1721 IMPXpdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-17 09:44:25 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/ea57a536-d01e-4c11-a51d-5ce85cd9ded3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188591/
Detection(s):
SecuriteInfo.com.Malware.AI.1767554360.29023.9314.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Launching a service
DNS request
Connection attempt
Sending an HTTP GET request
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
monero obfuscated overlay packed
Link:
https://www.filescan.io/uploads/61752944db358dd15ed92ad6/reports/c663f68a-7000-4a44-add9-00f57b0e5a25/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d1c896c-8a3c-4160-8fea-39c607761066
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/852725
Signature
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Found malware configuration
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Encoded PowerShell Command Line
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/722ab2f8e85854d3b7c16fdc14449d0d2f4e3391eb3b8577f7d20c83fa4e073f/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-09-17 03:13:15 UTC
AV detection:
10 of 45 (22.22%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oivlf6hilbknhn6bn7obire5buxu4m4r5m5yk57x2igih6soa47q._file
Verdict:
malicious
Similar samples:
18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b
BitRAT
3a3ff370dac609a17ea67e35e81a3b82702afe6660bb3439a489ff8f4350d607
BitRAT
51af4d4e1af93fd32fd240a7ec9df52e2af9f7d7567c7f7dff776ce0b4852323
BitRAT
704e26dbdebc8b3ad1391f5b9d671f8b9550609455821540151ff70e17bed798
BitRAT
8d3637cd959d0ea44c713b76b6ad46614b8f91a58398cad0f5929cf179cf9e80
BitRAT
b4a79b7fac8b571454b8d2373623a9fa825c1bc2ef6d1370b831782237d24984
BitRAT
b610d1ae855f79028cabdbd3c1160bc330ef68a7f30ab5544d00b09af341cc68
BitRAT
d9f858f28cab427ea59133d06469903d937cd10334a0fdd5f77fe529e3d0ece1
BitRAT
+ 491 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan upx
Link:
https://tria.ge/reports/210917-lg3qysfbc7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
958c2978a70eab0826545176172cd23d0e8e86d784aa1f64d3184172157b572e
MD5 hash:
9f2a3063e7a184e6e10acd00774d0f6c
SHA1 hash:
272271e607cebbbf92141029ad8725389043311f
Link:
https://www.unpac.me/results/831f915c-9cbb-4d0b-836a-b988c2e37679/
SH256 hash:
722ab2f8e85854d3b7c16fdc14449d0d2f4e3391eb3b8577f7d20c83fa4e073f
MD5 hash:
5b0aae39e6b24c078cf98de1bcb27da2
SHA1 hash:
db8cdd31c1aa5d9125bea8bd406f282b640019b0
Detections:
win_karkoff_auto
Create hunting rule
Link:
https://www.unpac.me/results/831f915c-9cbb-4d0b-836a-b988c2e37679/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/722ab2f8e858/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/722ab2f8e85854d3b7c16fdc14449d0d2f4e3391eb3b8577f7d20c83fa4e073f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_karkoff_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/188591/

Comments