MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 725422976036f66aadde06633c41bc88fa4f55020051b22a644ee6668a3f7c31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BitRAT


Vendor detections: 10



SHA256 hash: 725422976036f66aadde06633c41bc88fa4f55020051b22a644ee6668a3f7c31
SHA3-384 hash: c1a48cc2b2bece2f6476c3b415e8396ad3c48a84cb7f802759ae41fdf711fe1b18dc3ce5bf354bfc95973c2b12f55d69
SHA1 hash: 70799d33a13e77b0ed4708f610b948402f042805
MD5 hash: 0a3408b4eb840ecd8db1239304ea35c3
humanhash: happy-hotel-comet-gee
File name: 0a3408b4eb840ecd8db1239304ea35c3.exe
Signature BitRAT
File size: 76'456 bytes
First seen: 2021-03-29 18:30:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 1536:KW8dpdtldNBtJ5NCwppBTVX3xzzhFX0h1Y/LPrw1:KW8dpdtldNBtJ5NCwpptVX39zhFX00PG
Threatray 75 similar samples on MalwareBazaar
TLSH 2273CAE8DD5904FBF5FCFA748787250E6A71AC379611892B8986C1C3C8CE7426CD096E
Reporter abuse_ch
Tags: BitRAT exe RAT signed

Code Signing Certificate

Organisation: zPfPJHDCzusZRYQYJZGZoFfZmvYtSlFXDPQKtoQzc
Issuer: zPfPJHDCzusZRYQYJZGZoFfZmvYtSlFXDPQKtoQzc
Algorithm: sha256WithRSAEncryption
Valid from: 2021-03-25T14:14:16Z
Valid to: 2022-03-25T14:14:16Z
Serial number: df7139e106dbb68dfe4de97d862af708
Thumbprint Algorithm: SHA256
Thumbprint: cbf3557dce6ea8ba5fa87daa402b868ed86ec659b376c2677bd88966d8b89f7c
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
BitRAT C2:
201.219.204.73:1881

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
201.219.204.73:1881 | https://threatfox.abuse.ch/ioc/5898/

Intelligence


File Origin
# of uploads: 1
# of downloads: 152
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 0a3408b4eb840ecd8db1239304ea35c3.exe
Verdict: Malicious activity
Analysis date: 2021-03-29 18:40:40 UTC
Tags: trojan bitrat rat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending an HTTP GET request
Sending a UDP request
Creating a file
Moving a recently created file
Launching a process
Creating a process with a hidden window
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a service
Deleting a recently created file
Setting a single autorun event
Moving of the original file
Adding exclusions to Windows Defender
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Drops PE files with benign system names
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Uses dynamic DNS services
Behaviour
Behavior Graph (ID 377637; sample DGszkk90Jh.exe; start date 29/03/2021; architecture WINDOWS; score 96):
Start node (2)
  Network: fabihenrihenao990.duckdns.org
  Signatures: Multi AV Scanner detection for submitted file; Uses dynamic DNS services
  Starts: DGszkk90Jh.exe (8), svchost.exe (13), svchost.exe (15), 9 other processes (17)
DGszkk90Jh.exe (8)
  Network: 198.98.51.197 port 80 (local port 49708), PONYNETUS, United States; fabihenrihenao990.duckdns.org
  Dropped: C:\Users\Public\Documents\...\svchost.exe (PE32); C:\Users\user\AppData\...\low3z3au.newcfg (XML); C:\Users\user\AppData\...\DGszkk90Jh.exe.log (ASCII); 2 other files (1 malicious)
  Signatures: Creates multiple autostart registry keys; Adds a directory exclusion to Windows Defender; Tries to delay execution (extensive OutputDebugStringW loop); Drops PE files with benign system names
  Starts: DGszkk90Jh.exe (19), AdvancedRun.exe (24), powershell.exe (26), 5 other processes (30)
svchost.exe (13)
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  Starts: MpCmdRun.exe (28)
svchost.exe (15)
  Signatures: Multi AV Scanner detection for dropped file
9 other processes (17)
  Network: 127.0.0.1
  Signatures: System process connects to network (likely due to code injection or exploit)
DGszkk90Jh.exe (19)
  Network: fabihenrihenao990.duckdns.org resolving to 201.219.204.73, ITELKOMCO, Colombia
  Dropped: C:\Users\user\AppData\Local:29-03-2021 (HTML, written as an alternate data stream)
  Signatures: Creates files in alternative data streams (ADS); Creates multiple autostart registry keys; Hides threads from debuggers
AdvancedRun.exe (24)
  Network: 192.168.2.1
  Starts: AdvancedRun.exe (32)
powershell.exe (26)
  Starts: conhost.exe (34)
MpCmdRun.exe (28)
  Starts: conhost.exe (36)
5 other processes (30)
  Starts: conhost.exe (38), conhost.exe (40), conhost.exe (42)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-03-25 21:29:43 UTC
File Type: PE (.Net Exe)
Extracted files: 2
AV detection: 18 of 29 (62.07%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:bitrat evasion persistence trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies system certificate store
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
BitRAT
BitRAT Payload
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
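The sandbox behaviours listed above (Defender exclusion added, real-time protection and SpyNet reporting switched off, a Run key pointing at a svchost.exe dropped under C:\Users\Public, a file written as an alternate data stream) each leave a registry or file event that endpoint telemetry records. The following is an added example, not MalwareBazaar, sandbox or BitRAT code: detection logic run over a handful of constructed Sysmon-style events (Event ID 13 registry value set, Event ID 15 file stream created). The event lines, the SID in the HKU path and the benign installer entry are all constructed for this example; the drop locations reuse the paths from the behaviour graph.

```python
"""Detection rules for the Defender-tampering, persistence and ADS behaviours
reported for this sample, run over constructed Sysmon-style events.
Added example; not code from MalwareBazaar or any sandbox vendor."""
import ntpath
import re

# Constructed events (field names follow Sysmon EID 13 / EID 15).
EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\user\\Desktop\\DGszkk90Jh.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\Documents",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpynetReporting",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Users\\user\\Desktop\\DGszkk90Jh.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost",
     "Details": "C:\\Users\\Public\\Documents\\svchost.exe"},
    {"EventID": 15, "Image": "C:\\Users\\user\\Desktop\\DGszkk90Jh.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Local:29-03-2021"},
    # Constructed benign control: an installer registering its updater from Program Files.
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "Details": "C:\\Program Files\\Vendor\\updater.exe"},
]

# Names of Windows system binaries that malware borrows for dropped files.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}
# Locations any user (or a low-privilege process) can write to.
USER_WRITABLE = re.compile(
    r"^C:\\(Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp|ProgramData)\\", re.I)


def _dword(details):
    """Parse Sysmon's 'DWORD (0x........)' rendering of a REG_DWORD value."""
    m = re.match(r"DWORD \(0x([0-9a-f]{8})\)", details or "", re.I)
    return int(m.group(1), 16) if m else None


def ads_stream(path):
    """Return the stream name if `path` names an NTFS alternate data stream, else None."""
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path  # skip the drive colon
    return body.split(":", 1)[1] if ":" in body else None


def detect(event):
    """Return the list of rule names the single event triggers."""
    findings = []
    if event["EventID"] == 13:
        key, value = event["TargetObject"], event.get("Details", "")
        if re.search(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\", key, re.I):
            findings.append("defender_exclusion_added")
        if re.search(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", key, re.I) and _dword(value) == 1:
            findings.append("defender_realtime_disabled")
        if re.search(r"\\Windows Defender\\Spynet\\SpynetReporting$", key, re.I) and _dword(value) == 0:
            findings.append("defender_spynet_reporting_off")  # 0 = reporting disabled
        if re.search(r"\\CurrentVersion\\Run(Once)?\\", key, re.I):
            exe = value.strip('"')
            if USER_WRITABLE.match(exe):
                findings.append("run_key_user_writable_target")
            if ntpath.basename(exe).lower() in SYSTEM_NAMES and not exe.lower().startswith("c:\\windows\\"):
                findings.append("run_key_masquerading_system_name")
    elif event["EventID"] == 15 and ads_stream(event["TargetFilename"]):
        findings.append("alternate_data_stream_written")
    return findings


def scan(events):
    """Map each rule name to the images that triggered it, in event order."""
    hits = {}
    for ev in events:
        for name in detect(ev):
            hits.setdefault(name, []).append(ev["Image"])
    return hits


if __name__ == "__main__":
    for name, images in scan(EVENTS).items():
        print(f"{name}: {images}")
```

Each rule keys on the exact registry path rather than on the process name, because here the tampering is split across the sample itself and a spawned powershell.exe; correlating by process tree is the next step, not a substitute for these. The benign control entry is there to show that a Run key alone is not a finding; the user-writable target and the borrowed system binary name are.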
Unpacked files
SHA256 hash: 725422976036f66aadde06633c41bc88fa4f55020051b22a644ee6668a3f7c31
MD5 hash: 0a3408b4eb840ecd8db1239304ea35c3
SHA1 hash: 70799d33a13e77b0ed4708f610b948402f042805
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_BitRAT
Author:ditekSHen
Description:Detects BitRAT RAT
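The second rule above fires on a stomped PE compilation timestamp, a TimeDateStamp in the COFF header that lies in the future relative to the scanning host's clock. The following is an added example of that check, written here in Python rather than taken from the rule's own source: it locates the COFF header via e_lfanew, reads TimeDateStamp, and compares it to a supplied or current time with a one-day tolerance (an assumed value chosen to absorb build-host clock skew). The PE bytes it runs on are constructed headers, not the sample above.

```python
"""Stomped-PE-timestamp check: flag a COFF TimeDateStamp that is later than
the current time. Added example; not the YARA rule's own source."""
import struct
import time
from typing import Optional


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_is_stomped(data: bytes, now: Optional[int] = None, slack: int = 86400) -> bool:
    """True when the compile timestamp is more than `slack` seconds in the future.
    `slack` (assumed: one day) tolerates ordinary build-host clock skew."""
    now = int(time.time()) if now is None else now
    return pe_timestamp(data) > now + slack


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed test input: a DOS stub, PE signature and COFF header only.
    Not loadable; just enough header for pe_timestamp() to parse."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=0x14C (i386), 1 section, TimeDateStamp, no symbols, optional header 0xE0, characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    now = int(time.time())
    for label, stamp in (("plausible", now - 30 * 86400), ("stomped", now + 365 * 86400)):
        sample = build_minimal_pe(stamp)
        print(label, pe_timestamp(sample), timestamp_is_stomped(sample, now=now))
```

A future timestamp is a cheap heuristic, not proof of malice: some toolchains and reproducible-build setups deliberately write fixed or zero stamps, and .NET assemblies (this sample is reported as a .Net Exe) routinely carry stamps that do not reflect build time, so treat a hit as a pivot for further triage rather than a verdict on its own.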

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments