MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7277f1d3ddf844d18b2b0f95b620c8617736ad6703234fee2cb46299590180fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 7

Intelligence 7 IOCs YARA 4 File information Comments

SHA256 hash:	7277f1d3ddf844d18b2b0f95b620c8617736ad6703234fee2cb46299590180fe
SHA3-384 hash:	748929f78f6d7f0ca947fd00c8dad7b32bd5de34bb1bbcb7f916d813a780143a6c9bc1e110462f49cfaf92585fd809ff
SHA1 hash:	8f0fce3f465aa5e3699599cbfb3ff94f49ce181e
MD5 hash:	2dbe8acd23d12f9f1fbeeaeead8c667a
humanhash:	nebraska-angel-artist-finch
File name:	2dbe8acd23d12f9f1fbeeaeead8c667a.exe
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	4'406'784 bytes
First seen:	2021-02-15 07:35:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	98304:XcrwuJxGYegQbB5DAowDOA3wRbVZ3oG3zmQH0QRK5fl0Ax:jAEYiyvwRbVSGDmESdb
Threatray	99 similar samples on MalwareBazaar
TLSH	C416112290D2A619E4ED76F74B20C11C3663FDCE7DB5A02428C336B7997B61443B89E7
Reporter	abuse_ch
Tags:	BitRAT exe RAT

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Inquiry Bulgaria.xls

Verdict:

Malicious activity

Analysis date:

2021-02-15 07:25:01 UTC

Tags:

macros macros40 loader

Link:

https://app.any.run/tasks/cbb7194c-5a0a-4b7e-bdd4-56117ef07321

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/117131/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42845.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

BitRAT Xmrig

Detection:

malicious

Classification:

troj.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/607819

Signature

Binary contains a suspicious time stamp

Contains functionality to hide a thread from the debugger

Contains functionality to inject code into remote processes

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected BitRAT

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7277f1d3ddf844d18b2b0f95b620c8617736ad6703234fee2cb46299590180fe/

Threat name:

Win32.Trojan.Injuke

Status:

Malicious

First seen:

2021-02-15 07:34:57 UTC

AV detection:

6 of 47 (12.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=oj37du657bcndczlb6k3migimf3tnllhamru73rmwrrjswibqd7a._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210215-cabywl2b46/

Unpacked files

SH256 hash:

40b7475db4f1c82233631f01e4f7542614b6d6593fef1ac5c5ea78cb78fb154a

MD5 hash:

5441ef0043c0e0cf3bc33d3fa3f2c133

SHA1 hash:

ee51a629bbeb8da20b0584f6a2c45cbb899b298d

Link:

https://www.unpac.me/results/49352ce2-63bb-4b22-a857-34c17251c4cc/

SH256 hash:

2ec41720b412f91f91daaefea38007449491b2c016238aa8f23b6866c89bc788

MD5 hash:

987ce346069cf47535e5ac57265c7228

SHA1 hash:

d0085325ed78fcac6d1f605753237abd1c40db22

Link:

https://www.unpac.me/results/49352ce2-63bb-4b22-a857-34c17251c4cc/

SH256 hash:

7277f1d3ddf844d18b2b0f95b620c8617736ad6703234fee2cb46299590180fe

MD5 hash:

2dbe8acd23d12f9f1fbeeaeead8c667a

SHA1 hash:

8f0fce3f465aa5e3699599cbfb3ff94f49ce181e

Link:

https://www.unpac.me/results/49352ce2-63bb-4b22-a857-34c17251c4cc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7277f1d3ddf844d18b2b0f95b620c8617736ad6703234fee2cb46299590180fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MALWARE_Win_BitRAT Create hunting rule
Author:	ditekSHen
Description:	Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

exe 7277f1d3ddf844d18b2b0f95b620c8617736ad6703234fee2cb46299590180fe

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1010797/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/117131/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample