MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 736cb846af9e2de5730d5b788603d49374fee0e309d2681392456aa41ec3eda1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 736cb846af9e2de5730d5b788603d49374fee0e309d2681392456aa41ec3eda1
SHA3-384 hash: c7c0bb7e454aeaf398e2079a9c6d1801114cd8778521eada286d588a7069d93b686b18791e964dde6cb9d82383f00c03
SHA1 hash: 4e66afa1fc9649a09580d38ec80263a484ab2eba
MD5 hash: 1830fe928264f27169970b452da74d24
humanhash: blue-november-cold-mexico
File name:Xerox_14.10.2020.scr
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'380'288 bytes
First seen:2020-10-15 10:38:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'633 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:pRVyalZ9jAbLuoJAfYPH6wBvf8j1O0dmEuMgLm/WorbADX7:pRVxljAbLuWAfYP9vfOe5jo4D
Threatray 12 similar samples on MalwareBazaar
TLSH 26B512987100719FE837C9328A641C20B7103CE65BEBDA0B9087366DB6BD9D7DE505EB
Reporter abuse_ch
Tags:BitRAT DEU DeutscheBank geo nVpn RAT scr


Avatar
abuse_ch
Malspam distributing BitRAT:

HELO: hosty.zagirova.design
Sending IP: 51.81.109.122
From: Deutsche Kredit Bank <Commercial@deutsche-bank.de>
Subject: Zahlungsaviso
Attachment: Xerox_14.10.2020.Pdf.jpg.img (contains "Xerox_14.10.2020.scr")

BitRAT C2:
jegebit.duckdns.org:43360 (79.134.225.15)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71247/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42621.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Setting a global event handler
DNS request
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492120
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 298507 Sample: Xerox_14.10.2020.scr Startdate: 15/10/2020 Architecture: WINDOWS Score: 100 42 jegebit.duckdns.org 2->42 46 Antivirus detection for dropped file 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 Sigma detected: Scheduled temp file as task from temp location 2->50 52 8 other signatures 2->52 9 Xerox_14.10.2020.exe 6 2->9         started        signatures3 process4 file5 36 C:\Users\user\AppData\Roaming\jDnRHlci.exe, PE32 9->36 dropped 38 C:\Users\user\AppData\Local\...\tmpD1BE.tmp, XML 9->38 dropped 40 C:\Users\user\...\Xerox_14.10.2020.exe.log, ASCII 9->40 dropped 54 Contains functionality to inject code into remote processes 9->54 56 Tries to detect virtualization through RDTSC time measurements 9->56 58 Injects a PE file into a foreign processes 9->58 60 Contains functionality to hide a thread from the debugger 9->60 13 Xerox_14.10.2020.exe 1 3 9->13         started        17 schtasks.exe 1 9->17         started        signatures6 process7 dnsIp8 44 jegebit.duckdns.org 79.134.225.15, 43360, 49738 FINK-TELECOM-SERVICESCH Switzerland 13->44 62 Writes to foreign memory regions 13->62 64 Allocates memory in foreign processes 13->64 66 Hides threads from debuggers 13->66 68 Injects a PE file into a foreign processes 13->68 19 Xerox_14.10.2020.exe 24 13->19         started        22 BackgroundTransferHost.exe 13 13->22         started        24 conhost.exe 17->24         started        signatures9 process10 file11 28 C:\Users\user\Desktop\Unknown.dll, PE32 19->28 dropped 30 C:\Users\user\Desktop\...\vcruntime140.dll, PE32 19->30 dropped 32 C:\Users\user\Desktop\...\softokn3.dll, PE32 19->32 dropped 34 17 other files (none is malicious) 19->34 dropped 26 Xerox_14.10.2020.exe 22->26         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/736cb846af9e2de5730d5b788603d49374fee0e309d2681392456aa41ec3eda1/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 18:06:01 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=onwlqrvptyw6k4ynln4ima6usn2p5yhdbhjgqe4sivvkihwd5wqq._file
Verdict:
unknown
Similar samples:
04c27b0ff1c12b58c1520db0ffc14e7ced2f5adae24e08a3ff66fcc1723676cf
BitRAT
1a198ecee66fc8ec13774ac287557d82678d9b2a2f0192f9b180cc046840a36a
BitRAT
38a36c357a50c0f3d6ba6cbaa600507d485271ac452212850dff78f1a430f9e1
BitRAT
3a53fc0060de3daa43eda52ecb4348ede9d1d95ba89e81906c19da1afd9376b5
BitRAT
4a09bedcd448deaaaff205dabbc19a34f5b47a9714ac85a5a827c0aabeb2db7f
BitRAT
52f5e7a9a44771795325822713ff8c37f4efa674bbbb375523c3982ab79a52dd
BitRAT
7eed0a7abb529f2d7208babe7ab96ea673878fad3fcd7779340b4d6dc3d8468e
BitRAT
ad8e44c480c85fe9c5562da973bebfa09d729044c83eef7017760da5602910ac
BitRAT
ba318072fe85e168c5fd55a30760ac306f75fa76c2d5ec40533b0505cda1c26d
BitRAT
ef67b30b7ae1fd2b27a17f1e0172954912c78c541f7cb162ff003a9b42f128c4
BitRAT
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx spyware
Link:
https://tria.ge/reports/201015-zsfbe8jras/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Executes dropped EXE
Unpacked files
SH256 hash:
736cb846af9e2de5730d5b788603d49374fee0e309d2681392456aa41ec3eda1
MD5 hash:
1830fe928264f27169970b452da74d24
SHA1 hash:
4e66afa1fc9649a09580d38ec80263a484ab2eba
Link:
https://www.unpac.me/results/df1b2cd8-e22e-4ef9-8165-c43d498b3b75/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/df1b2cd8-e22e-4ef9-8165-c43d498b3b75/
SH256 hash:
79a6295c0d1df3c1bd79cf349ed2df8453130de8ca8d0ae2d7bcf5584e8e1b9d
MD5 hash:
b63331fddc29b2e4b62f765dbf747862
SHA1 hash:
8b3c127fa9f9da9cfa9e12138d34f86ded578d1d
Link:
https://www.unpac.me/results/df1b2cd8-e22e-4ef9-8165-c43d498b3b75/
SH256 hash:
eab7e32b558b18b47617927278e6958d77abe79b13781433c2b1d59289efc9ba
MD5 hash:
4d2a8de1bb096eab901fc4e0d3903534
SHA1 hash:
84f3f424648afe34bfff8d1121f4ff2dcc5a3272
Detections:
win_bit_rat_w0
Create hunting rule
Link:
https://www.unpac.me/results/df1b2cd8-e22e-4ef9-8165-c43d498b3b75/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/736cb846af9e2de5730d5b788603d49374fee0e309d2681392456aa41ec3eda1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_bit_rat_w0
Create hunting rule
Author:KrabsOnSecurity
Description:String-based rule for detecting BitRAT malware payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

img 1d8a9a91fa698f6f1ec0adb5e6e7a7ebeeb86f73752f9e1926ebc46abb2691a0

BitRAT

Executable exe 736cb846af9e2de5730d5b788603d49374fee0e309d2681392456aa41ec3eda1

(this sample)

  
Dropped by
MD5 2b85b26a7434a3aae55b1ec7f930c480
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71247/
  
Dropped by
SHA256 1d8a9a91fa698f6f1ec0adb5e6e7a7ebeeb86f73752f9e1926ebc46abb2691a0

Comments