MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73bb9cf10cc0d2f992dc90e75ad0be20992f9f7bf4c0a68dc71924469a1106ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73bb9cf10cc0d2f992dc90e75ad0be20992f9f7bf4c0a68dc71924469a1106ba
SHA3-384 hash: 9b52b8d290f49b919257ffc61fb80b5e82552af7e21cea30bcc752fbcd762c061a315135368892f5653d714fbe1ae3ce
SHA1 hash: 7bb006c26ab589815fc6d41eb990edd8255999dc
MD5 hash: 1977beda35df8c516242011c46da0180
humanhash: fanta-crazy-fourteen-minnesota
File name:INV-10I1718277.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'963'008 bytes
First seen:2021-06-07 12:42:00 UTC
Last seen:2021-06-07 13:53:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:5LVVxgS9wn4CVK0+Frl0xLdgoubWRL2b1IeWX2R:P3AntK0+FrCxLlEk6q5X
Threatray 201 similar samples on MalwareBazaar
TLSH F195232B394CB867E8020ABD695BAF01052E5C4094D193F4AAED770EC9F7375CC39E62
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
185.206.144.26:5505

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.206.144.26:5505 https://threatfox.abuse.ch/ioc/72427/

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INV-10I1718277.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-07 12:42:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c8626aa5-9405-42fd-8c3d-4f35446126b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165011/
Detection(s):
SecuriteInfo.com.Artemis1977BEDA35DF.11635.4624.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/798087
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73bb9cf10cc0d2f992dc90e75ad0be20992f9f7bf4c0a68dc71924469a1106ba/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-06-07 12:42:12 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oo5zz4imydjptew4sdtvvuf6ecms7h336takndohdesengqra25a._file
Verdict:
malicious
Similar samples:
19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
BitRAT
2d008c3033f4c5dbfe78d0ad678568b4bc06526e53b7a811fb86ca9e89a9d844
BitRAT
2efad23e5eb0e9a7ba2cbe0cc79d97e242047ec89baefe08568c447d17fe8bb1
BitRAT
3884a46ac64617d3f1638402e99118aeeee8ea3e18bf3c6f768d43cce3267f4b
BitRAT
68e1c3cd1953f50cf97c15396e47257cedb6d67d5833ea589f1260b61638823f
BitRAT
7841409513d50a3f415b158310103776d996400fb9e1e13c6bc49f6b740e1645
BitRAT
84a40d0820ae9248a654b7d462fa3127d376792e16cf52b4621ca29add8fe0e5
BitRAT
ac84f24af4ee7638d9ee6c5d4b080130a7e1055e5f9bfbc1991dc889a03f664c
BitRAT
cab2c0c7d8cb30d77bcd469e52357f584077fbd35517f7c6a6886f42e729cc47
BitRAT
e655b06ea5b0dad25ad463a66bff53789b15763a87ddd17336aab9ebd5b2eb87
BitRAT
+ 191 additional samples on MalwareBazaar
Result
Malware family:
xenarmor
Create hunting rule
Score:
  10/10
Tags:
family:bitrat family:xenarmor password recovery spyware stealer trojan upx
Link:
https://tria.ge/reports/210607-jqwfasasze/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
BitRAT
BitRAT Payload
XenArmor Suite
Unpacked files
SH256 hash:
357b8100158bb4783be6aae493f1ae2201928c9672aef44e02f5adce20dbb730
MD5 hash:
424a37314c2918f11ce99fb43371b4b1
SHA1 hash:
b9f93c833174e98aedcc709a377aea824b2273c0
Link:
https://www.unpac.me/results/2cc1cc60-4f3f-4321-a760-32569ec40c96/
SH256 hash:
d23031c8ddd00490483c4c38a8290e6310264f4f7cdcb3ef8ccd813ae718d9cd
MD5 hash:
9d23fe6ecbec13706e062840512dbd7b
SHA1 hash:
d201eda4c0eb3857351e9f39bb712cd5859f0751
Link:
https://www.unpac.me/results/2cc1cc60-4f3f-4321-a760-32569ec40c96/
SH256 hash:
38b79e8554a1571cf2eb93452d8c38b90a40ec88f6957b6d3849b23d154d0017
MD5 hash:
95936b64ff92c5cefe0a02672687c9ca
SHA1 hash:
9d18ec8e96c003922b05d06df789ede5e24c22c1
Link:
https://www.unpac.me/results/2cc1cc60-4f3f-4321-a760-32569ec40c96/
SH256 hash:
73bb9cf10cc0d2f992dc90e75ad0be20992f9f7bf4c0a68dc71924469a1106ba
MD5 hash:
1977beda35df8c516242011c46da0180
SHA1 hash:
7bb006c26ab589815fc6d41eb990edd8255999dc
Link:
https://www.unpac.me/results/2cc1cc60-4f3f-4321-a760-32569ec40c96/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73bb9cf10cc0d2f992dc90e75ad0be20992f9f7bf4c0a68dc71924469a1106ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/165011/

Comments