MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74dd16abbd36832a2e5a60a163b4930a51e0bb6c2a5e32a2f3a4c902e9bfaa99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 7 File information Comments

SHA256 hash:	74dd16abbd36832a2e5a60a163b4930a51e0bb6c2a5e32a2f3a4c902e9bfaa99
SHA3-384 hash:	e6ff49c13a18dac9120bc84440d825efa770c15fd69e493d2bd1e3cce8315e878f12ff0f83fceeed91f6249cbaf2dbe4
SHA1 hash:	665883f1265c0b8e6f225314cd7dd45cf862c070
MD5 hash:	d6465e673cda94185828f9e7757ac841
humanhash:	early-xray-mango-wolfram
File name:	from-isoDOCUMENT.EXE1.exe
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	303'104 bytes
First seen:	2021-11-22 17:46:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep	6144:US1XeNJ/4YvSaC7htM8Rjuc4aZTs/jiZ5Y2xwvm/5Ul:iLqTtM8RqcabEO25
Threatray	571 similar samples on MalwareBazaar
TLSH	T16A54CF2036FD6B47F67587F50AB1A41457BA7D2B3968D22C2CC221DE1932F428B91F27
Reporter	abuse_ch
Tags:	BitRAT exe RAT

abuse_ch

BitRAT C2:
152.89.162.59:9090

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
152.89.162.59:9090	https://threatfox.abuse.ch/ioc/253214/

Intelligence

File Origin

# of uploads :

# of downloads :

179

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

from-isoDOCUMENT.EXE1.exe

Verdict:

Malicious activity

Analysis date:

2021-11-22 17:51:41 UTC

Tags:

trojan loader

Link:

https://app.any.run/tasks/01d4217d-91ba-4829-88c6-6aab76ad4c4a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Unauthorized injection to a recently created process

Creating a file

Setting a global event handler

Setting a global event handler for the keyboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

40%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/619bd79994a88037d2fecdca/reports/b8eb5e0a-b32a-46b5-9b70-d362160209df/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/0cda300c-8844-4c94-a984-5b21c2f0b8c2

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/894086

Signature

.NET source code contains potential unpacker

Executable has a suspicious name (potential lure to open the executable)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/74dd16abbd36832a2e5a60a163b4930a51e0bb6c2a5e32a2f3a4c902e9bfaa99/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-11-22 17:47:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 45 (44.44%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=otornk55g2bsuls2mcqwhnetbji6bo3mfjpdfixtuteqf2n7vkmq._file

Verdict:

malicious

BitRAT

29dd2b13f081a0c7f8312c4b4c433ccdcc3b3a83b91a16a88393370dda44f60b

BitRAT

3a3ff370dac609a17ea67e35e81a3b82702afe6660bb3439a489ff8f4350d607

BitRAT

8d3637cd959d0ea44c713b76b6ad46614b8f91a58398cad0f5929cf179cf9e80

BitRAT

a8130d6e0367f83f68640720c35d12b339c1a84e371cff73524fcaa0fc62f44c

BitRAT

b4a79b7fac8b571454b8d2373623a9fa825c1bc2ef6d1370b831782237d24984

BitRAT

b610d1ae855f79028cabdbd3c1160bc330ef68a7f30ab5544d00b09af341cc68

BitRAT

c1dfcbaabdd34ccb5257c2856121211485293a7a11a23f61c50440fb27eb2b4f

BitRAT

fd1dfd46f65c7c958e81931c7a47de00166f9ac5527ebd6b7742cf6e8b6de2de

BitRAT

+ 561 additional samples on MalwareBazaar

Result

Malware family:

bitrat

Score:

10/10

Tags:

family:bitrat suricata trojan upx

Link:

https://tria.ge/reports/211122-wcwf7agefn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Downloads MZ/PE file

UPX packed file

BitRAT

BitRAT Payload

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

Unpacked files

SH256 hash:

74dd16abbd36832a2e5a60a163b4930a51e0bb6c2a5e32a2f3a4c902e9bfaa99

MD5 hash:

d6465e673cda94185828f9e7757ac841

SHA1 hash:

665883f1265c0b8e6f225314cd7dd45cf862c070

Link:

https://www.unpac.me/results/72dde82d-0e54-4957-a569-aa371be18323/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/74dd16abbd36832a2e5a60a163b4930a51e0bb6c2a5e32a2f3a4c902e9bfaa99

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	MALWARE_Win_BitRAT Create hunting rule
Author:	ditekSHen
Description:	Detects BitRAT RAT

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_Encoded_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/208311/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample