MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76e5467f267a4bca00af800094c3a92f6bd51de54737f07c533d091e2f219b40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76e5467f267a4bca00af800094c3a92f6bd51de54737f07c533d091e2f219b40
SHA3-384 hash: 076302660926159d03b133500395d172ee7269491b173ef1aee002c179c0b612af161be3980191a569d9157e30627084
SHA1 hash: 5890091bacde4d9d62ed76d32dfaefcaa5b988a4
MD5 hash: 13e0f258cfbe3aece8a7e6d29ceb5697
humanhash: lemon-zebra-robert-paris
File name:Payment Confirmation Paper - Customer Copy_pdf.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:4'607'488 bytes
First seen:2021-01-19 13:04:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:1Unj6PEASk4gI/UqE2mCAc1XdZ2aRmPCBvfq:1U+PEZkFIMX2mbcrFBC
Threatray 80 similar samples on MalwareBazaar
TLSH 462623817E44EE41D12D67B8C42AA9F472FEED45DA11D41FAC91FEBA3333946810E632
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
Malspam distributing BitRAT:

HELO: mxout.fullmarket-4.vautronserver.de
Sending IP: 151.252.48.227
From: Accounts Payable - Rinaldi <finance@chalet-almhuette.at>
Reply-To: z0ais@newpacifis.com
Subject: Re:Re:Re: Payment processed (Overdues)
Attachment: Payment_receipt.img (contains "Payment Confirmation Paper - Customer Copy_pdf.exe")

BitRAT C2:
195.206.105.10:3988

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Confirmation Paper - Customer Copy_pdf.exe
Verdict:
No threats detected
Analysis date:
2021-01-19 12:16:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ee462b5a-0ea5-4af1-ac77-46df4349f85e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112891/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/585091
Signature
.NET source code contains potential unpacker
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76e5467f267a4bca00af800094c3a92f6bd51de54737f07c533d091e2f219b40/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 13:04:19 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o3sum7zgpjf4uafpqaajjq5jf5v5khpfi437a7cthuer4lzbtnaa._file
Verdict:
malicious
Similar samples:
1c1b2595e6838a1ee24e806ff60b80a40ad7166caaaaf65080deda57c7292c53
BitRAT
22dbe6172d32b9b90d66036688e440a9026524f8c4c61b1c05f45dbd63919483
BitRAT
243e8ba43bcdb6634c77835df678964743893a30f4d2abe9596f2add2882e074
BitRAT
2ddd796e9b53ab3d7eaf4093529077f637f182a934a851af24da8c8f189aeed3
BitRAT
3cf331e46b6f16ef2a591637b64865d81b19e016ad3f4f3280aa1a872f1261ab
BitRAT
56d0c7b288fe323703e31519f296d7a1ed4811bc8eb7cf87c56082499aaff297
BitRAT
80104e0ad490b44a632a15e5875e7626db7f35fa94d7aadf19c45a621d75c7e0
BitRAT
8fdc007dd13e7c0c5bbe426da723499db81518697eb84d2fd2a0181996d276fa
BitRAT
9ffa16b91dc10936865d1d9849940c9d27276fd6acd6ab947d31e7f80322eea2
BitRAT
ef3436a1198e62ccb908d35b3dea6cfed17414f2e59ab62686277d978f5fd73c
BitRAT
+ 70 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat evasion trojan
Link:
https://tria.ge/reports/210119-3fabg3s77j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Maps connected drives based on registry
Looks up external IP address via web service
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
f9347971c8c448843822adba3ed3740cdf29ec6693c65be8955380e61f5a0ec9
MD5 hash:
ef122fa4832b21dfccb9885ed605bdaa
SHA1 hash:
e021012fd332f5a0640d4d446244afa657513a4b
Link:
https://www.unpac.me/results/dfb915ec-497e-49e0-a3a7-96a257593ddb/
SH256 hash:
52d35fabfc97d3e903b5d9eb253e8f84d1dfee2967fa9dde6d6ca37cc61951c5
MD5 hash:
b5a7f2596efe4c5fc5f5d2c733d49259
SHA1 hash:
c121578124375dc293e4daf12fac22442a8131b6
Link:
https://www.unpac.me/results/dfb915ec-497e-49e0-a3a7-96a257593ddb/
SH256 hash:
af8ba92960be257e3fc25b03d06b2025338bb5c19fc438cb09ad7bf6d6bc7f93
MD5 hash:
0d6585092325c28570494f937c1fe6a3
SHA1 hash:
757e658550ab85a0806f37d8ba3076b37cd0ea46
Link:
https://www.unpac.me/results/dfb915ec-497e-49e0-a3a7-96a257593ddb/
SH256 hash:
76e5467f267a4bca00af800094c3a92f6bd51de54737f07c533d091e2f219b40
MD5 hash:
13e0f258cfbe3aece8a7e6d29ceb5697
SHA1 hash:
5890091bacde4d9d62ed76d32dfaefcaa5b988a4
Link:
https://www.unpac.me/results/dfb915ec-497e-49e0-a3a7-96a257593ddb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76e5467f267a4bca00af800094c3a92f6bd51de54737f07c533d091e2f219b40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

img c25d82bf6f681d61e79ed7d875b2b8f6d3145997e58699deb5f418e952c1f0ad

BitRAT

Executable exe 76e5467f267a4bca00af800094c3a92f6bd51de54737f07c533d091e2f219b40

(this sample)

  
Dropped by
MD5 d7cd1c459267520060490d0ab5162142
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c25d82bf6f681d61e79ed7d875b2b8f6d3145997e58699deb5f418e952c1f0ad
Cape
Cape
https://www.capesandbox.com/analysis/112891/

Comments