MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7841409513d50a3f415b158310103776d996400fb9e1e13c6bc49f6b740e1645. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7841409513d50a3f415b158310103776d996400fb9e1e13c6bc49f6b740e1645
SHA3-384 hash: f723f476203d9898769123c32b61a50b64fa9b23fe43583781ce888b09e521faf17f939107d48907f0cbdcbde0bbf416
SHA1 hash: 05150b79fd924b822a2b35aef8541540e783943f
MD5 hash: f5693e47d55bc9e5dad0afe25865b3ae
humanhash: carbon-sodium-maryland-king
File name:f5693e47d55bc9e5dad0afe25865b3ae.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'510'912 bytes
First seen:2021-04-28 09:16:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (261 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 24576:fJmQ3QWWrDXNmFyC2SadnEHgeJhDIZyHvoUdEdNH4Nh564YI63PJWOhdi6DPse:fqrD9TC2SVACoUe91JxxbiMPs
Threatray 1'634 similar samples on MalwareBazaar
TLSH 496533F542115123FA1CD6B8B9526F3A2621879362BD73E23D8E91174E3C316BD42C77
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
136.244.96.52:1234

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
136.244.96.52:1234 https://threatfox.abuse.ch/ioc/19641/

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f5693e47d55bc9e5dad0afe25865b3ae.exe
Verdict:
Malicious activity
Analysis date:
2021-04-28 09:21:21 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/5b91ffbf-de26-4a00-b140-c6d6950acb0e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/144902/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Win.Malware.Mikey-9819889-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.BitRAT.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Setting a global event handler
Sending a custom TCP request
Sending a UDP request
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/700305
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7841409513d50a3f415b158310103776d996400fb9e1e13c6bc49f6b740e1645/
Threat name:
Win32.Backdoor.ParalaxRat
Create hunting rule
Status:
Malicious
First seen:
2021-04-28 03:05:14 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
35 of 47 (74.47%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pbaubfit2ufd6qk3cwbraebxo3mzmqapxhq6cpdlyspww5aoczcq._file
Verdict:
malicious
Similar samples:
2d008c3033f4c5dbfe78d0ad678568b4bc06526e53b7a811fb86ca9e89a9d844
BitRAT
2d5a9858f39c976a0e10ce4b8f1d05ad7bd1fe0872151ef43df402ebce15b46b
BitRAT
352079b5516356dae554a0373e989019253b4ccc75975ddf7962e6ce17d47f4e
BitRAT
3884a46ac64617d3f1638402e99118aeeee8ea3e18bf3c6f768d43cce3267f4b
BitRAT
68e1c3cd1953f50cf97c15396e47257cedb6d67d5833ea589f1260b61638823f
BitRAT
84a40d0820ae9248a654b7d462fa3127d376792e16cf52b4621ca29add8fe0e5
BitRAT
a9133df8b9feede980d560c44b754298fc751da2ea00909ed2375f396ed3e813
BitRAT
a9c5029521e6d748545aabc303731f7df321976c956a43c971428b123e3c849f
BitRAT
ad49dea56c095979c172d844522d5f97458e41d03e8e97e647b6ee35f244c6ae
BitRAT
d6ec5d9dbff79fbd96cf26d533feabb9c77087fc59be1d7b6f74d196b26d19cd
BitRAT
+ 1'624 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210428-mmnbm8zeqj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
892cb5575bfbdee97610e378d22c13d3d87b93a12c1e9e0a4dede64c97351c91
MD5 hash:
289f36cc8386c9c029ae0136aa3e8d12
SHA1 hash:
365c98bf123de956b71474d1f50b566dc796e9eb
Link:
https://www.unpac.me/results/608dbbbf-45f1-46d9-adab-25ab0336362b/
SH256 hash:
7841409513d50a3f415b158310103776d996400fb9e1e13c6bc49f6b740e1645
MD5 hash:
f5693e47d55bc9e5dad0afe25865b3ae
SHA1 hash:
05150b79fd924b822a2b35aef8541540e783943f
Link:
https://www.unpac.me/results/608dbbbf-45f1-46d9-adab-25ab0336362b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/7841409513d50a3f415b158310103776d996400fb9e1e13c6bc49f6b740e1645

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 7841409513d50a3f415b158310103776d996400fb9e1e13c6bc49f6b740e1645

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1178563/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/144902/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-28 10:00:40 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [F0001.008] Anti-Behavioral Analysis::UPX