MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7911f1a67c2580f0390dd9eea76d879801c77cb2e114a307e28cb3d31b23f340. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7911f1a67c2580f0390dd9eea76d879801c77cb2e114a307e28cb3d31b23f340
SHA3-384 hash: 5e071703911232ead77892a31d17ef2199df89808c5f3335bb92379456cca25e205ce38945a98d2c13cf8a9f28c3607f
SHA1 hash: 86f046bab6a953fe8323e347b1a0f45730870589
MD5 hash: fc8dc8736cbc013863b77c8f9963c8d6
humanhash: black-summer-happy-maryland
File name:order-1812896543124646423.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:4'674'560 bytes
First seen:2020-12-28 10:37:32 UTC
Last seen:2020-12-28 12:37:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'624 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 98304:f/PYnDs4dp5dT53amcOI3D79aTBzVn5SX478AEBMFYBotFvNHI:fXYDBp5dAOGa9zVn5SIAvKG81H
Threatray 165 similar samples on MalwareBazaar
TLSH 972622122544AE16C6F877786F64C43013E5BD1A9A21E5B87DEC3D8F7BBE9430932A31
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
Malspam distributing BitRAT:

HELO: 191-101-130-44-hostedby.bcr.host
Sending IP: 191.101.130.44
From: Ronald Rina <rrina@smediasys.com>
Reply-To: rrina-smediasys@post.com
Subject: Request For QUOTE (INNOVATION PROJECT)
Attachment: order-1812896543124646423.zip (contains "order-1812896543124646423.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
307
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
50404868-c352-422f-a608-7fd64b335eec
Verdict:
Malicious activity
Analysis date:
2020-12-28 08:42:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7a6d4f73-2f28-413f-8fc2-638856dc5810

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject4.6378.27625.3950.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
DNS request
Setting a global event handler
Connection attempt
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/570626
Signature
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7911f1a67c2580f0390dd9eea76d879801c77cb2e114a307e28cb3d31b23f340/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2020-12-28 08:07:27 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pei7djt4ewapaoin3hxko3mhtaa4o7fs4ekkgb7crsz5ggzd6naa._file
Verdict:
malicious
Similar samples:
0b45301c562af6da8c63164d1f13b38a6147202d16503ae2cbe99948e842ff33
BitRAT
22ba4198dd80989673a5db96ec9a50b4bbd45931c98636aba17443d638ef937c
BitRAT
243e8ba43bcdb6634c77835df678964743893a30f4d2abe9596f2add2882e074
BitRAT
3b0674528185c1927af4b44cb1a04cac22137140ba78e74095e816b25d2fca97
BitRAT
616c28fcce50820b53f2e7489697ceec0526c0e6005c25c4a2f312b2cc8822a3
BitRAT
6c6cd6b0e9f9804b7c28b3ee1d24d339680578067d05b285a9da38d780b8ea59
BitRAT
cd3afb904bdbe5aa145aca40398017b76ef22f9fa85556c728f38744d57a3352
BitRAT
d6964f92949edac5e3f2b740a6c2fa121eb1539f5a291ee7d4cc5cd55cadd49d
BitRAT
f9a5216358a5932d7ea34c38f7d5e3bb0f3e6001a4a990a0b1af4d151aba2104
BitRAT
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
BitRAT
+ 155 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201228-ys7knqangs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Unpacked files
SH256 hash:
44106a7753790a12c522849b3f7da238337bd0342e5664021e25f79b2705ae9a
MD5 hash:
d43e8dcc8f8b23c144f820eaa9bdbee4
SHA1 hash:
41faa61eb543ac1386e59ef1e3c485a19458ff68
Link:
https://www.unpac.me/results/e40f8987-93ca-4c7b-9ef9-747e55003bd6/
SH256 hash:
7a2bd55bbd68d66e0a1e43d702271eb57dfe8c6e17d908a2ed2247d19a2b65df
MD5 hash:
342477386b565c7a54b32c0c27c14a22
SHA1 hash:
66ecab37d5dc3322e6f574c03a1c438350240cdb
Link:
https://www.unpac.me/results/e40f8987-93ca-4c7b-9ef9-747e55003bd6/
SH256 hash:
196b7dc712f4e505e27b2a926c3d2e9ea6fe8bd4370c773e9822a3a68cdf9eb5
MD5 hash:
fbe4d7c385452c70e8a53d63e9dbc1e9
SHA1 hash:
8c2756122a78e088821a0d2c36630c7d76ac47c3
Link:
https://www.unpac.me/results/e40f8987-93ca-4c7b-9ef9-747e55003bd6/
SH256 hash:
82514ada65a4087fc0c6ba0963f0d1cfcb3ab0a1d6ec8d720ca4a5c599c3e33c
MD5 hash:
e18572133448c8e2ff6b30364630c0ae
SHA1 hash:
d9f5bf2f77d72af0a6039b5c8f18dbcfa7cc2dcb
Link:
https://www.unpac.me/results/e40f8987-93ca-4c7b-9ef9-747e55003bd6/
SH256 hash:
7911f1a67c2580f0390dd9eea76d879801c77cb2e114a307e28cb3d31b23f340
MD5 hash:
fc8dc8736cbc013863b77c8f9963c8d6
SHA1 hash:
86f046bab6a953fe8323e347b1a0f45730870589
Link:
https://www.unpac.me/results/e40f8987-93ca-4c7b-9ef9-747e55003bd6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7911f1a67c2580f0390dd9eea76d879801c77cb2e114a307e28cb3d31b23f340

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

zip 9abbf2bb150707d74440e7fe3e91ee8504028b2d112511681a51baa83a9c4351

BitRAT

Executable exe 7911f1a67c2580f0390dd9eea76d879801c77cb2e114a307e28cb3d31b23f340

(this sample)

  
Dropped by
MD5 de37cb1bf2227d412a83bf934936f0da
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9abbf2bb150707d74440e7fe3e91ee8504028b2d112511681a51baa83a9c4351

Comments