MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a92342da6840a0bc0901205b44b91ab861f05c91a9f920fb856d676c6a7fc96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a92342da6840a0bc0901205b44b91ab861f05c91a9f920fb856d676c6a7fc96
SHA3-384 hash: a0986feb8063912d61f3979ccb406e7ece8826984247b2d52949ee8ce092ea56c27fb0fdcbb9e9e40ec68d56ff0638ed
SHA1 hash: b8efd69fabf3c7b1a421725e0e79b473e2d93bc6
MD5 hash: 63c173c494e79d63ef61a432fed6a7dd
humanhash: spring-mango-fourteen-finch
File name:63c173c494e79d63ef61a432fed6a7dd
Download: download sample
Signature BitRAT
Create hunting rule
File size:3'961'856 bytes
First seen:2021-06-24 06:21:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:pPUXmPlJ8b5Fl1u1p2a6ZPirXOCtwA/i2KeobSSin3253C6fM2Z:psX48V26PireC7i2roin325y6x
Threatray 63 similar samples on MalwareBazaar
TLSH 890633E660B99F34D54C8071B9D93F5D9C35C6268AEFA88A2B153CDFB0849C02359CB7
Reporter zbetcheckin
Tags:32 BitRAT exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
31.7.63.14:38294 https://threatfox.abuse.ch/ioc/153105/

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
63c173c494e79d63ef61a432fed6a7dd
Verdict:
Suspicious activity
Analysis date:
2021-06-24 06:27:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bbc5210b-d519-4d2f-ada2-f5218841b5bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167856/
Detection(s):
Win.Packed.Razy-7334624-0
Create hunting rule

ditekSHen.INDICATOR.Packed.NyanXCAT-CSharpLoader.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c2f87a73-3617-4fa2-9d4a-8dbcfa76ad0d
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807188
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Start Without DLL
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 439600 Sample: NE2vUTya7N Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 34 sadasdasd.re 2->34 36 clientconfig.passport.net 2->36 42 Antivirus / Scanner detection for submitted sample 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected BitRAT 2->46 48 4 other signatures 2->48 8 NE2vUTya7N.exe 5 2->8         started        12 Update.exe 2 2->12         started        signatures3 process4 file5 30 C:\Users\user\AppData\Roaming\...\Update.exe, PE32 8->30 dropped 32 C:\Users\user\AppData\...32E2vUTya7N.exe.log, ASCII 8->32 dropped 50 Uses schtasks.exe or at.exe to add and modify task schedules 8->50 14 RegAsm.exe 1 2 8->14         started        18 schtasks.exe 1 8->18         started        52 Antivirus detection for dropped file 12->52 54 Multi AV Scanner detection for dropped file 12->54 56 Machine Learning detection for dropped file 12->56 20 schtasks.exe 1 12->20         started        22 RegAsm.exe 12->22         started        24 RegAsm.exe 12->24         started        signatures6 process7 dnsIp8 38 sadasdasd.re 31.7.63.14, 38294, 49717, 49724 PLI-ASCH Switzerland 14->38 40 192.168.2.1 unknown unknown 14->40 58 Contains functionality to inject code into remote processes 14->58 60 Hides threads from debuggers 14->60 62 Contains functionality to hide a thread from the debugger 14->62 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a92342da6840a0bc0901205b44b91ab861f05c91a9f920fb856d676c6a7fc96/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-06-18 18:52:20 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pkjdilngqqfaxqeqcic3is4rvodb6bojdkpzed5yk3lhnrvh7sla._file
Verdict:
unknown
Similar samples:
2204e08dcb82575e4ed439ef30ad7367084ef50f4132118c8658ae2f9a4e9ad6
BitRAT
4bdcab6e5a078fb21d0ce208f9b9b025fc7a3baa049c359d7664c7a00ac83d30
BitRAT
56e710ea1f70626aee844269cb7197e2142908b70082908436a77e1ee4d9fce7
BitRAT
7ec599424a161fe942345c2336dd0cfb8c7d64e6e72b8e90efd999328b06cc04
BitRAT
a0df7e343a6140e92c41f30829a904d3e87e02936b38b25f764fd050bc8ce97c
BitRAT
a2f938bc8150112d96a0ce206fd2bc9eaf65d296dbc56d55345b120ae943f363
BitRAT
ae380a8d4305031f7dba4fe2c7f4ce47784f5cb6b65aaa150388f3422c70b685
BitRAT
b79d5a2f5f011eb02665057aec937277f09aa936e15f0d4e44fae931f89d2c59
BitRAT
d14649ed26723ca7525ddadcf587794a3906ba9ebb090c83499f269ba2fd6ab8
BitRAT
e50cf3f7139ac7f4924b835334a98f7c426b66d0d19e986d885bd4080433d7bd
BitRAT
+ 53 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210624-j1tv2eysg2/
Unpacked files
SH256 hash:
7a92342da6840a0bc0901205b44b91ab861f05c91a9f920fb856d676c6a7fc96
MD5 hash:
63c173c494e79d63ef61a432fed6a7dd
SHA1 hash:
b8efd69fabf3c7b1a421725e0e79b473e2d93bc6
Link:
https://www.unpac.me/results/9fd24b1a-8e15-4199-82b7-890c8cd6c1af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a92342da6840a0bc0901205b44b91ab861f05c91a9f920fb856d676c6a7fc96

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_EXE_Packed_NyanXCat_CSharpLoader
Create hunting rule
Author:ditekSHen
Description:Detects .NET executables utilizing NyanX-CAT C# Loader
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 7a92342da6840a0bc0901205b44b91ab861f05c91a9f920fb856d676c6a7fc96

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1393808/
Cape
Cape
https://www.capesandbox.com/analysis/167856/

Comments