MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c4b4872ed76f3ca1b6241b682b38e64d6b7ba1eb0ea2c9893cf16c3719c48cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c4b4872ed76f3ca1b6241b682b38e64d6b7ba1eb0ea2c9893cf16c3719c48cb
SHA3-384 hash: c81f1304e4693e7ab51a46581f8f2586840dcef791d53a9da7cb4f5a167fa85fa9dbcc46a4ed645f668a6b65ecfba090
SHA1 hash: f986d28f8c631f07246547389e28be34975b4df2
MD5 hash: 71c085131fc413fa18480971805a06c3
humanhash: pip-golf-comet-uniform
File name:71c085131fc413fa18480971805a06c3
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'899'808 bytes
First seen:2021-06-24 14:42:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 49152:RB/ur7pdnDYzgpIXIt/D8wMIl/Cjm5IEBOY/n:RFurPlA+rTIjSW6
Threatray 239 similar samples on MalwareBazaar
TLSH 3795016BE244D869D673D1399013EA7A7D230DF35EA0411A53983FFA8A321756DF2B03
Reporter zbetcheckin
Tags:32 BitRAT exe signed

Code Signing Certificate

Organisation:Iriun Oy
Issuer:Certum Extended Validation Code Signing CA SHA2
Algorithm:sha256WithRSAEncryption
Valid from:2020-08-18T05:27:14Z
Valid to:2021-08-18T05:27:14Z
Serial number: 0ba952d4d57166a3ebe17cfc02e0959b
Thumbprint Algorithm:SHA256
Thumbprint: cefa29111e733c4e3b42766105c607d92eef479c518f4920ce93e950ecbe6b03
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
71c085131fc413fa18480971805a06c3
Verdict:
Suspicious activity
Analysis date:
2021-06-24 14:44:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f5828975-8fe2-4545-8d3c-45edfcb823e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168060/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.13079.30354.31611.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e4bb47e3-926f-46d4-9140-24af11362c27
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807559
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 439970 Sample: 1ZqCzD1pRd Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 33 qays.mine.nu 2->33 39 Multi AV Scanner detection for dropped file 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected BitRAT 2->43 45 3 other signatures 2->45 9 1ZqCzD1pRd.exe 4 8 2->9         started        signatures3 process4 file5 25 C:\Users\user\AppData\Roaming\ware.exe, PE32 9->25 dropped 27 C:\Users\user\AppData\...\InstallUtil.exe, PE32 9->27 dropped 29 C:\Users\user\AppData\...\_Sfxgturopkyp.vbs, ASCII 9->29 dropped 31 C:\Users\user\AppData\...\1ZqCzD1pRd.exe.log, ASCII 9->31 dropped 47 Creates an undocumented autostart registry key 9->47 49 Writes to foreign memory regions 9->49 51 Injects a PE file into a foreign processes 9->51 13 wscript.exe 1 9->13         started        16 InstallUtil.exe 9->16         started        18 InstallUtil.exe 1 9->18         started        signatures6 process7 dnsIp8 53 Wscript starts Powershell (via cmd or directly) 13->53 55 Adds a directory exclusion to Windows Defender 13->55 21 powershell.exe 24 13->21         started        57 Contains functionality to inject code into remote processes 16->57 59 Contains functionality to hide a thread from the debugger 16->59 35 qays.mine.nu 95.141.215.167, 49741, 49743, 49744 XOLJO Jordan 18->35 37 192.168.2.1 unknown unknown 18->37 61 Hides threads from debuggers 18->61 signatures9 process10 process11 23 conhost.exe 21->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c4b4872ed76f3ca1b6241b682b38e64d6b7ba1eb0ea2c9893cf16c3719c48cb/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 13:26:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=prfuq4xno3z4ug3cig3ifm4omtllpoq6wdvczgetz4lmg4m4jdfq._file
Verdict:
malicious
Similar samples:
14ea0d3828549bfd5d7d3733bc1e3495aa86b21333daeabd4d9408b53f707933
BitRAT
278fbae6952f9d802509d29d6033e824a92e467a22adc87d0a8231d6e6175fc5
BitRAT
2efad23e5eb0e9a7ba2cbe0cc79d97e242047ec89baefe08568c447d17fe8bb1
BitRAT
5ee3f639bb7e4a7bc91f9ead0035fb6665f4d55ea7ca0f5c726ae44de4235bea
BitRAT
68e1c3cd1953f50cf97c15396e47257cedb6d67d5833ea589f1260b61638823f
BitRAT
7841409513d50a3f415b158310103776d996400fb9e1e13c6bc49f6b740e1645
BitRAT
929ea8cb5bdef95c8f6b1b7f98ce1a27565fb40af90be41cc4aa70044f53ea31
BitRAT
cab2c0c7d8cb30d77bcd469e52357f584077fbd35517f7c6a6886f42e729cc47
BitRAT
cbcadf05dbd77ff66668dd965e7f3cfc96ded00d9dce31aaa91fa47602138c1c
BitRAT
e4fae47c8647fc72fb1bbcadc0df6814c22298b3040938f81cbe0b83fec8b8b3
BitRAT
+ 229 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan upx
Link:
https://tria.ge/reports/210624-effkp5d9vx/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
UPX packed file
BitRAT
BitRAT Payload
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
0910a7f88c47b825ad94a76aa56667e877f92db517e6b58cd8f8a7997f582eb2
MD5 hash:
420a452ec382b4c66f7c745458ff817d
SHA1 hash:
3e0e34c794f90770da155d93f074abf31b154357
Link:
https://www.unpac.me/results/e279fd4c-fdeb-494f-be82-b876c751e0e7/
SH256 hash:
2023cc47ea53e429f04dbba3a00d3f54ecea645068c92cdbc31221684dee3afd
MD5 hash:
31a98790b96d1f528f66b6cb0135030d
SHA1 hash:
abc7a3b4473054888e802c8bb4ab56dfad16e0f6
Link:
https://www.unpac.me/results/e279fd4c-fdeb-494f-be82-b876c751e0e7/
SH256 hash:
4cc09b5b1be59db69305d34c422ad28b01e04ed6cc722d250f306c7bb2203fce
MD5 hash:
7cbff1992c6e85ef8f0e0a0253bbe16a
SHA1 hash:
4fd41fb333b975e262073102c6d780b992af0122
Link:
https://www.unpac.me/results/e279fd4c-fdeb-494f-be82-b876c751e0e7/
SH256 hash:
7c4b4872ed76f3ca1b6241b682b38e64d6b7ba1eb0ea2c9893cf16c3719c48cb
MD5 hash:
71c085131fc413fa18480971805a06c3
SHA1 hash:
f986d28f8c631f07246547389e28be34975b4df2
Link:
https://www.unpac.me/results/e279fd4c-fdeb-494f-be82-b876c751e0e7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c4b4872ed76f3ca1b6241b682b38e64d6b7ba1eb0ea2c9893cf16c3719c48cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 7c4b4872ed76f3ca1b6241b682b38e64d6b7ba1eb0ea2c9893cf16c3719c48cb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1394873/
Cape
Cape
https://www.capesandbox.com/analysis/168060/

Comments