MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e91804516bd4803c7334e8bb593aa9d3f5f2b5d0160161ba4a81a4bb2556e00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e91804516bd4803c7334e8bb593aa9d3f5f2b5d0160161ba4a81a4bb2556e00
SHA3-384 hash: a169b6bac32875d8246ade088bd67df498edcd984fea9501e930dd0df2f315b0063be4689995e2b696ad36cd01b0b1f5
SHA1 hash: 17f73433351cdd58e7da809942e7d239a6df3184
MD5 hash: 691132fd9fe387cdb570edfe18b84e19
humanhash: skylark-cardinal-lion-steak
File name:691132fd9fe387cdb570edfe18b84e19.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'158'344 bytes
First seen:2021-08-27 07:05:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 49152:HIK1xxlFP7qVwP1+VOlWrDG1SLg9e5kVwddd07wctnHrSmGoNFAV:HtPP7qVwPcSgLg9lwiwc5emBAV
Threatray 438 similar samples on MalwareBazaar
TLSH T137A53355A44B4FD1C26F1AF2E920835D9E6B2F957CE3DBEFE988EC803D11102D9419A3
dhash icon 4db292f2d88cb40b (15 x RemcosRAT, 13 x AgentTesla, 7 x NanoCore)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
79.134.225.103:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.103:443 https://threatfox.abuse.ch/ioc/200468/

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
691132fd9fe387cdb570edfe18b84e19.exe
Verdict:
Malicious activity
Analysis date:
2021-08-27 07:08:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/67b8e150-f736-4015-8125-0fe0bedfe7db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/182815/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/96d8dbc9-55f4-46f5-9600-be50f8827432
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840224
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Suspicious Process Start Without DLL
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e91804516bd4803c7334e8bb593aa9d3f5f2b5d0160161ba4a81a4bb2556e00/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-08-27 07:06:12 UTC
AV detection:
11 of 42 (26.19%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p2iyariwxveahrztj2f3le5ktu7v6k25afqbmg5evanexmsvnyaa._file
Verdict:
malicious
Similar samples:
03957e1a76e380308206465031a99a1db9e7afce4b82e021f0f8f94888b791b2
BitRAT
0b6efdd0f3f4dddee58af21631051999c5e9d7968a3ba2e7a34388c42375a457
BitRAT
0eaeab189b978e9babdb4324c22d4bb708e3b33c0016f52e37aa66efae4a310e
BitRAT
185d25898a718d3e3ff6d12a3ad18f12734c73859ed4ff1993ce1e4a011485f2
BitRAT
4bddc1b65b7a24af3d24bddcd3722811775f3f98a65fbc433c762e1615af28c1
BitRAT
b4f128cdd69eb21d1de98b00303e01258993fe7fba7467aa8ab642df03ffd890
BitRAT
c2e1450509092251b7376c9d4acd0636b41c19060591c0ef6c3bb58ab7e49ee0
BitRAT
c3e53e28198dfe92caa7b46355f543dd18c0353ef42f2e28862682a79e863735
BitRAT
e386c831df697e516fedcab1ad8a879ae057a5f4f321a873dcd31e9c6760009e
BitRAT
+ 428 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan
Link:
https://tria.ge/reports/210827-k4vlyygev2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
ccb33ce74cc2bbd3b2a449ad2e5b9d4770310dc2b9a7f63b856460b1ded0487a
MD5 hash:
70e6a3d5e126a9608a091f1954f66616
SHA1 hash:
fc1a8591eba268068dd7d36e52beb46b30641db4
Link:
https://www.unpac.me/results/db3a0e12-c0be-4d05-9d03-36916e461e25/
SH256 hash:
d9b11d7b514bdd4d48724c0629c1951ef94f4a32a8a5d33abdcf0c84a04ef947
MD5 hash:
b45ab290cf845de8a0c0126e6d9b6217
SHA1 hash:
ba48258c06abb72b6a018146cc9dfecd1fa14ae3
Link:
https://www.unpac.me/results/db3a0e12-c0be-4d05-9d03-36916e461e25/
SH256 hash:
b2704a38fe81d83e9a2eda12772460b02a606c319f9ef3c7e5eb47d2254ad33d
MD5 hash:
c45bf767c860f32bf8b40e9d06abb2c2
SHA1 hash:
371b8614c16abafa1782556374425f80457f413b
Link:
https://www.unpac.me/results/db3a0e12-c0be-4d05-9d03-36916e461e25/
SH256 hash:
7e91804516bd4803c7334e8bb593aa9d3f5f2b5d0160161ba4a81a4bb2556e00
MD5 hash:
691132fd9fe387cdb570edfe18b84e19
SHA1 hash:
17f73433351cdd58e7da809942e7d239a6df3184
Link:
https://www.unpac.me/results/db3a0e12-c0be-4d05-9d03-36916e461e25/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.13
Link:
https://yomi.yoroi.company/submissions/7e91804516bd4803c7334e8bb593aa9d3f5f2b5d0160161ba4a81a4bb2556e00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 7e91804516bd4803c7334e8bb593aa9d3f5f2b5d0160161ba4a81a4bb2556e00

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/182815/
  
URLhaus
https://urlhaus.abuse.ch/url/1568740/
  
Delivery method
Distributed via web download

Comments