MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ea33c91dc1a98b9ab5229455e951d38f4d4563130f87d3fa290b9b01b2337dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ea33c91dc1a98b9ab5229455e951d38f4d4563130f87d3fa290b9b01b2337dd
SHA3-384 hash: 9cf75adfc500010f7d9b1dd7778fc74717bf5363ff20802928404601d2d08c3a58253b4e7fbe168ebb871703b8060173
SHA1 hash: 2978b88682f86b3a76aaad68add2b8e40d3972fd
MD5 hash: 07fec7939865e6cb719f2b2fbe48091d
humanhash: nebraska-lithium-sodium-utah
File name:Halkbank_Ekstre_20191102_073809_405251-PDF.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:27'136 bytes
First seen:2021-12-03 09:52:27 UTC
Last seen:2021-12-06 07:03:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:LiXRfhJcJ7LtLUqMPAJUbLNLad65TI3ooc3qR5WuDhO4+I9y/CMzqTLwzfWntw+d:wJcBRARxad+WHcXfVz
Threatray 592 similar samples on MalwareBazaar
TLSH T134C2C535BFD90C53C8FB493A0CC2BD744D7A79CF619186BF9988E23D7B4029409A5B91
File icon (PE):PE icon
dhash icon f0b07090cb6468e2 (5 x AgentTesla, 4 x NanoCore, 3 x BitRAT)
Reporter abuse_ch
Tags:BitRAT exe geo Halkbank TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Halkbank_Ekstre_20191102_073809_405251-PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-12-03 10:28:09 UTC
Tags:
trojan rat azorult bitrat stealer
Link:
https://app.any.run/tasks/329fbb2b-6da5-4046-8c2c-0afbfa096d0f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/210989/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61a9e9034d8e6f3a5e0ce232/reports/982bffe6-1906-43b8-aeb3-0931c81e7977/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a9d465d9-5d1a-41c3-a71c-ca564e49417a
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/900751
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Performs DNS queries to domains with low reputation
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ping.exe to check the status of other devices and networks
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 533228 Sample: Halkbank_Ekstre_20191102_07... Startdate: 03/12/2021 Architecture: WINDOWS Score: 100 39 sparrowxx.xyz 2->39 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Multi AV Scanner detection for domain / URL 2->49 51 Found malware configuration 2->51 53 6 other signatures 2->53 8 Halkbank_Ekstre_20191102_073809_405251-PDF.exe 19 9 2->8         started        signatures3 process4 dnsIp5 45 www.uplooder.net 144.76.120.25, 443, 49784 HETZNER-ASDE Germany 8->45 31 C:\Users\...\Utcgnfemtevpedzdjlnmarbitr.exe, PE32 8->31 dropped 33 C:\Users\user\...\Tuediqfjiqpwpfwuobjlz.vbs, ASCII 8->33 dropped 35 C:\Users\user\AppData\Roaming\...\Chrome.exe, PE32 8->35 dropped 37 Halkbank_Ekstre_20...3809_405251-PDF.exe, PE32 8->37 dropped 12 wscript.exe 1 8->12         started        14 powershell.exe 9 8->14         started        17 powershell.exe 8 8->17         started        file6 process7 signatures8 19 Utcgnfemtevpedzdjlnmarbitr.exe 12->19         started        63 Uses ping.exe to check the status of other devices and networks 14->63 22 PING.EXE 1 14->22         started        25 conhost.exe 14->25         started        27 PING.EXE 1 17->27         started        29 conhost.exe 17->29         started        process9 dnsIp10 55 Antivirus detection for dropped file 19->55 57 Multi AV Scanner detection for dropped file 19->57 59 Machine Learning detection for dropped file 19->59 61 Contains functionality to inject code into remote processes 19->61 41 yahoo.com 74.6.143.25 YAHOO-3US United States 22->41 43 google.com 216.58.215.238 GOOGLEUS United States 27->43 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ea33c91dc1a98b9ab5229455e951d38f4d4563130f87d3fa290b9b01b2337dd/
Threat name:
ByteCode-MSIL.Trojan.Xenarmor
Create hunting rule
Status:
Malicious
First seen:
2021-12-03 09:53:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p2rtzeo4dkmltk2sffcv5fi5hd2nivrrgd4h2p5csc43agzdg7oq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
trickbot
Create hunting rule
Similar samples:
15c2c10245cefd160439ac103fe27981519904fe88ea614d8b900fe37120759b
BitRAT
2b9e8dc39755d37c2a78fd00f6fa57414205648e65ae6a6c76c102c7d78e2e86
BitRAT
3936db5f71715f5ef3c4807c9fe0913943ae3b0aa3f000f40ec95558789a2450
BitRAT
57962424bffff920ffddd397bb18ea1dcb43b641ff8a8d72c73c8e6db3d9b63d
BitRAT
6173a7ce15143ef14d5109785782e3e2aadd6108535eff03e765d50a5f586c17
BitRAT
6eee4427f95eee176f7b71c9af116801d55fd7c3057f57320d1dab15369fecd4
BitRAT
7840f0892f2762590368de7091d31be8ace3a3ca1982dd5efd22c938a1552a47
BitRAT
99e4750c775bb7e8406a3ee86e62af83c36139a8090bb621b167d2b224a872be
BitRAT
be06f303ae133e36f87ef001dc369f0212f76b26ad53ec171fd2dcdde9463cea
BitRAT
ed89efa7c8159a2158076d37effc5f0f12bba88955ee9345cf67210ec0a6e43c
BitRAT
+ 582 additional samples on MalwareBazaar
Result
Malware family:
xenarmor
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:xenarmor collection discovery infostealer password persistence recovery spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/211203-lwmy2sgadq/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Azorult
XenArmor Suite
suricata: ET MALWARE AZORult v3.3 Server Response M3
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M6
Malware Config
C2 Extraction:
http://sparrowxx.xyz/az2/index.php
Unpacked files
SH256 hash:
7ea33c91dc1a98b9ab5229455e951d38f4d4563130f87d3fa290b9b01b2337dd
MD5 hash:
07fec7939865e6cb719f2b2fbe48091d
SHA1 hash:
2978b88682f86b3a76aaad68add2b8e40d3972fd
Link:
https://www.unpac.me/results/49a28dac-b22a-4bf4-b7c5-f91f32dbf150/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7ea33c91dc1a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ea33c91dc1a98b9ab5229455e951d38f4d4563130f87d3fa290b9b01b2337dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/210989/

Comments