MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f38a7aaa38b085cb58239af935b98c38ea41acd4d489c57dea812a99792da02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f38a7aaa38b085cb58239af935b98c38ea41acd4d489c57dea812a99792da02
SHA3-384 hash: 3d3cf1f4fa7b70eff97b3f753d97b32cc4c3902317d8747f28798352f2ac16a836eaf8a480b96588231ddefe1eda002c
SHA1 hash: 02af51382d6e3b91e132bc657269c293da7a5c34
MD5 hash: 1b0b83981dd569c9537571c5171a80c3
humanhash: early-delta-diet-bacon
File name:1B0B83981DD569C9537571C5171A80C3.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:11'397'120 bytes
First seen:2021-06-18 00:42:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash aad05474bfee082c9529c0427d51edae (4 x BitRAT)
ssdeep 196608:6Zd5iA62TzZune18PWFPt+uwoGADQHOSHC7cuGljyqX:wvZv6PW2ut0uSHC7cuGljy
Threatray 216 similar samples on MalwareBazaar
TLSH 5DB6233F7268643EC5AF0A3109B3A320593BB762656A8C5F17F4091DCF765602F3B626
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
115.78.134.34:6606

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
115.78.134.34:6606 https://threatfox.abuse.ch/ioc/131317/

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setupdns.exe
Verdict:
Malicious activity
Analysis date:
2021-06-14 02:19:18 UTC
Tags:
installer
Link:
https://app.any.run/tasks/52559dba-dca0-4fee-b2d1-c10f54101186

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166686/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

Win.Packed.Genkryptik-9869489-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BitRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2db29a1b-f2e9-4810-8982-2f7f6eb504e2
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/804030
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 436440 Sample: jvRdW38Wvd.exe Startdate: 18/06/2021 Architecture: WINDOWS Score: 48 62 Antivirus / Scanner detection for submitted sample 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected BitRAT 2->66 68 2 other signatures 2->68 9 jvRdW38Wvd.exe 2 2->9         started        13 YogaDNS.exe 9 12 2->13         started        16 YogaDNS.exe 2->16         started        process3 dnsIp4 44 C:\Users\user\...\knKKtKW1SbJHnI7Q.exe, PE32 9->44 dropped 74 Contains functionality to inject code into remote processes 9->74 76 Injects a PE file into a foreign processes 9->76 78 Contains functionality to hide a thread from the debugger 9->78 18 jvRdW38Wvd.exe 1 1 9->18         started        23 knKKtKW1SbJHnI7Q.exe 2 9->23         started        25 jvRdW38Wvd.exe 9->25         started        27 jvRdW38Wvd.exe 9->27         started        56 yogadns.com 172.104.9.252, 443, 49737 LINODE-APLinodeLLCUS United States 13->56 58 192.168.2.1 unknown unknown 13->58 60 www.yogadns.com 13->60 file5 signatures6 process7 dnsIp8 54 115.78.134.34, 49722, 49726, 49727 VIETEL-AS-APViettelGroupVN Viet Nam 18->54 40 C:\Users\user\AppData\Local:18-06-2021, HTML 18->40 dropped 70 Creates files in alternative data streams (ADS) 18->70 72 Hides threads from debuggers 18->72 42 C:\Users\user\...\knKKtKW1SbJHnI7Q.tmp, PE32 23->42 dropped 29 knKKtKW1SbJHnI7Q.tmp 28 32 23->29         started        file9 signatures10 process11 file12 46 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 29->46 dropped 48 C:\Program Files (x86)\YogaDNS\is-KAG9V.tmp, PE32 29->48 dropped 50 C:\Program Files (x86)\YogaDNS\is-BO8FU.tmp, PE32 29->50 dropped 52 4 other files (none is malicious) 29->52 dropped 32 net.exe 1 29->32         started        34 YogaDNS.exe 29->34         started        process13 process14 36 conhost.exe 32->36         started        38 net1.exe 1 32->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f38a7aaa38b085cb58239af935b98c38ea41acd4d489c57dea812a99792da02/
Threat name:
Win32.Backdoor.ParalaxRat
Create hunting rule
Status:
Malicious
First seen:
2021-06-15 03:06:00 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p44kpkvdrmefznmchgxzgw4yyohkigwnjvejyv66vajktf4s3iba._file
Verdict:
malicious
Similar samples:
19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
BitRAT
1a1a7812131f7c1bb63f441d7e0ad05e8918035b8975ddc3486daeab4f1b9d21
BitRAT
2d008c3033f4c5dbfe78d0ad678568b4bc06526e53b7a811fb86ca9e89a9d844
BitRAT
2efad23e5eb0e9a7ba2cbe0cc79d97e242047ec89baefe08568c447d17fe8bb1
BitRAT
3884a46ac64617d3f1638402e99118aeeee8ea3e18bf3c6f768d43cce3267f4b
BitRAT
43490b0471bb7e28b432a908893b2e7df5036f3ee939c930c45fe158e66f5e33
BitRAT
73bb9cf10cc0d2f992dc90e75ad0be20992f9f7bf4c0a68dc71924469a1106ba
BitRAT
84a40d0820ae9248a654b7d462fa3127d376792e16cf52b4621ca29add8fe0e5
BitRAT
ac84f24af4ee7638d9ee6c5d4b080130a7e1055e5f9bfbc1991dc889a03f664c
BitRAT
cab2c0c7d8cb30d77bcd469e52357f584077fbd35517f7c6a6886f42e729cc47
BitRAT
+ 206 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/210618-6819sgvxy2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Executes dropped EXE
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
ede5d3ecfa584b5370b337f84977ec64006eebcd9f69332d22a177f6ee6e1151
MD5 hash:
2e972131164f8bb89e74424afa5373e4
SHA1 hash:
724ad988beab4979a88a23814ebc556fdbebfc0b
Link:
https://www.unpac.me/results/253a7d9a-663e-4fea-bc54-314bba64ab28/
SH256 hash:
bc905151c0e18ecf1ba8ddc5cee617ef65230e915ea26ed692d561b08afc60fa
MD5 hash:
74aa8cdffe3695afebd478caf0353451
SHA1 hash:
68d66be3b5c494b416f8fd614bdcdc076807e69e
Link:
https://www.unpac.me/results/253a7d9a-663e-4fea-bc54-314bba64ab28/
SH256 hash:
fd3802363d4075a81bb7ffa41d67b0dd740bb5cd1b0a502fd0fce8768e2ee516
MD5 hash:
72a064e58f797900a980b03ede8daed8
SHA1 hash:
3a45ceae0b497f993cd1298f8ae378bf4c8758b1
Link:
https://www.unpac.me/results/253a7d9a-663e-4fea-bc54-314bba64ab28/
SH256 hash:
8dcd8fc054278f749fa17f94da46354992f4fd67b918e69f6b6b3e82c98b0bda
MD5 hash:
1e8f9118d3209876e4f90f2ce3ef6f28
SHA1 hash:
e7df57c21a317284628628800d849d3b0f8848bf
Link:
https://www.unpac.me/results/253a7d9a-663e-4fea-bc54-314bba64ab28/
SH256 hash:
7f40c11832aad13f4937f49f5426d716478cb8e253ee42a45806e7aa7097c6a1
MD5 hash:
aa9f35ea9ae943bd0d76042268d6235e
SHA1 hash:
0c31064994a8daeecef55460f6d0420f097a1dff
Link:
https://www.unpac.me/results/253a7d9a-663e-4fea-bc54-314bba64ab28/
SH256 hash:
dae198f263d2422e3a26b0928e0f5a7f79f9b575e0693514b875ea2954ca756d
MD5 hash:
ed6d29d71bad71b459f7b6a59a7a2c20
SHA1 hash:
06d7765d42549514e7c6df8d076e78c34ab31902
Link:
https://www.unpac.me/results/253a7d9a-663e-4fea-bc54-314bba64ab28/
SH256 hash:
7f38a7aaa38b085cb58239af935b98c38ea41acd4d489c57dea812a99792da02
MD5 hash:
1b0b83981dd569c9537571c5171a80c3
SHA1 hash:
02af51382d6e3b91e132bc657269c293da7a5c34
Link:
https://www.unpac.me/results/253a7d9a-663e-4fea-bc54-314bba64ab28/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7f38a7aaa38b085cb58239af935b98c38ea41acd4d489c57dea812a99792da02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/166686/

Comments