MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8345596543d01456fa89f6dfc1f2abcf11130fd0251c39990e39794e5f69b6fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BitRAT


Vendor detections: 12


Maldoc score: 23



SHA256 hash: 8345596543d01456fa89f6dfc1f2abcf11130fd0251c39990e39794e5f69b6fb
SHA3-384 hash: 506218757e7baa8243e0b4a7c461968b85ba4dd31db67f617a0fe90678c7cadc7b394c5265ce3e5ea175e7ade8d37b2b
SHA1 hash: d62d964792f49d68f8ef29bc6dd07197143f5c66
MD5 hash: ff96bd13f7d654b6a5f358b904f34e94
humanhash: comet-august-fillet-lithium
File name: Budget.xlsm
Signature: BitRAT
File size: 738'283 bytes
First seen: 2022-09-22 13:46:34 UTC
Last seen: Never
File type: Excel file xlsm
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 12288:9t0RejzbjuesaVisJIFTSqng5pOrWVbKzT/95MWEE24ohSKrtfonZsxf2yWR7O/t:9kG/uePgTdnypOqbKzR5MooRxfu0uRKt
TLSH: T129F41240E354D0B3F2ACA4303154AC9B19143E3AB446EE056AE774DF6B93F385D78E96
TrID: 50.4% (.XLSM) Excel Microsoft Office Open XML Format document (with Macro) (57500/1/12)
      29.8% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
      15.3% (.ZIP) Open Packaging Conventions container (17500/1/4)
      3.5% (.ZIP) ZIP compressed archive (4000/1)
      0.8% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: abuse_ch
Tags: BitRAT RAT xlsm


abuse_ch
BitRAT C2:
159.223.57.212:4110

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
159.223.57.212:4110    https://threatfox.abuse.ch/ioc/851109/
159.223.57.212:8471    https://threatfox.abuse.ch/ioc/851110/

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 23
OLE dump

MalwareBazaar was able to identify 8 sections in this file using oledump:

Section ID    Section size    Section name
A1            467 bytes       PROJECT
A2            86 bytes        PROJECTwm
A3            1866 bytes      VBA/Module1
A4            977 bytes       VBA/Sheet1
A5            985 bytes       VBA/ThisWorkbook
A6            2693 bytes      VBA/_VBA_PROJECT
A7            569 bytes       VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate the VBA script(s) from the OLE objects embedded in this file using olevba, and found the following:

Type         Keyword              Description
AutoExec     Auto_Open            Runs when the Excel Workbook is opened
IOC          Budget.exe           Executable file name
Suspicious   Open                 May open a file
Suspicious   write                May write to a file (if combined with Open)
Suspicious   binary               May read or write a binary file (if combined with Open)
Suspicious   Adodb.Stream         May create a text file
Suspicious   savetofile           May create a text file
Suspicious   Shell                May run an executable file or a system command
Suspicious   ShellExecute         May run an executable file or a system command
Suspicious   CreateObject         May create an OLE object
Suspicious   Shell.Application    May run an application (if combined with CreateObject)
Suspicious   Microsoft.XMLHTTP    May download files from the Internet
Suspicious   Hex Strings          Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads :
1
# of downloads :
327
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Budget.xlsm
Verdict:
Suspicious activity
Analysis date:
2022-09-22 13:49:50 UTC
Tags:
macros macros-on-open

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
DNS request
Creating a file
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request
Creating a process from a recently created file
Result
Verdict:
Malicious
File Type:
Excel File with Macro
Payload URLs
URL
File name
http://sheet.duckdns.org:9000/Budget.exe
vbaProject.bin
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
80%
Tags:
macros macros-on-open
Label:
Malicious
Suspicious Score:
9.9/10
Score Malicious:
99%
Score Benign:
0%
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write
Detected macro logic that can write data to the file system.
Shell.Application Object
Detected the instantiation of Shell Application object within the macro.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Document With No Content
Document contains little or no semantic information.
Result
Threat name:
AveMaria, BitRAT, UACMe
Detection:
malicious
Classification:
troj.expl.phis.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Drops PE files to the document folder of the user
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Increases the number of concurrent connection per server for Internet Explorer
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office process drops PE file
Sigma detected: Office product drops executable at suspicious location
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Yara detected AveMaria stealer
Yara detected BitRAT
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph (ID 707859; sample Budget.xlsm; start date 22/09/2022; architecture WINDOWS; score 100):
Sample level: contacts sheet.duckdns.org; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 19 other signatures.
Process tree (child processes indented under their parent, with dropped files, network contacts and signatures listed per process):
  EXCEL.EXE
    network: sheet.duckdns.org (159.223.57.212, ports 49704, 9000; CELANESE-US, United States)
    dropped: C:\Users\user\Documents\Budget.exe (PE32+); C:\Users\user\AppData\Local\...\Budget[1].exe (PE32+); C:\Users\user\Desktop\~$Budget.xlsm (data)
    signatures: Document exploit detected (creates forbidden files)
    Budget.exe
      dropped: C:\Users\user\AppData\Local\...\sheeter.exe (PE32)
      signatures: Antivirus detection for dropped file; Creates multiple autostart registry keys
      sheeter.exe
        dropped: C:\Users\user\AppData\Local\...\updater.exe (PE32); C:\Users\user\AppData\Local\...\explorer.exe (PE32); C:\Users\user\AppData\Local\Temp\XRCCYX.exe (PE32)
        signatures: Antivirus detection for dropped file; Drops PE files with benign system names
        explorer.exe
          dropped: C:\Users\user\Documents\explorer.exe (PE32)
          signatures: Antivirus detection for dropped file; Drops PE files to the document folder of the user; Machine Learning detection for dropped file; 4 other signatures
          explorer.exe
            signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
          powershell.exe
            conhost.exe
        updater.exe
          network: sheet.duckdns.org; 192.168.2.1 (unknown)
          dropped: C:\Users\user\AppData\Local:22-09-2022 (HTML); C:\Users\user\AppData\...\Install name (copy) (PE32)
          signatures: Creates files in alternative data streams (ADS); Creates multiple autostart registry keys; Hides threads from debuggers
        XRCCYX.exe
          network: sheet.duckdns.org
          dropped: C:\Users\user\AppData\Roaming\...\browser.exe (PE32); C:\Users\user\AppData\Local\Temp\CUVZTV.vbs (ASCII)
          wscript.exe
      powershell.exe
        network: sheet.duckdns.org
        conhost.exe
  rundll32.exe
  OpenWith.exe
  OpenWith.exe
Threat name:
Script-Macro.Downloader.SLoad
Status:
Malicious
First seen:
2022-09-22 13:47:07 UTC
File Type:
Document
Extracted files:
24
AV detection:
12 of 39 (30.77%)
Threat level:
  3/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
macro
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Office loads VBA resources, possible macro or embedded object present
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:malware_shellcode_hash
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Author:Willi Ballenthin
Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest2
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest3
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest4
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:vbaproject_bin
Author:CD_R0M_
Description:{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments