MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83b3a04479c4310f0ac695041b3c1d60c144be650d4b8838a395ca5a46e722e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BitRAT


Vendor detections: 9



SHA256 hash: 83b3a04479c4310f0ac695041b3c1d60c144be650d4b8838a395ca5a46e722e2
SHA3-384 hash: f2a57d9d9e9708caff69308bacb63c940d7a877b889938a22af7c989b4c6237dcc05c39107f66b24abacf0be62989457
SHA1 hash: 5ae4d24619ae3ca6948c54df5966cfc551ea1b4a
MD5 hash: ad31b1ae880cacf5792155c485a35c84
humanhash: grey-april-oscar-sink
File name: AD31B1AE880CACF5792155C485A35C84.exe
Signature: BitRAT
File size: 3'385'837 bytes
First seen: 2021-07-03 07:05:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 49152:UbA309mWzO3LaotiFKbNszqjpYAwBWsmIEeYcdCNbHs415cpjsZacq+g5i8UFKHV:UbZC1z+z8prTCY8eIsZX05izE4v4V
TLSH: 0AF53301BDC2D4B1E973297A46287A11582EBD205B74CAFF63E8150E9E722C1FB34767
Reporter: abuse_ch
Tags: BitRAT exe RAT


abuse_ch
BitRAT C2:
http://morksu06.top/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                             ThreatFox Reference
http://morksu06.top/index.php   https://threatfox.abuse.ch/ioc/157365/
5.189.188.138:4898              https://threatfox.abuse.ch/ioc/157366/
http://xeidor62.top/index.php   https://threatfox.abuse.ch/ioc/157400/

Intelligence


File Origin
# of uploads: 1
# of downloads: 228
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: AD31B1AE880CACF5792155C485A35C84.exe
Verdict: Malicious activity
Analysis date: 2021-07-03 07:11:31 UTC
Tags: evasion autoit trojan stealer vidar loader rat redline phishing

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Backstage Stealer SmokeLoader Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
DLL reload attack detected
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Backstage Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph (graph rendering not reproduced; node contents listed below):
Behavior Graph ID: 443797
Sample: 75cagiv8km.exe
Start date: 03/07/2021
Architecture: WINDOWS
Score: 100

Process tree:
75cagiv8km.exe (started): spawns Files.exe, Folder.exe, Install.exe and 4 other processes
iexplore.exe (started): spawns two further iexplore.exe processes
Files.exe: spawns File.exe
Folder.exe: spawns rundll32.exe and conhost.exe
Install.exe: spawns cmd.exe
4 other processes: spawn three instances of jfiag3g_gg.exe and inject into explorer.exe
File.exe: spawns run2.exe and run.exe
rundll32.exe: injects into svchost.exe, which spawns a further svchost.exe

Dropped files:
75cagiv8km.exe: C:\Users\user\Desktop\pub2.exe (PE32); C:\Users\user\Desktop\jg3_3uag.exe (PE32); C:\Users\user\Desktop\Install.exe (PE32); 4 other files (none is malicious)
Files.exe: C:\Users\user\AppData\Local\Temp\...\File.exe (PE32)
Folder.exe: C:\Users\user\AppData\Local\Temp\axhub.dll (PE32)
Install.exe: C:\Users\user\AppData\Local\...\setup[2].exe (PE32); C:\Users\user\AppData\...\infostati2[1].exe (PE32); C:\Users\user\AppData\Local\...\null[1] (PE32); 10 other files (2 malicious)
4 other processes: C:\Users\user\Documents\...\jg3_3uag.exe (PE32); C:\Users\user\AppData\...\jfiag3g_gg.exe (PE32); 6 other files (none is malicious)
File.exe: C:\Users\Public\run2.exe (PE32); C:\Users\Public\run.exe (PE32)
run2.exe: C:\Users\user\AppData\...\vcruntime140[1].dll (PE32); C:\Users\user\AppData\...\msvcp140[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); 9 other files (none is malicious)

Network contacts (host, IP, ports, AS, country):
Start node: 104.21.76.97, CLOUDFLARENETUS, United States
Install.exe: g-partners.top 159.65.63.164, ports 49711, 49712, 49713, DIGITALOCEAN-ASNUS, United States; 47.243.129.23, CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, United States; 8.208.79.65, CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, Singapore
iexplore.exe (child): iplogger.org 88.99.66.31, ports 443, 49698, 49699, HETZNER-ASDE, Germany
4 other processes: 101.36.107.74, ports 49701, 80, UHGL-AS-APUCloudHKHoldingsGroupLimitedHK, China; ip-api.com 208.95.112.1, ports 49704, 80, TUT-ASUS, United States; 5 other IPs or domains
File.exe: newja.webtm.ru 92.53.96.150, ports 49697, 80, TIMEWEB-ASRU, Russian Federation
run2.exe: 157.90.127.76, ports 49710, 80, REDIRISRedIRISAutonomousSystemES, United States; sergeevih43.tumblr.com 74.114.154.22, ports 443, 49709, AUTOMATTICUS, Canada
svchost.exe (child): email.yg9.me 198.13.62.186, AS-CHOOPAUS, United States

Signatures attached to graph nodes:
Start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Antivirus detection for dropped file; 16 other signatures
Install.exe: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
4 other processes: DLL reload attack detected; Drops PE files to the document folder of the user; Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
File.exe: Binary is likely a compiled AutoIt script file; Drops PE files to the user root directory
rundll32.exe: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
jfiag3g_gg.exe: Tries to harvest and steal browser information (history, passwords, etc)
run2.exe: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 4 other signatures
run.exe: Sample uses process hollowing technique; Injects a PE file into a foreign processes
svchost.exe (injected): System process connects to network (likely due to code injection or exploit); Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
svchost.exe (child): Query firmware table information (likely to detect VMs)
Threat name: Win32.Ransomware.Stupid
Status: Malicious
First seen: 2021-06-30 06:45:13 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:cryptbot family:elysiumstealer family:raccoon family:redline family:smokeloader family:vidar botnet:18_6_bl_84s7 backdoor bootkit discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Opens file in notepad (likely ransom note)
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
autoit_exe
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Checks computer location settings
Drops startup file
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Vidar Stealer
CryptBot
CryptBot Payload
ElysiumStealer
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
qitoshalan.xyz:80
xeidor62.top
morksu06.top
Unpacked files
SHA256 hash: 8ac07124315f36db78c157ed5d2c3d7ed75120ecc4d0d4a6622de2a98f587c16
MD5 hash: 2f1ae78cae116a020760f54479c3e9b3
SHA1 hash: 433fe2252e21043a302af27a6a0741499cefd4ed

SHA256 hash: 55361941ab12c7edd987c706d25423d868f756fab1028d99eeffacdabf3da4ca
MD5 hash: 4de4b7bc0a92902422c4204fcfa58150
SHA1 hash: 587e0299ea32cc836281998941daa60f471e3480

SHA256 hash: 40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
MD5 hash: 7165e9d7456520d1f1644aa26da7c423
SHA1 hash: 177f9116229a021e24f80c4059999c4c52f9e830

SHA256 hash: 10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
MD5 hash: 89c739ae3bbee8c40a52090ad0641d31
SHA1 hash: d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256 hash: 12b2a34db1f822c089218f1b46c1870462a0afb65ff0364e0f0ba043e93c1e5a
MD5 hash: a7732204d9c883a4373c8b615c97de43
SHA1 hash: 017de30fc0647908eb8dd532982ce6644fb13e59

SHA256 hash: a2db70fb07c0aea35d8d48674bc5f80e7d2fb415886893580fea097776784052
MD5 hash: 68143662cdcbd5aa7d3cdba39952e0d2
SHA1 hash: 9881a6b13c71034f950225cee4c5ccbae949fc52

SHA256 hash: 46997855112c380a5dfb1fc6561b33a30b9f50ca8737610aa22e4b2ce5c0849f
MD5 hash: 466239aa9febe639b13685784e77847f
SHA1 hash: 73e268377b4c518db5176f3b3c4b6d6c053ba1a0

SHA256 hash: 574a1e8093a8a16ebc96234701b1b14851f0c3bd2d5d5f687be59ac09b6554f3
MD5 hash: 08ff8f4643d75e0e160dfe7d9c9c006a
SHA1 hash: 890c655b9b28e0ac6bac1c8666b5b4be47011867

SHA256 hash: a8a0c5d0f47f5eea6f4a1bd6af0e4a250786d5ea46d1c6db7da29c4d793dfb11
MD5 hash: acd384e6d663667bb8fda7b16377915b
SHA1 hash: 934a53773639e9b2ec7a1cb7bd7d9cf5f280cc34

SHA256 hash: 3c5748b3274a1f7fe73e45737a358f63bc7b380e00b05a9f8e0a1439e5f73b79
MD5 hash: a1380115e3c2bacdf64f3362e49ae060
SHA1 hash: c1b275ba10c45b2c7eb7c17cd8f631dd67d9b78c

SHA256 hash: bb8b6c2c5b9a709d541162453227a221775ee0169c4b98d34dcd826933acbab3
MD5 hash: 8d52d110ec716efdb40e49f42859ba43
SHA1 hash: 82f8427e230606e1108a4eb29073fb71d2458206

SHA256 hash: 55cdb9054f66ed88b8215d9f981efd7421c6f50dc9285140ec5ff591e34121bd
MD5 hash: 5631522a0758055c133e7966c1948802
SHA1 hash: 90caf8180bf43727fc490ffa34b1d578833aad7f

SHA256 hash: 83b3a04479c4310f0ac695041b3c1d60c144be650d4b8838a395ca5a46e722e2
MD5 hash: ad31b1ae880cacf5792155c485a35c84
SHA1 hash: 5ae4d24619ae3ca6948c54df5966cfc551ea1b4a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Glasses
Author: Seth Hardy
Description: Glasses family

Rule name: GlassesCode
Author: Seth Hardy
Description: Glasses code features

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_HyperBro03
Author: ditekSHen
Description: Hunt HyperBro IronTiger / LuckyMouse / APT27 malware

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments