MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84c32cb403361a5d8d8117cf941b89c6c819ac453a0e1f411eb5c2952cc35e7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	84c32cb403361a5d8d8117cf941b89c6c819ac453a0e1f411eb5c2952cc35e7c
SHA3-384 hash:	cbbc11ec2a5d023f474ed07d015e1ce51ba18ca3a9791ab8508df2e3fa12d37f65877c8caf1d22a8522e0bef0a270090
SHA1 hash:	8b168865e07098254456c4bde49f0892e42ae2b1
MD5 hash:	a76da3ab31bd142881d3cc05b3903dba
humanhash:	pasta-berlin-gee-delaware
File name:	A76DA3AB31BD142881D3CC05B3903DBA.exe
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	1'978'880 bytes
First seen:	2021-08-11 23:26:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	aad05474bfee082c9529c0427d51edae (4 x BitRAT)
ssdeep	24576:CjmjQcndRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkziEmTxp+x:vQmXDFBU2iIBb0xY/6sUYYRLDIP
Threatray	371 similar samples on MalwareBazaar
TLSH	T1ED95121039928433D1721938D8FB6A31197FBF601D359A0B7B9CBE7D7B7A1D22121B62
Reporter	abuse_ch
Tags:	BitRAT exe RAT

abuse_ch

BitRAT C2:
79.134.225.90:4898

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
79.134.225.90:4898	https://threatfox.abuse.ch/ioc/172158/

Intelligence

File Origin

# of uploads :

# of downloads :

150

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

A76DA3AB31BD142881D3CC05B3903DBA.exe

Verdict:

Malicious activity

Analysis date:

2021-08-11 23:29:07 UTC

Tags:

trojan bitrat rat

Link:

https://app.any.run/tasks/15b2e8da-7f09-49d7-84cc-fa5e378618bd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BitRAT

Link:

https://www.capesandbox.com/analysis/178412/

Detection(s):

PUA.Win.Packer.Upolyx-12

Win.Packed.Genkryptik-9869489-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a window

Setting a global event handler

Sending a UDP request

Setting a global event handler for the keyboard

Connection attempt to an infection source

Sending a TCP request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

BitRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/22a38ef4-eb6a-46c1-ac81-c7a0ea56dba0

Result

Threat name:

BitRAT

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/831305

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to inject code into remote processes

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected BitRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/84c32cb403361a5d8d8117cf941b89c6c819ac453a0e1f411eb5c2952cc35e7c/

Threat name:

Win32.Backdoor.ParalaxRat

Status:

Malicious

First seen:

2021-08-09 11:50:13 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qtbsznadgynf3dmbc7hzig4jy3ebtlcfhihb6qi6wxbjklgdlz6a._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata upx

Link:

https://tria.ge/reports/210811-rn6m32jkkj/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Loads dropped DLL

Executes dropped EXE

UPX packed file

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

Unpacked files

SH256 hash:

84a2f787d62fd39c331fe8862b214a4e202c81e10c7d76c1e48162f0f4bb9520

MD5 hash:

44f356b996a4e3e1a23433c8f6df1a03

SHA1 hash:

18eb2d2a389421b51e8bcba3c2ae319437e6a4e7

Link:

https://www.unpac.me/results/0595313b-ecf6-474a-8747-44337d47f9cc/

SH256 hash:

175fdacc1bf745a3fc9274648cb152b0c15127f1a4441ca0346b9bc66d4acff5

MD5 hash:

60ab706a84ebcef719682d1426e04474

SHA1 hash:

6911676b3324624935f5717a4243167d61c937d3

Link:

https://www.unpac.me/results/0595313b-ecf6-474a-8747-44337d47f9cc/

SH256 hash:

84c32cb403361a5d8d8117cf941b89c6c819ac453a0e1f411eb5c2952cc35e7c

MD5 hash:

a76da3ab31bd142881d3cc05b3903dba

SHA1 hash:

8b168865e07098254456c4bde49f0892e42ae2b1

Link:

https://www.unpac.me/results/0595313b-ecf6-474a-8747-44337d47f9cc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/84c32cb403361a5d8d8117cf941b89c6c819ac453a0e1f411eb5c2952cc35e7c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_BitRAT Create hunting rule
Author:	ditekSHen
Description:	Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/178412/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample