MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85ba34242c6c231c5cad5de3996e443148da47505a9fd3a6f41af32fcfc22652. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85ba34242c6c231c5cad5de3996e443148da47505a9fd3a6f41af32fcfc22652
SHA3-384 hash: 15110acd593b2d676e8e36559fdfd2515e72d4f383956dcb80d0cf4a1454bb99aa90c51de54b6efebe2925036b4b7585
SHA1 hash: df0bba081e2fcd8b45bcf206632823a8da273a1c
MD5 hash: d28580366ee2bb9ae81eaa67f7482182
humanhash: friend-sodium-double-football
File name:Booking Confirmation 645476578686879 -copy- PDF.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'586'624 bytes
First seen:2021-06-01 09:13:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:QWHp7bBGRPpaif65XFH6hLufnSAq58PUYY0D:QWJ7bBGRP0SYFHILq5q0
Threatray 80 similar samples on MalwareBazaar
TLSH 71C5F0B2B3545217C1A91A3BB711B51066A3FCFE61F9A309E71E72B6FCBE7029410253
Reporter TeamDreier
Tags:BitRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Booking Confirmation 645476578686879 -copy- PDF.exe
Verdict:
No threats detected
Analysis date:
2021-06-01 09:14:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3c7cfe58-b1ea-43a9-9a05-4b8665aa8886

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163760/
Detection(s):
Win.Packed.Seraph-9864880-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/795151
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 427547 Sample: Booking Confirmation 645476... Startdate: 01/06/2021 Architecture: WINDOWS Score: 100 39 spotlesbitrt26052021.awsmppl.com 2->39 41 Multi AV Scanner detection for dropped file 2->41 43 Yara detected BitRAT 2->43 45 Yara detected Xmrig cryptocurrency miner 2->45 47 9 other signatures 2->47 9 Booking Confirmation 645476578686879 -copy- PDF.exe 3 10 2->9         started        signatures3 process4 file5 27 C:\Users\user\AppData\...\chrome.net.exe, PE32 9->27 dropped 29 Booking Confirmati...6879 -copy- PDF.exe, PE32 9->29 dropped 31 C:\Users\...\chrome.net.exe:Zone.Identifier, ASCII 9->31 dropped 33 3 other malicious files 9->33 dropped 49 Creates an undocumented autostart registry key 9->49 51 Writes to foreign memory regions 9->51 53 Allocates memory in foreign processes 9->53 55 Injects a PE file into a foreign processes 9->55 13 wscript.exe 1 9->13         started        16 Booking Confirmation 645476578686879 -copy- PDF.exe 1 9->16         started        19 Booking Confirmation 645476578686879 -copy- PDF.exe 9->19         started        21 2 other processes 9->21 signatures6 process7 dnsIp8 57 Wscript starts Powershell (via cmd or directly) 13->57 59 Adds a directory exclusion to Windows Defender 13->59 23 powershell.exe 24 13->23         started        35 spotlesbitrt26052021.awsmppl.com 79.137.109.121, 49722, 49723, 49724 OVHFR France 16->35 37 192.168.2.1 unknown unknown 16->37 61 Hides threads from debuggers 16->61 signatures9 process10 process11 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85ba34242c6c231c5cad5de3996e443148da47505a9fd3a6f41af32fcfc22652/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-06-01 09:14:10 UTC
AV detection:
4 of 44 (9.09%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qw5dijbmnqrryxfnlxrzs3segfenur2qlkp5hjxudlzs7t6cezja._file
Verdict:
unknown
Similar samples:
19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
BitRAT
5391a6ed1fe458685e02c04cad045a5148d4f01e4d45b9dd70927c46b5e6420f
BitRAT
588692919a751e9852cf32e0b1da42c347f2ff99a2afd2378c6a7573d7a532fc
BitRAT
62dfec4ae1b54d763d3ae01d9a0458c6ebf2e35f898bcaebac5e10d5ff477c7c
BitRAT
751b3fa113056b20cd9b3c6a2f2c06d0b8fa0ecd23696feb27adeb0f53d73b36
BitRAT
b4b15f7787006e9757865b66a747135ac7452d8bafbbad777fd9491742eba06a
BitRAT
c52477b06f41b4e78b419e5843c6e14545e7add486185373a66c8de3865f44c0
BitRAT
cf8994976d58b8778246f5c5908ec64a0fdfebfe2bd80ecaa96ed27baf9d1ed2
BitRAT
e4a364bc4301da3e0a1280d627bb19810e94828e4d2c44b477a9cd576039c664
BitRAT
f27c6d23143bb1c0ea77515c806ee7d75889c31262c7c26a5868989fef41e466
BitRAT
+ 70 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan
Link:
https://tria.ge/reports/210601-5vjc1shybj/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
BitRAT
BitRAT Payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85ba34242c6c231c5cad5de3996e443148da47505a9fd3a6f41af32fcfc22652

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/163760/

Comments