MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87fbd9577039b209cd0ce825d1c79aad0def611625b737fa3abe70802da4d6f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87fbd9577039b209cd0ce825d1c79aad0def611625b737fa3abe70802da4d6f4
SHA3-384 hash: 0219330464c7e321e06ccc36d758b176d368a2f72c3608ca809e04153c6f517f9310961cbc8ace23934c7e9febf2c84d
SHA1 hash: d77bf018b1fa76215f2ca680e4cf25ad034eb271
MD5 hash: 04436c72506d84210a597c57880dbe3e
humanhash: ack-crazy-skylark-three
File name:04436C72506D84210A597C57880DBE3E.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'511'424 bytes
First seen:2021-07-24 14:30:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (239 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 24576:wndRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkzommfL1fyWsiw:yXDFBU2iIBb0xY/6sUYY+wpI
Threatray 310 similar samples on MalwareBazaar
TLSH T1A56533E15B6AE77AFA9BCC3C75A70D02CD78C262656B44113F6CC5BE70BF9521844C22
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
80.209.229.141:4898

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
80.209.229.141:4898 https://threatfox.abuse.ch/ioc/162763/

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
04436C72506D84210A597C57880DBE3E.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-24 14:32:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/66115b4d-8e54-46db-852b-11454d962744

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173891/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Win.Malware.Mikey-9819889-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BitRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd7d4d22-7595-46c2-9171-2f576c3c4b91
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/821227
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Bypass UAC via Fodhelper.exe
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 453638 Sample: vMAjf3xZSp.exe Startdate: 24/07/2021 Architecture: WINDOWS Score: 92 50 Antivirus / Scanner detection for submitted sample 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Machine Learning detection for sample 2->54 56 Sigma detected: Bypass UAC via Fodhelper.exe 2->56 10 vMAjf3xZSp.exe 3 1 2->10         started        process3 dnsIp4 46 80.209.229.141, 4898, 49723, 49731 RACKRAYUABRakrejusLT Lithuania 10->46 62 Uses cmd line tools excessively to alter registry or file data 10->62 64 Contains functionality to inject code into remote processes 10->64 66 Uses schtasks.exe or at.exe to add and modify task schedules 10->66 68 2 other signatures 10->68 14 fodhelper.exe 12 10->14         started        signatures5 process6 process7 16 vMAjf3xZSp.exe 14->16         started        signatures8 48 Uses cmd line tools excessively to alter registry or file data 16->48 19 reg.exe 1 1 16->19         started        22 reg.exe 1 1 16->22         started        24 reg.exe 1 1 16->24         started        26 30 other processes 16->26 process9 signatures10 58 Disables Windows Defender (deletes autostart) 19->58 28 conhost.exe 19->28         started        60 Disable Windows Defender real time protection (registry) 22->60 30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        36 conhost.exe 26->36         started        38 conhost.exe 26->38         started        40 24 other processes 26->40 process11 process12 42 conhost.exe 32->42         started        44 conhost.exe 34->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87fbd9577039b209cd0ce825d1c79aad0def611625b737fa3abe70802da4d6f4/
Threat name:
Win32.Backdoor.ParalaxRat
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 04:43:13 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
31 of 46 (67.39%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q755sv3qhgzattim5as5dr42vug66yiwew3tp6r2xzyialne232a._file
Verdict:
malicious
Similar samples:
259c654cdd235de9942f23bc7465252d50f2edf6e0b2dc320658fc00bc054ac4
BitRAT
3d63c22ce814418819c6a1783e542bd75a23ca4321f49208391f18dd781b27e7
BitRAT
4a820b04406f4c710b08b1675a7ffa778c806285dd115404fb415a8096baadda
BitRAT
52dbaf7435516b388d60abebda89615a4c2286a663de889a15b45be3b71b0def
BitRAT
60b1e21007ef93c3ac0bb8fcb0d063f2429aae47b4715d0324096887aeb165f8
BitRAT
8c584a322deb7e0731b90ae30dbdfe4821d13ad8ae7ade8fffd28ebbf0ca2504
BitRAT
befaecfa9c1207b951dcf8e72b803cb32d237f16d9e49df1c6c29fcf690b4ec3
BitRAT
f69b86e22b03881dc837afc9a2c0d4f6555e1e9eb19f7c826b3eb695feaa76bb
BitRAT
+ 300 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan upx
Link:
https://tria.ge/reports/210724-4cqz9n5m8x/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates connected drives
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
3dc477c663c3dd49496a4fcf7f0448b372d854e12c64067e5f289a1b5063d020
MD5 hash:
1e72db56197eb1a502a0af1f0648d1bf
SHA1 hash:
7f8f1108dd48724d0026c748e1a0958e449573fa
Link:
https://www.unpac.me/results/108e0e84-12b8-46af-9e60-d9f6f7efd7a8/
SH256 hash:
87fbd9577039b209cd0ce825d1c79aad0def611625b737fa3abe70802da4d6f4
MD5 hash:
04436c72506d84210a597c57880dbe3e
SHA1 hash:
d77bf018b1fa76215f2ca680e4cf25ad034eb271
Link:
https://www.unpac.me/results/108e0e84-12b8-46af-9e60-d9f6f7efd7a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.89
Link:
https://yomi.yoroi.company/submissions/87fbd9577039b209cd0ce825d1c79aad0def611625b737fa3abe70802da4d6f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173891/

Comments