MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c584a322deb7e0731b90ae30dbdfe4821d13ad8ae7ade8fffd28ebbf0ca2504. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c584a322deb7e0731b90ae30dbdfe4821d13ad8ae7ade8fffd28ebbf0ca2504
SHA3-384 hash: 4f734ca46bf4ec692b803d7d9b8205f30c0e0580daf92813d9b031918c4bddf8e69e94ac45e43a5482f22996bd08a206
SHA1 hash: 20526abdf9cf80cae80a82e5fc715d5322da4eb1
MD5 hash: 159756a1c855579a9446282137a82e9f
humanhash: beer-island-nebraska-alaska
File name:159756A1C855579A9446282137A82E9F.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'782'784 bytes
First seen:2021-07-13 18:55:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:wZEHdgktpvWcpjRlJslcCHiNmWW0tY+pAN1umAu:wZgTtBLpl6cpNjk++1ul
Threatray 278 similar samples on MalwareBazaar
TLSH T19E8523012145D583E9D2CAB6D55606F600A48C27EF52C93B7C9E3EB273FFBA54E92831
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
134.255.30.252:11115

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
134.255.30.252:11115 https://threatfox.abuse.ch/ioc/160133/

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
159756A1C855579A9446282137A82E9F.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-13 18:59:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/69ef45af-1fc7-4759-82a5-4fcae237cc4a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171500/
Detection(s):
Win.Trojan.Generic-9878081-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/74f59353-dd61-4148-a814-607334155517
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/815846
Signature
Creates an undocumented autostart registry key
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c584a322deb7e0731b90ae30dbdfe4821d13ad8ae7ade8fffd28ebbf0ca2504/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-07-10 22:57:47 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rrmeumrn5n7aomnzblrq3pp6jaq5cowyvz5n5d772khlx4gkeuca._file
Verdict:
malicious
Similar samples:
3d63c22ce814418819c6a1783e542bd75a23ca4321f49208391f18dd781b27e7
BitRAT
4a820b04406f4c710b08b1675a7ffa778c806285dd115404fb415a8096baadda
BitRAT
52dbaf7435516b388d60abebda89615a4c2286a663de889a15b45be3b71b0def
BitRAT
60b1e21007ef93c3ac0bb8fcb0d063f2429aae47b4715d0324096887aeb165f8
BitRAT
9438c974f3cdefd5a097e55bde4734a2db9438be7c8012fa455d4d8bceb537ca
BitRAT
befaecfa9c1207b951dcf8e72b803cb32d237f16d9e49df1c6c29fcf690b4ec3
BitRAT
d2b6ad926987074e93a769eaf34598a4df8bbb839208c57d4fc1516f9ed1eaa6
BitRAT
+ 268 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan upx
Link:
https://tria.ge/reports/210713-cceq6kvpza/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
BitRAT
BitRAT Payload
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
5cfcadc0271e7ba22fd388c202e6fc5a5239a5bce7e9a1147f4c3cc89a70ded4
MD5 hash:
96241933d524500180808c08e29eefe9
SHA1 hash:
8f90d04f6ba9dee01e2a7895c961e9f25a1ef171
Link:
https://www.unpac.me/results/fa7506c0-e474-4d8f-91a2-78e4e30c3099/
SH256 hash:
007992391a5a75f9a530c0ad2d6cf65b8d415701f50e5a24dbcddb22cdebbe68
MD5 hash:
7e2fcb71bac577b2bb753e78b1421da2
SHA1 hash:
5372ba96d7bef6ab9db88e427f1a3ce88eed3736
Link:
https://www.unpac.me/results/fa7506c0-e474-4d8f-91a2-78e4e30c3099/
SH256 hash:
19929d9ee88c2920dce3a9af91c8861889e745882a705aa66715574dc43cce1a
MD5 hash:
db9ae96a15e54af5d399e66f3ae5b2dc
SHA1 hash:
1398c9c1074e984a08b09fe718d176926b1ddfca
Link:
https://www.unpac.me/results/fa7506c0-e474-4d8f-91a2-78e4e30c3099/
SH256 hash:
8c584a322deb7e0731b90ae30dbdfe4821d13ad8ae7ade8fffd28ebbf0ca2504
MD5 hash:
159756a1c855579a9446282137a82e9f
SHA1 hash:
20526abdf9cf80cae80a82e5fc715d5322da4eb1
Link:
https://www.unpac.me/results/fa7506c0-e474-4d8f-91a2-78e4e30c3099/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c584a322deb7e0731b90ae30dbdfe4821d13ad8ae7ade8fffd28ebbf0ca2504

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171500/

Comments