MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8dca2819e4395eb497f4246dc808a5efb1cd805a70825bda636240facd8dd66c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8dca2819e4395eb497f4246dc808a5efb1cd805a70825bda636240facd8dd66c
SHA3-384 hash: dc7089e45caaeb6531a6752c4c58ec70f6b0344f3829df38784f74fd255ce2a2da22b275c8369a2e0893e1cdad83a3cb
SHA1 hash: a7987fab49ee81b9a86965bd6dbd14bc0140a27c
MD5 hash: f88c058646225de6e3cddc39ea0c9ff7
humanhash: failed-nuts-stream-failed
File name:f88c058646225de6e3cddc39ea0c9ff7
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'448'859 bytes
First seen:2021-10-25 18:05:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4688138aa56f51df0a1bf9af39c02fc8 (4 x Formbook, 2 x BitRAT, 1 x SpectreRAT)
ssdeep 24576:N/7Xota4g42SAQExHGz4yjERgvN00n6WoNrn:OfExHGz4yj+gvN00n6WoNrn
Threatray 3'948 similar samples on MalwareBazaar
TLSH T1EB653A03BFC63851D2822870061BE9747465182A141E9F5FFB6EFE1169B2B8395FC3DA
File icon (PE):PE icon
dhash icon 00bceece968eaeb2 (1 x BitRAT)
Reporter zbetcheckin
Tags:32 BitRAT exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://voltaire-overproduction-bordering.cc/v4/api_t.php https://threatfox.abuse.ch/ioc/237766/

Intelligence

File Origin
# of uploads :
1
# of downloads :
363
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Voltron
Create hunting rule
Link:
https://www.capesandbox.com/analysis/199985/
Detection(s):
SecuriteInfo.com.Trojan.VbCrypt.250.21935.30269.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm overlay packed
Link:
https://www.filescan.io/uploads/6176f20ddb358dd15ed9fbf0/reports/02c693f2-beec-4f4a-bfe0-fdf5448fbf7e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Spectre
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/05572822-1568-41e1-a7c0-a61e947b8279
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/876516
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 508949 Sample: zOn6g6DP8U Startdate: 25/10/2021 Architecture: WINDOWS Score: 96 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 Yara detected BitRAT 2->72 74 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->74 8 zOn6g6DP8U.exe 2->8         started        process3 signatures4 76 Detected unpacking (changes PE section rights) 8->76 78 Detected unpacking (overwrites its own PE header) 8->78 11 zOn6g6DP8U.exe 28 8->11         started        process5 dnsIp6 62 voltaire-overproduction-bordering.cc 45.9.150.80, 49750, 49755, 80 NICEITNL Netherlands 11->62 44 C:\Users\user\AppData\...\svbservices.exe, PE32 11->44 dropped 46 C:\Users\user\AppData\Roaming\...\unzip.exe, PE32 11->46 dropped 48 C:\Users\user\AppData\Local\...\unzip[1].exe, PE32 11->48 dropped 50 C:\Users\user\AppData\...\svbservices[1].exe, PE32 11->50 dropped 82 Tries to harvest and steal browser information (history, passwords, etc) 11->82 84 Installs a global keyboard hook 11->84 16 svbservices.exe 11->16         started        19 cmd.exe 1 11->19         started        21 cmd.exe 2 11->21         started        23 2 other processes 11->23 file7 signatures8 process9 signatures10 64 Detected unpacking (changes PE section rights) 16->64 66 Detected unpacking (overwrites its own PE header) 16->66 25 svbservices.exe 1 16->25         started        29 unzip.exe 13 19->29         started        32 conhost.exe 19->32         started        34 PsInfo64.exe 1 1 21->34         started        36 conhost.exe 21->36         started        38 7za.exe 502 23->38         started        40 conhost.exe 23->40         started        42 conhost.exe 23->42         started        process11 dnsIp12 60 34.121.150.14 GOOGLEUS United States 25->60 80 Hides threads from debuggers 25->80 52 C:\Users\user\AppData\...\vcruntime140.dll, PE32 29->52 dropped 54 C:\Users\user\AppData\Roaming\...\sqlite3.dll, PE32 29->54 dropped 56 C:\Users\user\AppData\...\softokn3.dll, PE32 29->56 dropped 58 9 other files (none is malicious) 29->58 dropped file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8dca2819e4395eb497f4246dc808a5efb1cd805a70825bda636240facd8dd66c/
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2021-10-25 18:06:06 UTC
AV detection:
16 of 43 (37.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rxfcqgpehfpljf7uerw4qcff56y43ac2ocbfxwtdmjapvtmn2zwa._file
Verdict:
malicious
Similar samples:
0eaeab189b978e9babdb4324c22d4bb708e3b33c0016f52e37aa66efae4a310e
BitRAT
503041104422bfb5194b6e599f77e984c3ded0d00dcedc69e4e8ab5e9c024b4a
BitRAT
584c144d09b76173e49dcdf517526d26ef26959e447734612343d03d25145f5e
BitRAT
7184ecf9db3c6c15ab1b97ebe8b9124c9eb5b4f9f63e9da59f6b8c63d2ff5aef
BitRAT
b4f128cdd69eb21d1de98b00303e01258993fe7fba7467aa8ab642df03ffd890
BitRAT
c3e53e28198dfe92caa7b46355f543dd18c0353ef42f2e28862682a79e863735
BitRAT
e139a350242af220a379940c1a667891161ff92bdcdbb5acd024076a27ddbf56
BitRAT
+ 3'938 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware stealer suricata
Link:
https://tria.ge/reports/211025-wpq28shdck/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
suricata: ET MALWARE Win32/Voltron/Spectre Stealer Checkin Activity (GET)
suricata: ET MALWARE Win32/Voltron/Spectre Stealer CnC Activity (POST)
suricata: ET MALWARE Win32/Voltron/Spectre Stealer Download Activity (GET)
suricata: ET MALWARE Win32/Voltron/Spectre Stealer Sending OS Information (POST)
Unpacked files
SH256 hash:
eb3868f0f69b075c6de41ee46cade729c9d339f539c82b1c4292d57791032e89
MD5 hash:
898a809074f64bbf17084490c15dd31c
SHA1 hash:
99a00cbee31434662261c5af9c998da3edb3cc79
Link:
https://www.unpac.me/results/e1bdbd7c-32c2-4f8f-a2ac-63a003200f99/
SH256 hash:
8dca2819e4395eb497f4246dc808a5efb1cd805a70825bda636240facd8dd66c
MD5 hash:
f88c058646225de6e3cddc39ea0c9ff7
SHA1 hash:
a7987fab49ee81b9a86965bd6dbd14bc0140a27c
Link:
https://www.unpac.me/results/e1bdbd7c-32c2-4f8f-a2ac-63a003200f99/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8dca2819e439/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8dca2819e4395eb497f4246dc808a5efb1cd805a70825bda636240facd8dd66c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 8dca2819e4395eb497f4246dc808a5efb1cd805a70825bda636240facd8dd66c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/199985/
  
URLhaus
https://urlhaus.abuse.ch/url/1713355/

Comments


Avatar
zbet commented on 2021-10-25 18:05:09 UTC

url : hxxp://37.221.64.37/files/dwm.exe