MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e09a7c18a858ec70aaa9c69788e8b9e7dffa134cf3bb868c28229e7bf4b9e9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	8e09a7c18a858ec70aaa9c69788e8b9e7dffa134cf3bb868c28229e7bf4b9e9e
SHA3-384 hash:	b2d64bd73011ca1b16e77c0d5c354c3ab089b5e7c8fba1f0f41e732bf95e7494d02caaa95efba8790a772564def0eeef
SHA1 hash:	33a097621828dfc287753aa33d954ef755978c3d
MD5 hash:	d7ad4cf42e2f520b0ef1ef910eb9186b
humanhash:	oregon-queen-diet-lion
File name:	8e09a7c18a858ec70aaa9c69788e8b9e7dffa134cf3bb868c28229e7bf4b9e9e
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	4'221'440 bytes
First seen:	2021-08-06 07:17:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	71955ccbbcbb24efa9f89785e7cce225 (57 x BitRAT)
ssdeep	49152:HXUIEeZzdeh/c7p1rNdd+JNEj0ykdj21x1YhFlX4bA/Hg/11VzeLG/7wqNKB2VIg:HXrEeZzdhjuV/gd1VzsGUqNKTHvQeeJ
Threatray	353 similar samples on MalwareBazaar
TLSH	T1A616CF02FA41C562D2670130EA6E77BA017CF5F14B3085C3B3946A6859B66D17A3BF3B
Reporter	JAMESWT_WT
Tags:	185.157.162.100 BitRAT exe express-gus52.duckdns.org

Intelligence

File Origin

# of uploads :

# of downloads :

150

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

8e09a7c18a858ec70aaa9c69788e8b9e7dffa134cf3bb868c28229e7bf4b9e9e

Verdict:

Malicious activity

Analysis date:

2021-08-06 07:19:47 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f9c6ef78-dbb6-4184-a17d-0df7dc9bd1cd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BitRAT

Link:

https://www.capesandbox.com/analysis/176925/

Detection(s):

PUA.Win.Packer.Upolyx-12

Win.Malware.Mikey-9819889-0

ditekSHen.MALWARE.Win.Trojan.BitRAT.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Replacing executable files

Sending a UDP request

Creating a window

Setting a global event handler

Moving of the original file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Setting a global event handler for the keyboard

Deleting of the original file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

BitRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6d711eb3-0de0-4bfd-a9a8-01a9b3bb6f92

Result

Threat name:

BitRAT Xmrig

Detection:

malicious

Classification:

troj.evad.mine

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/828154

Signature

Antivirus / Scanner detection for submitted sample

Creates files in alternative data streams (ADS)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected BitRAT

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8e09a7c18a858ec70aaa9c69788e8b9e7dffa134cf3bb868c28229e7bf4b9e9e/

Threat name:

Win32.Backdoor.ParalaxRat

Status:

Malicious

First seen:

2021-05-22 00:05:44 UTC

File Type:

PE (Exe)

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rye2pqmkqwhmocvktruxrdultz677ijuz453q2gcqiu6pp2lt2pa._file

Verdict:

malicious

BitRAT

317b32811ef46a4dec52e650315c82b5a5f867f49e5844bb11ed4e1f5281e6d9

BitRAT

417b25bebecf3656ce6da37ed282b5f8c5a092a50097b77a84a312af7ab901e1

BitRAT

62f52a24585647cf00de8fb6fb58bca17c3290b8c3ec2f86e4f22e488caa488a

BitRAT

8458809792ef932a851fd186808634fc27074d692cf851cdaf8f1f6a6cb98f0b

BitRAT

be0dc158152fc2de2e3552779884f45e7ac9cb1a62456d23d0a6ee78e357c757

BitRAT

bf75b72b9457bce40981ecf5bd09b8ef3416d0bc3169ee72f40e5a70a024d811

BitRAT

c3ddf55e53888193522a7b619370b746cb0a79502c5157a98754a9009f644a11

BitRAT

e4fae47c8647fc72fb1bbcadc0df6814c22298b3040938f81cbe0b83fec8b8b3

BitRAT

+ 343 additional samples on MalwareBazaar

Result

Malware family:

bitrat

Score:

10/10

Tags:

family:bitrat persistence upx

Link:

https://tria.ge/reports/210806-851nq1h97n/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

Unpacked files

SH256 hash:

8e09a7c18a858ec70aaa9c69788e8b9e7dffa134cf3bb868c28229e7bf4b9e9e

MD5 hash:

d7ad4cf42e2f520b0ef1ef910eb9186b

SHA1 hash:

33a097621828dfc287753aa33d954ef755978c3d

Link:

https://www.unpac.me/results/48f40a15-5f7e-41c3-8fdc-6a5299bd9e2d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8e09a7c18a858ec70aaa9c69788e8b9e7dffa134cf3bb868c28229e7bf4b9e9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_BitRAT Create hunting rule
Author:	ditekSHen
Description:	Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/176925/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample