MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e3c9001f9377d8c55aabd93e84e71e5b0eaa73bf783e880ef70476b442348b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BitRAT


Vendor detections: 7



SHA256 hash: 8e3c9001f9377d8c55aabd93e84e71e5b0eaa73bf783e880ef70476b442348b7
SHA3-384 hash: 3a818b6db0f97238bbd0e89f792657cc7c7f121e92dada6256ea709ec69c6ac647f26067dc0a305dad6cc3808a380d90
SHA1 hash: 34767b07934098788f11026855a8d0bc1abf3e73
MD5 hash: c50bc2313eaa275d4293293d83705751
humanhash: burger-twenty-ten-comet
File name: c50bc2313eaa275d4293293d83705751.exe
Download: download sample
Signature: BitRAT
File size: 84'992 bytes
First seen: 2021-06-20 09:35:55 UTC
Last seen: 2021-06-20 10:34:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 1536:rx6RLzqfcr+W9yrotsXFRxzuLb0Fu7OtUBm2tAEgeOZD:rx4r+laig7OtU42rXGD
Threatray: 179 similar samples on MalwareBazaar
TLSH: 2A838C01B2A96B6AD7B827FB2474512167F2709F68A1F31C4EC660EA6F73F014681F17
Reporter: abuse_ch
Tags: BitRAT exe RAT


abuse_ch
BitRAT C2:
217.64.151.123:65431

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
217.64.151.123:65431    https://threatfox.abuse.ch/ioc/137599/

Intelligence


File Origin
# of uploads:
2
# of downloads:
224
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c50bc2313eaa275d4293293d83705751.exe
Verdict:
Malicious activity
Analysis date:
2021-06-20 09:39:29 UTC
Tags:
opendir trojan bitrat rat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Detection:
malicious
Classification:
troj.adwa.evad.mine
Score:
100 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [behavior graph image; Behavior Graph ID 437312, sample U2Wuzm8Azc.exe, start date 20/06/2021, architecture WINDOWS, score 100. The graph's nodes show the sample spawning cmd.exe, powershell.exe, wscript.exe, conhost.exe and timeout.exe, dropping a copy of itself (with a Zone.Identifier stream) to the startup folder, injecting a PE file into a foreign process, hiding threads from debuggers, and contacting 23.95.122.31 (AS-COLOCROSSING, US) and mondaysthurs.xyz / 217.64.151.123 (Obenetwork Europe, SE).]
Threat name:
ByteCode-MSIL.Packed.Generic
Status:
Suspicious
First seen:
2021-06-09 01:39:23 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
1/5
Result
Malware family:
n/a
Score:
10/10
Tags:
family:bitrat trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops startup file
BitRAT
BitRAT Payload
Unpacked files
SHA256 hash:
8e3c9001f9377d8c55aabd93e84e71e5b0eaa73bf783e880ef70476b442348b7
MD5 hash:
c50bc2313eaa275d4293293d83705751
SHA1 hash:
34767b07934098788f11026855a8d0bc1abf3e73
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_BitRAT
Author: ditekSHen
Description: Detects BitRAT RAT
Rule name: pe_imphash
Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments