MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 902db07687a97742aa5aee6a87347a01d451939de8f022420438c73e86f96ad1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 902db07687a97742aa5aee6a87347a01d451939de8f022420438c73e86f96ad1
SHA3-384 hash: 6da62dd7afa9d964d9ec8b58dd8d60efa96d64ee79cd9bd95e90dd9c4f9fec0d9d68651a90fc82ac15024630c4c81c40
SHA1 hash: 75934147c72f8f3ff4db06607b153689fd76f90b
MD5 hash: ee321094b8da5433e4006e9630c7db9e
humanhash: hydrogen-romeo-whiskey-alabama
File name:ee321094b8da5433e4006e9630c7db9e.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:8'177'152 bytes
First seen:2022-07-22 20:13:58 UTC
Last seen:2022-07-23 06:38:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2b817dc1b1849c6a436f0647be7673e0 (15 x BitRAT)
ssdeep 196608:LIRcbH4jSteTGvgxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOfA:LdHsfugxwZ6v1CPwDv3uFteg2EeJUO9E
Threatray 714 similar samples on MalwareBazaar
TLSH T16286D011B5958C6BD5565238CAEFB33B223CF6600B23C7C367506A394E73AC13E66B16
TrID 72.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
9.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
6.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter abuse_ch
Tags:BitRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
380
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293480/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

Win.Malware.Mikey-9819889-0
Create hunting rule

Win.Dropper.BitRAT-9908151-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Moving a recently created file
Setting a global event handler
Sending a custom TCP request
Delayed writing of the file
Setting a global event handler for the keyboard
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27072/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm anti-vm greyware packed rat spyeye
Link:
https://www.filescan.io/uploads/62db051f8fbcdde360676805/reports/0a273d4b-c92d-4764-8592-a8164eaa8822/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BitRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8ebb8443-772b-4cb4-b834-74c0892eafa2
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1039454
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/902db07687a97742aa5aee6a87347a01d451939de8f022420438c73e86f96ad1/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2022-07-22 20:15:33 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
24 of 39 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=saw3a5uhvf3ufks25zviond2ahkfde455dyceqqehddt5bxznliq._file
Verdict:
malicious
Similar samples:
36b93ea2fe4b15383747d65a7b8b030b8e0416f3bb8ce8f9afb8af983846be87
BitRAT
5548b857ac6b402388302ea82b0fda3ad06783a217b91e731559736bd5734685
BitRAT
5667180956271f2f540ecaa2cc350ac3c51b5468315c8e6e5f94fa4dca91cb4f
BitRAT
7faef4d80d1100c3a233548473d4dd7d5bb570dd83e8d6e5faff509d6726baf2
BitRAT
895be5d5816339f3f7100cfa36463d9652048babe690920fc195e4a39d7ab6c5
BitRAT
93ac463d55f59133067b2b6d985a077b45924421db0293da03cf15ac2a933b92
BitRAT
9de62b6a25946e88979452c0d81b0d91e3d8e6427e9c25f11890c2aa1fe05f01
BitRAT
b2cda7b8c8214e29b01cc8915de2535db62546e158f7f29b4f5cfa292b66b9a8
BitRAT
c829aa312e2ea1c043566e26517b2bf90e9c12ed68e9d7d24577ebc13f2cf3b1
BitRAT
+ 704 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat upx
Link:
https://tria.ge/reports/220722-yzzs8shgal/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Looks up external IP address via web service
Uses Tor communications
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Malware Config
C2 Extraction:
tcki6mrrcnrt33qy52viv7m64y6hepkv646nnzglrkbgytyt6b2hdrid.onion:80
Unpacked files
SH256 hash:
bf17144d079649dcf2f770f4527ddb27dab66a51a77d5725d5fb358c847fa88a
MD5 hash:
bbcb4489c483ca0ac14336cda6f941b3
SHA1 hash:
3b5bc6b21f5dce2d6c400b7f5793b909ee771d66
Link:
https://www.unpac.me/results/d70b0e00-7dbf-4f93-adf5-dc419ba74cee/
SH256 hash:
902db07687a97742aa5aee6a87347a01d451939de8f022420438c73e86f96ad1
MD5 hash:
ee321094b8da5433e4006e9630c7db9e
SHA1 hash:
75934147c72f8f3ff4db06607b153689fd76f90b
Detections:
win_bit_rat_auto
Create hunting rule
Link:
https://www.unpac.me/results/d70b0e00-7dbf-4f93-adf5-dc419ba74cee/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/902db07687a97742aa5aee6a87347a01d451939de8f022420438c73e86f96ad1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:bitrat_unpacked
Create hunting rule
Author:jeFF0Falltrades
Description:Experimental rule to detect unpacked BitRat payloads on disk or in memory, looking for a combination of strings and decryption/decoding patterns
Reference:https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:win_bit_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.bit_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 902db07687a97742aa5aee6a87347a01d451939de8f022420438c73e86f96ad1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2260250/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/293480/

Comments