MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91bc7e071b37cdf14220e978ad547daf9015e3a7ca24d220c2255d114cd7da1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91bc7e071b37cdf14220e978ad547daf9015e3a7ca24d220c2255d114cd7da1b
SHA3-384 hash: f38dd95fbab3803b7fb73ddec62b3d8d75744738a65d06801d706158ae8bb05f14324b407857ee59402b0168667a945e
SHA1 hash: 116e39cbb69edf8e2ca85dbc31cd962bcdad1f30
MD5 hash: bf8f6b36e82b6d885966498c42654d27
humanhash: fillet-table-texas-washington
File name:91bc7e071b37cdf14220e978ad547daf9015e3a7ca24d.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'511'424 bytes
First seen:2022-08-10 11:15:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (225 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 24576:3ndRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkz2Ylttxp+J:XXDFBU2iIBb0xY/6sUYYRY1
TLSH T1FB6533E12A1FD73AF65BC83CB9771E13C839D262207B15457E6CC5BD60FE9A11884CA2
TrID 63.4% (.EXE) UPX compressed Win32 Executable (27066/9/6)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
4.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
45.137.22.189:7744

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.137.22.189:7744 https://threatfox.abuse.ch/ioc/842319/

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
bitrat
Create hunting rule
ID:
1
File name:
invoice.exe
Verdict:
Malicious activity
Analysis date:
2022-08-10 11:20:46 UTC
Tags:
opendir loader trojan bitrat rat
Link:
https://app.any.run/tasks/43ddfc03-9d1e-4854-85fe-80ec5b84a77a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/297602/
Detection(s):
Win.Malware.Mikey-9819889-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Setting a global event handler
Sending a custom TCP request
Setting a global event handler for the keyboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/62f393bc7a5eee504806943d/reports/c8ca5e8a-7cf1-418c-804b-eca275c9c511/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/73167763-dd6e-43f9-9a5c-9948fbf35ef8
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1049133
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91bc7e071b37cdf14220e978ad547daf9015e3a7ca24d220c2255d114cd7da1b/
Threat name:
Win32.Backdoor.ParalaxRat
Create hunting rule
Status:
Malicious
First seen:
2022-08-10 01:48:15 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sg6h4by3g7g7cqra5f4k2vd5v6ibly5hzisneigcevorctgx3inq._file
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan upx
Link:
https://tria.ge/reports/220810-nc5qvshefl/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
BitRAT
Malware Config
C2 Extraction:
eichelberger.duckdns.org:7744
Unpacked files
SH256 hash:
9543b47351f3bfdabb3624b8b6181df168421d4026886098bbb96f67d63100f8
MD5 hash:
22075e402ec70c203a85f27c746dd2c5
SHA1 hash:
e5c56485dae15a12fd229da71f5e7d053bc0fc5a
Detections:
win_bit_rat_auto
Create hunting rule
Link:
https://www.unpac.me/results/ad72db82-bb63-4f7e-a981-9573f4eec2cd/
SH256 hash:
91bc7e071b37cdf14220e978ad547daf9015e3a7ca24d220c2255d114cd7da1b
MD5 hash:
bf8f6b36e82b6d885966498c42654d27
SHA1 hash:
116e39cbb69edf8e2ca85dbc31cd962bcdad1f30
Link:
https://www.unpac.me/results/ad72db82-bb63-4f7e-a981-9573f4eec2cd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/91bc7e071b37/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/91bc7e071b37cdf14220e978ad547daf9015e3a7ca24d220c2255d114cd7da1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:bitrat_unpacked
Create hunting rule
Author:jeFF0Falltrades
Description:Experimental rule to detect unpacked BitRat payloads on disk or in memory, looking for a combination of strings and decryption/decoding patterns
Reference:https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:win_bit_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.bit_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe 91bc7e071b37cdf14220e978ad547daf9015e3a7ca24d220c2255d114cd7da1b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/297602/
  
URLhaus
https://urlhaus.abuse.ch/url/2271102/
  
Delivery method
Distributed via web download

Comments