MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92b0b62b54de5df1078d0172524f4d4f891c947dd16551c97b1e7ec609901150. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92b0b62b54de5df1078d0172524f4d4f891c947dd16551c97b1e7ec609901150
SHA3-384 hash: 524b04d41790cb21cba431713c68ac9ceecbdd73661563b81dc18fbb6e4a594492ea44b6990ca5e493fa515ef21ea55d
SHA1 hash: 3daa4925cacf7f7a4bec67fe2f2ca138dbb67105
MD5 hash: 2f16da6c5771c26ea00d0a79eea2bfe9
humanhash: network-undress-friend-angel
File name:3daa4925cacf7f7a4bec67fe2f2ca138dbb67105.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:3'286'528 bytes
First seen:2021-09-04 19:35:43 UTC
Last seen:2021-09-04 21:25:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:qRfLDUVfevKddzoSlg4ICJyuwHSl0AOBaxv7uv73sEC/1TNMTyh:OXUVGSjlmCJytHM0Agovk0tpMuh
Threatray 549 similar samples on MalwareBazaar
TLSH T120E5CE7F19BDA2279175C6F58BE38827F0008B6F3110696476D347264322A7AB5F336E
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
84.38.129.115:43147

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
84.38.129.115:43147 https://threatfox.abuse.ch/ioc/215794/

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO20213108.xlsx
Verdict:
Malicious activity
Analysis date:
2021-08-31 06:40:43 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/f23685e4-5420-4fdc-a3a6-ec460fff83be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185346/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader41.53008.18041.19095.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Setting a global event handler
Connection attempt
Sending a custom TCP request
Setting a global event handler for the keyboard
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5703c81d-423f-4a05-a855-3b2b99ff51d4
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845347
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 477778 Sample: xQfw60Goxy.exe Startdate: 04/09/2021 Architecture: WINDOWS Score: 100 23 0b1n4.duckdns.org 2->23 31 Found malware configuration 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected BitRAT 2->35 37 6 other signatures 2->37 7 xQfw60Goxy.exe 3 2->7         started        signatures3 process4 file5 21 C:\Users\user\AppData\...\xQfw60Goxy.exe.log, ASCII 7->21 dropped 39 Injects a PE file into a foreign processes 7->39 11 xQfw60Goxy.exe 1 7->11         started        15 xQfw60Goxy.exe 7->15         started        17 xQfw60Goxy.exe 7->17         started        19 xQfw60Goxy.exe 7->19         started        signatures6 process7 dnsIp8 25 0b1n4.duckdns.org 84.38.129.115, 43147, 49735, 49736 DATACLUB-NL Latvia 11->25 27 192.168.2.1 unknown unknown 11->27 29 192.168.2.3 unknown unknown 11->29 41 Hides threads from debuggers 11->41 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92b0b62b54de5df1078d0172524f4d4f891c947dd16551c97b1e7ec609901150/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-31 08:13:39 UTC
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=skylmk2u3zo7cb4nafzfet2nj6erzfd52fsvdsl3dz7mmcmqcfia._file
Verdict:
malicious
Similar samples:
1b4d3e69b4e2e533522d48f27a0137e34b92b01e36d348c12f0df4371ed7d573
BitRAT
4bddc1b65b7a24af3d24bddcd3722811775f3f98a65fbc433c762e1615af28c1
BitRAT
80a5971229dd01d3b78272dae553361c8f9d875b8e274ddbd00753c0e50dd65e
BitRAT
8c415f3280483beadb4a6a4639221da3a1a16cc2bd74b6fd484a17ed4b83775e
BitRAT
b196d74012b2af1b9e67fc11dd4b85d3010bc7ef892c7232fa9228bb0d38972c
BitRAT
c69aa221ec1df4acc67aac0fd7a1e7dcefa181f496b21839576343fd7fa8fb8d
BitRAT
c85ab5bd7344f3677a769235b13aa14bd7b0d93a61684266abf6596243f9728d
BitRAT
d6b99294abd7ed56399d7670f2f5c5d7dbad4a13f8dcb02997d36799925e3209
BitRAT
e71703a89fb65868f5daf7517bdd13d16ad09fc7f9a7b3bf4a65fa67844c4b1b
BitRAT
fab0db0c780f0c6699b1acd564580dded6fb1857c61093d732da3bde480cd655
BitRAT
+ 539 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan
Link:
https://tria.ge/reports/210904-ya81lsedg3/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/fbaad427-a42d-46ee-a966-5862eed40179/
SH256 hash:
c12780d3a89b3bb461a7930e689f0086de71a0fde6784f759bab67643df28f6d
MD5 hash:
cff1a5392a08b793a1f9bcc20e0a2ed7
SHA1 hash:
e2a9f5999d6456a4f4c32781f3ee124129e48aa8
Link:
https://www.unpac.me/results/fbaad427-a42d-46ee-a966-5862eed40179/
SH256 hash:
dc7fd1246e107727488c8b36e5e5f3faa89af0c5aff8f7d760f9974e8443b686
MD5 hash:
7323735b1a35c994f715e59174f5db64
SHA1 hash:
2cbe6ea6b293e7d2427231580064102666e69648
Link:
https://www.unpac.me/results/fbaad427-a42d-46ee-a966-5862eed40179/
SH256 hash:
92b0b62b54de5df1078d0172524f4d4f891c947dd16551c97b1e7ec609901150
MD5 hash:
2f16da6c5771c26ea00d0a79eea2bfe9
SHA1 hash:
3daa4925cacf7f7a4bec67fe2f2ca138dbb67105
Link:
https://www.unpac.me/results/fbaad427-a42d-46ee-a966-5862eed40179/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/92b0b62b54de5df1078d0172524f4d4f891c947dd16551c97b1e7ec609901150

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185346/

Comments