MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 939b9ae2b1804b707eafe1a369b98096d9c3eb33de5554906c5a5f64d750d4d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 939b9ae2b1804b707eafe1a369b98096d9c3eb33de5554906c5a5f64d750d4d5
SHA3-384 hash: 4a2c637afae46b94c57b9b53a76f68f31c3fed0babe01d75dedfb71caef5d7f118e2ece12a512c6c1abac4b4e2a4f657
SHA1 hash: cd82bdb5b4d9520ecc1b0c4e99d19937a29cbfdd
MD5 hash: 20ed11e944ee0625399cb7762aa60255
humanhash: lion-golf-mississippi-minnesota
File name:20ed11e944ee0625399cb7762aa60255.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'974'272 bytes
First seen:2021-10-05 10:27:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f74a0f3da1e112835a6ac32552c0a4d2 (9 x RedLineStealer, 5 x ArkeiStealer, 4 x RaccoonStealer)
ssdeep 49152:f1u8kdhQrsovCSc1I0A6dF+7VWICS4CGHnN3I2W3RfG:f1lkdumSceX4I7gw2NyfG
Threatray 2'254 similar samples on MalwareBazaar
TLSH T1E295231077F0C035FAB315F969BA92B8643ABCB15B3492CF62D05AEA4764AD0DC31393
File icon (PE):PE icon
dhash icon c4bada9ae8cca448 (1 x BitRAT)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
147.124.208.212:3389

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
147.124.208.212:3389 https://threatfox.abuse.ch/ioc/230515/

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194981/
Detection(s):
Win.Packed.Generic-9896112-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/615c2ba8e3d213d202b77146/reports/450ac29b-a702-453d-8a37-5bbc03653de3/overview
Malware family:
BitRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd9b2c1b-c225-4ac8-b767-5b267092a10f
Result
Threat name:
BitRAT RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/864680
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Creates files in alternative data streams (ADS)
Found malware configuration
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected BitRAT
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 497108 Sample: kjfbagd11E.exe Startdate: 05/10/2021 Architecture: WINDOWS Score: 100 56 Found malware configuration 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->60 62 5 other signatures 2->62 7 kjfbagd11E.exe 3 2->7         started        10 logging.exe 2->10         started        13 logging.exe 2->13         started        process3 file4 42 C:\Users\user\...\kZcAcgkNNZRhYVas.exe, PE32 7->42 dropped 44 C:\Users\user\...\1QakD7tdogDjXJC3.exe, PE32 7->44 dropped 15 kZcAcgkNNZRhYVas.exe 2 2 7->15         started        20 1QakD7tdogDjXJC3.exe 7->20         started        22 WerFault.exe 9 7->22         started        24 8 other processes 7->24 64 Hides threads from debuggers 10->64 signatures5 process6 dnsIp7 46 147.124.208.212, 11172, 3389, 49800 AC-AS-1US United States 15->46 28 C:\Users\user\AppData\...\logging.exe (copy), PE32 15->28 dropped 30 C:\Users\user\AppData\Local:05-10-2021, HTML 15->30 dropped 48 Antivirus detection for dropped file 15->48 50 Multi AV Scanner detection for dropped file 15->50 52 Creates files in alternative data streams (ADS) 15->52 54 3 other signatures 15->54 26 conhost.exe 20->26         started        32 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 22->32 dropped 34 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->34 dropped 36 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->36 dropped 38 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->38 dropped 40 5 other malicious files 24->40 dropped file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/939b9ae2b1804b707eafe1a369b98096d9c3eb33de5554906c5a5f64d750d4d5/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 00:27:54 UTC
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sonzvyvrqbfxa7vp4grwtomas3m4h2zt3zkvjedmljpwjv2q2tkq._file
Verdict:
malicious
Similar samples:
11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41
BitRAT
2cc931d9ba95d8bd2daea724ffd7cdeb239f298336f32c4640465b8982cf5874
BitRAT
2db5b8398fe40439d40336311f84437499781d8659a4557b76ff7db71fa4e05e
BitRAT
52c8b2a76e11b6fab2913cde02aca252462f61a89e0436815e272fc74f0137ec
BitRAT
5b742d7fc7f00ec13442daf22ff2bb2b856e5083eee18fffc267185bfbb7720b
BitRAT
7151dc894be6ab81d6a5ac2fb22812821fb28c2bccea1d01a54eac55ca11da2e
BitRAT
9ea4469f78d2953c8061672f6c7630a9728b42944e37be3e30bc6774812af88a
BitRAT
bf90ed75f44fab1eb49a9bc8ee12c56923a9766bf03794b9a293024be4b0369b
BitRAT
+ 2'244 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:workin infostealer persistence upx
Link:
https://tria.ge/reports/211005-mg5e8ahhem/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
147.124.208.212:11172
Unpacked files
SH256 hash:
d698fe3d52ab520e9c635fb0e461958ddb664fd7f9cc393793b4490a38e2f0ad
MD5 hash:
79dd1e403ecdb390e121eca852e70341
SHA1 hash:
b748dc87ebaedba60b432855da1982c6d25d583d
Link:
https://www.unpac.me/results/9c2314cd-c69d-469a-bfef-1ef99d7ba491/
SH256 hash:
0148674ea5cee708aacf3abd2b32c529d1ebd4a0efc2f83211cfdc7f6b34609a
MD5 hash:
19003e31b7d1b0c5579fc7c744a79f3c
SHA1 hash:
b1a0eeccd841d39a29bb5100249213dbdf6b4b03
Link:
https://www.unpac.me/results/9c2314cd-c69d-469a-bfef-1ef99d7ba491/
SH256 hash:
939b9ae2b1804b707eafe1a369b98096d9c3eb33de5554906c5a5f64d750d4d5
MD5 hash:
20ed11e944ee0625399cb7762aa60255
SHA1 hash:
cd82bdb5b4d9520ecc1b0c4e99d19937a29cbfdd
Link:
https://www.unpac.me/results/9c2314cd-c69d-469a-bfef-1ef99d7ba491/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/939b9ae2b180/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/939b9ae2b1804b707eafe1a369b98096d9c3eb33de5554906c5a5f64d750d4d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/194981/

Comments