MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93ac463d55f59133067b2b6d985a077b45924421db0293da03cf15ac2a933b92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 7

SHA256 hash: 93ac463d55f59133067b2b6d985a077b45924421db0293da03cf15ac2a933b92
SHA3-384 hash: ddc66341b97575443eea99f08636fae006891ff6cff959784d456755fef1034339cf28503c6451cb55e51a19860b9770
SHA1 hash: 798073d9dd742ccc3174f20d61dd306ab2f62967
MD5 hash: 81e693224a7c162f37436524936fd803
humanhash: fish-maryland-carpet-ink
File name: PAYMENT_ADVICE.exe
Signature: BitRAT
File size: 729'088 bytes
First seen: 2021-09-28 17:50:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 12288:czjzNNi+hBr7IUAVs6GctxQPCb4UytyfWUR/hNtHWimCF2DDedIezu/oq:chNi+hBr8UAVs6HtxbEUGyO+COnIQuw
Threatray: 528 similar samples on MalwareBazaar
TLSH: T169F4AEDA2EB453CBFB0E01F8F5752B98137A9C24A99BF7C2DA45B0B350327A44910DD6
dhash icon: 7cf6b6aa8ed0e8b4 (18 x Formbook, 3 x SnakeKeylogger, 2 x NanoCore)
Reporter: Anonymous
Tags: BitRAT exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 115
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected BitRAT
Behaviour
Behavior Graph (rendered graph not available; node data recovered from the graph text):
Behavior Graph ID: 492576
Sample: PAYMENT_ADVICE.exe
Startdate: 28/09/2021
Architecture: WINDOWS
Score: 100

Top-level network contact: 46.4.66.178 (HETZNER-ASDE, Germany)
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; 10 other signatures

Process tree:
PAYMENT_ADVICE.exe (started)
  Dropped: C:\Users\user\AppData\Local\...\tmp4F9F.tmp (XML); C:\Users\user\...\PAYMENT_ADVICE.exe.log (ASCII); C:\Users\user\AppData\Roaming\KUstQqwQA.exe (PE32)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Contains functionality to inject code into remote processes; Uses schtasks.exe or at.exe to add and modify task schedules; 2 other signatures
  +-- PAYMENT_ADVICE.exe (child instance, started)
  |     Network: cobhamplasteringservices.co.uk 95.131.65.73, 49744, 80 (GD-EMEA-DC-LD5GB, United Kingdom)
  |     Dropped: C:\Users\user\...\a5anJjSIyKkoX9k8.exe (PE32); C:\Users\user\AppData\Local\...\1[1].exe (PE32)
  |     +-- a5anJjSIyKkoX9k8.exe (started)
  |           Network: myexternalip.com 34.117.59.81 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States)
  |           Dropped: C:\Users\user\AppData\Local\...\dllhost.exe (PE32); C:\Users\user\AppData\Local\...\zlib1.dll (PE32); C:\Users\user\AppData\...\libwinpthread-1.dll (PE32); 5 other files (none is malicious)
  |           Signatures: Antivirus detection for dropped file; May check the online IP address of the machine; Machine Learning detection for dropped file; Hides threads from debuggers
  |           +-- dllhost.exe (started)
  |           |     Network: 62.210.244.146, 49753, 9001 (OnlineSASFR, France); 54.38.92.43, 49752, 9001 (OVHFR, France); 4 other IPs or domains
  |           |     Signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file
  |           +-- dllhost.exe (started)
  +-- powershell.exe (started)
  |     +-- conhost.exe (started)
  +-- schtasks.exe (started)
        +-- conhost.exe (started)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-09-28 03:43:57 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:bitrat evasion suricata trojan upx
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Maps connected drives based on registry
Uses Tor communications
Checks BIOS information in registry
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Looks for VMWare Tools registry key
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Looks for VirtualBox Guest Additions in registry
BitRAT
BitRAT Payload
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
Unpacked files
SHA256 hash: b2811fec7917275a71e52bb23867f02efe2629868c886ac78a6142a3dd202c6d
MD5 hash: cd2817f08304a436b55a7ff3d7cb0b16
SHA1 hash: cff6db630367fc2fb548be58bd3ab5eaf5a4f971

SHA256 hash: 8fc3575da09d4b76a829ec7b1f3361cf1382cb76127272972b2a74ecd50baa75
MD5 hash: 01f9fda9a443a4280f3d350a401bd5b7
SHA1 hash: 747fdc388c709925e3b96bc6da4a1f66258610ef

SHA256 hash: e48f34169189a5aa69e002bee0a6d9575434dc6724936008bf433b0b9b9e1fc5
MD5 hash: e1f0de5c38dc586c5a97448a71f8a46d
SHA1 hash: 39435bf04cc9e2b6e14890e2757d154403ce38dc

SHA256 hash: 6a671abf66304301602b4afd0902840bc3915455cffc58d8916eaa693abe33ec
MD5 hash: 681eca96e4e7b513317178dc7065ef39
SHA1 hash: 24af82015bc57d125f1ccb759840118b2283d1dc

SHA256 hash: 93ac463d55f59133067b2b6d985a077b45924421db0293da03cf15ac2a933b92
MD5 hash: 81e693224a7c162f37436524936fd803
SHA1 hash: 798073d9dd742ccc3174f20d61dd306ab2f62967
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via e-mail link

Comments