MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9463fd33646ba1e72825b00914cc2d5dfef3e31a584cc717e634fe1f685ba6da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9463fd33646ba1e72825b00914cc2d5dfef3e31a584cc717e634fe1f685ba6da
SHA3-384 hash: 228e80702f3a9b5334f5f1a6231de281ba3087177d8055bd8cf907be80bb1bec0d56b3734afa9ff784f1a6a69b8f7a6d
SHA1 hash: d806e6beefb351868060a89ccacb425bc9ef812b
MD5 hash: 376e3a7dd22601e3d4cf96f294a9b29e
humanhash: kentucky-burger-december-london
File name:376E3A7DD22601E3D4CF96F294A9B29E.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'093'568 bytes
First seen:2021-04-27 22:15:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 49152:meSng863bBGRPpaif65XFH6hLufnSAq58PUYY01XA:eng8GbBGRP0SYFHILq5q0BA
Threatray 15 similar samples on MalwareBazaar
TLSH 2EA5220EF62099C0F55943BF98765A292F22FE37FCBB9599708972070C22653845BEC7
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
139.99.21.207:1900

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
139.99.21.207:1900 https://threatfox.abuse.ch/ioc/18172/

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
376E3A7DD22601E3D4CF96F294A9B29E.exe
Verdict:
Malicious activity
Analysis date:
2021-04-27 22:18:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/74a1d148-1766-4803-aa9d-acca9aad8c64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144717/
Detection(s):
Win.Packed.Bulz-9854729-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Creating a process from a recently created file
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/699725
Signature
.NET source code contains potential unpacker
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected BitRAT
Yara detected Costura Assembly Loader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9463fd33646ba1e72825b00914cc2d5dfef3e31a584cc717e634fe1f685ba6da/
Threat name:
ByteCode-MSIL.Spyware.Solmyr
Create hunting rule
Status:
Malicious
First seen:
2021-04-25 00:08:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
55
AV detection:
25 of 47 (53.19%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=srr72m3enoq6okbfwaerjtbnlx7phyy2lbgmof7ggt7b62c3u3na._file
Verdict:
malicious
Similar samples:
30303b663e0b7b9824cc59298b36f824b607b4fb85de53af6aac3a023d895513
BitRAT
3b019e395d076e03b3b4a2d9468d3acb36df69115e059119194fbd8dd6d1dd6b
BitRAT
4f450fcf02d7006fd4fbea8c2cad999397672d44864f1e8c504633ce53c3d53d
BitRAT
55f1a2084fd1c1d5477519f06b02aa4fa4d917aaceffd116fc45820dc49a7795
BitRAT
79e2a3311700e87e6d5e4d5f8e23f8f6b5500aa9e25e71afb016df130f21bae0
BitRAT
82a4d8eb8b002755e42621fe0a3370f7356c1116c4e6d977e4b853bcff32898b
BitRAT
87763547e91a17c7070d90ab3619415a470e8bf4397a57ad38d0b3dd43fc45c7
BitRAT
be06f303ae133e36f87ef001dc369f0212f76b26ad53ec171fd2dcdde9463cea
BitRAT
d431d6c234dfb75c3fad9cfe53c800e68eec1df826aeee43cc02d802a234e0c2
BitRAT
da1fba1d66a44b77440ec136dec09f921d932d5ece0d35030e7c22d50f73bc8a
BitRAT
+ 5 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan
Link:
https://tria.ge/reports/210427-gn9efpxyk6/
Behaviour
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
e736ca41aaac02f2a8de7cb2cb40c36c87618ec2be8d03f188c825400c2fc312
MD5 hash:
4f87e48e2b041f380b9c42360f082ac3
SHA1 hash:
f2bd8ab14deafd4ae69b3ee1accbcf1a72cd4f6a
Link:
https://www.unpac.me/results/964274bd-e2c3-4677-8504-d5baf65521e2/
SH256 hash:
726f6f5dff7f2434b33136bde2d2883d8ff85e25cb8b7061675ea3b169135d10
MD5 hash:
f34e59a1f5cdcf25d6e93a956e28e4e3
SHA1 hash:
96095a3670517457d396c3e9f02d64a6a5ec6bd7
Link:
https://www.unpac.me/results/964274bd-e2c3-4677-8504-d5baf65521e2/
SH256 hash:
f9a1f165036cd1fda8b7850f283a9a3d280b63e01a1c730ec19703853f7f54ca
MD5 hash:
3c8b82c8cd41f98b552fc2b9a4392fd9
SHA1 hash:
20bcd991d41604efcd0ccbda3cc8533a66fe6a7b
Link:
https://www.unpac.me/results/964274bd-e2c3-4677-8504-d5baf65521e2/
SH256 hash:
e0fe9f8bd65d5a1ffcca6994e9883143c4cb4f51ec33fab4105c30bec01cea69
MD5 hash:
8124771b232070e27afa79d448414372
SHA1 hash:
c03561a621b16b1fffddd6021bc2620372f6750e
Link:
https://www.unpac.me/results/964274bd-e2c3-4677-8504-d5baf65521e2/
SH256 hash:
9463fd33646ba1e72825b00914cc2d5dfef3e31a584cc717e634fe1f685ba6da
MD5 hash:
376e3a7dd22601e3d4cf96f294a9b29e
SHA1 hash:
d806e6beefb351868060a89ccacb425bc9ef812b
Link:
https://www.unpac.me/results/964274bd-e2c3-4677-8504-d5baf65521e2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/9463fd33646ba1e72825b00914cc2d5dfef3e31a584cc717e634fe1f685ba6da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144717/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-27 23:00:06 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program