MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 969182320bfbad6534c5180717656b2bc2f09e8180c4b6f826ee2e63b9210027. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 18

SHA256 hash: 969182320bfbad6534c5180717656b2bc2f09e8180c4b6f826ee2e63b9210027
SHA3-384 hash: ca27e27052a4e49a5da9aefbfc7252e3d5f53d4ea325b7c5090067a56304877bbb546a0818b1af2feeff996f730ba252
SHA1 hash: 5f6c18308a96a1c750d6f4e8b22dd7bec701f105
MD5 hash: e43f5a6b060e95078d1bbab95dbf7a67
humanhash: mobile-tennis-coffee-edward
File name: luxurioux.exe
Signature: BitRAT
File size: 6'860'288 bytes
First seen: 2023-03-21 02:45:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep 98304:gXc4No+9i3kwuwmX2qaaDvcrOobV1023br5I5S0fmw0NKg0yMgiPNIy6Ygl3qjZB:A/7+uSqa2dQBV+0ATPNO3EZ/zEM
Threatray 753 similar samples on MalwareBazaar
TLSH T1D766232B9583C81BE62DB4B7F94A88064AD0A6DCE0F587D3472CC5CB17DAAC432E7715
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon c082d064384d82e0 (1 x BitRAT)
Reporter Chainskilabs
Tags: BitRAT exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 350
Origin country: US

Vendor Threat Intelligence
Malware family: asyncrat
ID: 1
File name: luxurioux.exe
Verdict: Malicious activity
Analysis date: 2023-03-20 19:29:57 UTC
Tags: evasion stealerium stealer blackguard asyncrat bitrat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Moving a recently created file
Reading critical registry keys
Setting a global event handler
Sending a custom TCP request
Running batch commands
Launching the process to change network settings
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: asyncrat dcrat nitol packed shell32.dll tiny

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AsyncRAT, BitRAT, StormKitty, WorldWind
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates files in alternative data streams (ADS)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Yara detected AsyncRAT
Yara detected BitRAT
Yara detected Generic Downloader
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected WorldWind Stealer
Behaviour
Behavior Graph (ID: 831115, Sample: luxurioux.exe, Startdate: 21/03/2023, Architecture: WINDOWS, Score: 100)
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 14 other signatures

Process tree (reconstructed from the graph edge list):
luxurioux.exe
  dropped: C:\Users\user\AppData\Local\Temp\server.exe (PE32); C:\Users\user\AppData\Local\...\luxurious.exe (PE32)
  signature: Encrypted powershell cmdline option found
  luxurious.exe
    dropped: C:\Users\user\AppData\Local\Temp\Xmvxr.exe (PE32); C:\Users\user\AppData\Local\Temp\Feyfwn.exe (PE32)
    signature: Multi AV Scanner detection for dropped file
    Xmvxr.exe
      dropped: C:\Users\user\AppData\Local\...\zlib1.dll (PE32); C:\Users\user\AppData\Local\...\tor.exe (PE32); C:\Users\user\AppData\...\libwinpthread-1.dll (PE32); 7 other malicious files
      signatures: Multi AV Scanner detection for dropped file; Creates files in alternative data streams (ADS); Hides threads from debuggers
      tor.exe
        network: 31.31.78.49, 443, 49705, 49719 WEDOSCZ Czech Republic; 149.56.141.138, 49703, 9001 OVHFR Canada; 3 other IPs or domains
        signature: Multi AV Scanner detection for dropped file
    Feyfwn.exe
  server.exe
    network: 49.39.14.0.in-addr.arpa; api.telegram.org 149.154.167.220, 443, 49697, 49698 TELEGRAMRU United Kingdom; 3 other IPs or domains
    dropped: C:\Users\user\AppData\...\ZIPXYXWIOY.docx (ASCII); C:\Users\user\AppData\...\VWDFPKGDUF.png (ASCII); C:\Users\user\AppData\...71WCXBPIUYI.xlsx (ASCII); 2 other malicious files
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
    cmd.exe
      signatures: Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
      conhost.exe
      chcp.com
      netsh.exe
      findstr.exe
    cmd.exe
      conhost.exe
      chcp.com
      netsh.exe
  powershell.exe
    conhost.exe
  powershell.exe
    conhost.exe
Chrome.exe
  signature: Hides threads from debuggers
  tor.exe
Chrome.exe
  tor.exe
Threat name: Win32.Backdoor.AsyncRAT
Status: Malicious
First seen: 2023-03-20 22:28:27 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 27 of 37 (72.97%)
Threat level: 5/5

Result
Malware family: stormkitty
Score: 10/10
Tags: family:asyncrat family:bitrat family:stormkitty botnet:default persistence rat spyware stealer trojan upx
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Drops desktop.ini file(s)
Looks up external IP address via web service
Looks up geolocation information via web service
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Async RAT payload
AsyncRat
BitRAT
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot5357505299:AAHKETAZ8bMFX4K83NsGaVH64EMVnQ3AS5U/sendMessage?chat_id=1725860085
4napo6g3cp6av4hmxmwzi5lyojpfk3i2kl2tpssb2wvidqsa3kzo6eyd.onion:80
Unpacked files

SHA256 hash: bf17144d079649dcf2f770f4527ddb27dab66a51a77d5725d5fb358c847fa88a
MD5 hash: bbcb4489c483ca0ac14336cda6f941b3
SHA1 hash: 3b5bc6b21f5dce2d6c400b7f5793b909ee771d66

SHA256 hash: 4df1042820906066e208f879f274e5c222f4003e1ddd4aa99526469b305f9f1c
MD5 hash: 0c612c59011315df253798939f1d1cc1
SHA1 hash: 0e4973c719df405659cc05afbdb1a171dc6c76f4

SHA256 hash: 65042380ce216a24adb86812ca4e49957cd683b76ab07590ad335edbf5e21589
MD5 hash: e3286231ff166eaad0d44d4159ab069e
SHA1 hash: 454e3d63906361fe4189d9075cbcbde48bf03928
Detections: win_bit_rat_auto

SHA256 hash: 484f1006c1f1aa3bc2dcba86f219d8ad9d1108169321a294fc230d492b65614c
MD5 hash: e753abd29f85bcf767a0f3c8074372cc
SHA1 hash: d4e5bf6663dd898077cf7ea1fa2e5d214ffc0a1f

SHA256 hash: 4bb8e5a319eed3b80edc398f94bc2802fd4e9c1f7b3ec7f16683fdd4d4c20e56
MD5 hash: 06df4a3a2d5a9b32d0a20f26bacd679f
SHA1 hash: 5f534d3361f496031c26c131d100d233df479bc3
Detections: AsyncRAT win_asyncrat_w0

SHA256 hash: b9c922c9c3d121ca1463e4ee905b22a8983c2de4079a1df2fb6765f4d65b6521
MD5 hash: 848d54ef2ecd75699697f3f26dac5de1
SHA1 hash: 23774a46cfa33630cf6cb84da946c3daaa3432ba

SHA256 hash: 969182320bfbad6534c5180717656b2bc2f09e8180c4b6f826ee2e63b9210027
MD5 hash: e43f5a6b060e95078d1bbab95dbf7a67
SHA1 hash: 5f6c18308a96a1c750d6f4e8b22dd7bec701f105
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: bitrat_3_mem
Author: James_inthe_box
Description: BitRAT
Reference: 7b03ad29559118bb36b1400b4865f82a90fd389031ccebd228836cfd09d63e9b

Rule name: bitrat_unpacked
Author: jeFF0Falltrades
Description: Experimental rule to detect unpacked BitRat payloads on disk or in memory, looking for a combination of strings and decryption/decoding patterns
Reference: https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/

Rule name: MALWARE_Win_BitRAT
Author: ditekSHen
Description: Detects BitRAT RAT

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: QbotStuff
Author: anonymous

Rule name: win_bit_rat_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.bit_rat.

Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.
