MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 986909ccdc258f70bdb98363576fce9dc101142c6528d588f1308edceafb9ab5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 986909ccdc258f70bdb98363576fce9dc101142c6528d588f1308edceafb9ab5
SHA3-384 hash: 179a6b1f2ba8c1e50225340c39bb74a0e7f71ea8b83c3120f0d4ff9c18ffcbde4d8ecfc6413f3b776c6d5fede610711c
SHA1 hash: f7a061b33866185f317e954b31bf9d8607568ec5
MD5 hash: c974bffe4c0caa1106335a643f4aeee6
humanhash: delta-mobile-uranus-pasta
File name:edi.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'674'176 bytes
First seen:2021-06-28 13:59:20 UTC
Last seen:2021-06-28 14:51:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:0uEH9nnoJ2DyFmM9Rub4+UYwjR3TjDVt4XHTC2gnwCwTIfC:0uQO2/M9R5L9DjDLiHTDrrKC
Threatray 105 similar samples on MalwareBazaar
TLSH 40C5F12E36F3AAFDE906C1761185CD301EA39DD1A88AE90EB7DE1D673FE0014A90157D
Reporter James_inthe_box
Tags:BitRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
edi.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-28 14:28:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2b193ddf-1790-42f1-b3c2-20ed3c46521a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168595/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46542415.1574.20965.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/574140d8-3036-4d33-ba9d-b7593ac29bac
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808854
Signature
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/986909ccdc258f70bdb98363576fce9dc101142c6528d588f1308edceafb9ab5/
Threat name:
Win32.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 03:12:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
22 of 46 (47.83%)
Threat level:
  3/5
Verdict:
unknown
Similar samples:
12e2fade9c6f17595717385e99c97a448e87bbbb6a7a30ea2c31062983f4c065
BitRAT
19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
BitRAT
6deceb88f30de5953a4a9de2fd70415302205f306cdf62e14c922fee23ea721e
BitRAT
74f108a1e08fa3ebc3ff8e54f4950e5fa1e75a6e4a9a9968e226b31064fe8d2b
BitRAT
8cdbdc48eeff6dbd8b3cf2bcbf91b4c58c5479e8c3779f36debdd3856f17b185
BitRAT
8d66edd777191f1972fee3bbd11950bca3af608a2e3f3392c4c778a1ab991ec3
BitRAT
b78c057366525777ab931d9a4a2962a2df499a6690aae1f3e215097d5adbb458
BitRAT
c98f7393639b690d4b1b4a1e9af7ba01ce943ee361a9b230dd1181a3f947a6f3
BitRAT
e95d8b2d7c80f9b47d7c3fb368256962c357404e85f45701a473b6354ca18133
BitRAT
fed274cef763ebf2558db00b7e25a4a9e51c986d55ea6c089d32893d666fe29d
BitRAT
+ 95 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan
Link:
https://tria.ge/reports/210628-8wyat2k42x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
31d24386bf7f4d8b9a787c8f34c27a5e05906254580294602d1468b81dd4b6d1
MD5 hash:
e618e9170df094c7fd96f8e5d3b5439e
SHA1 hash:
f64685ca0c23162fce0abfd1b4672896157feac1
Link:
https://www.unpac.me/results/f73598c1-8020-42aa-a05c-8a2c74727c43/
SH256 hash:
5ba919dab09107317e438c98e9c90f147879cd70f7a437482a2520790257276d
MD5 hash:
f5288f15f4c202e0db7178bf55622f01
SHA1 hash:
dd708d86ef5f9151989dde750188d64875fa1793
Link:
https://www.unpac.me/results/f73598c1-8020-42aa-a05c-8a2c74727c43/
SH256 hash:
2259fef63ddb379fd020660fd05c35fcef91c2059ae497e02430f702494176b5
MD5 hash:
7f9ec44ee08aa3cf683e75db0536c77d
SHA1 hash:
1e6a47c1309225b8dcab73b662db66714500ea6b
Link:
https://www.unpac.me/results/f73598c1-8020-42aa-a05c-8a2c74727c43/
SH256 hash:
dc8af225c1e66f7487f1f1e21785134b25ac2586a61b984089c7a21776535d7d
MD5 hash:
d216a3f1477ab02bcd0c6ea48a1ca45c
SHA1 hash:
1d129a977723a3d17b1f5d085149d4a06e05bbe1
Link:
https://www.unpac.me/results/f73598c1-8020-42aa-a05c-8a2c74727c43/
SH256 hash:
986909ccdc258f70bdb98363576fce9dc101142c6528d588f1308edceafb9ab5
MD5 hash:
c974bffe4c0caa1106335a643f4aeee6
SHA1 hash:
f7a061b33866185f317e954b31bf9d8607568ec5
Link:
https://www.unpac.me/results/f73598c1-8020-42aa-a05c-8a2c74727c43/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/986909ccdc258f70bdb98363576fce9dc101142c6528d588f1308edceafb9ab5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/168595/

Comments