MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98f10643b82275794bc9708dbffdb248e5f715a7207e1c4a4a453cd7cfa7a059. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98f10643b82275794bc9708dbffdb248e5f715a7207e1c4a4a453cd7cfa7a059
SHA3-384 hash: df7729473ed169a8ba0bcd73c6d43e3086e49f8eb5f187485b80cbbdcb88c17e9e04aa00ad720acf7b09ab24a513bab0
SHA1 hash: f4be2dc8d02e05c656cb3e90b89f6ff39e9f47c5
MD5 hash: a8d2022b7ec6bf909bf08b9762747ad5
humanhash: robert-sink-oscar-lake
File name:A8D2022B7EC6BF909BF08B9762747AD5.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:9'498'624 bytes
First seen:2021-03-29 00:50:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'654 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 196608:AOPP4XkAhs/zpA4xv0Q4InlElYdFSQp5yTI/sj+Zzlgccpf:TxZlaYdIQ+j+ZzUd
Threatray 127 similar samples on MalwareBazaar
TLSH F6A69B32FBC3C761D357013CA97D7E7B0328A5E407D04583628B1E585AA5FB16A27A3E
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
203.159.80.155:4444

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
203.159.80.155:4444 https://threatfox.abuse.ch/ioc/5701/

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
A8D2022B7EC6BF909BF08B9762747AD5.exe
Verdict:
Malicious activity
Analysis date:
2021-03-29 00:54:07 UTC
Tags:
installer trojan bitrat rat
Link:
https://app.any.run/tasks/4fb17209-18f4-4cb4-806f-793fb46ea833

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127424/
Detection(s):
Win.Malware.Mikey-9819889-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Launching a process
Creating a process from a recently created file
Creating a file
Creating a window
Setting a global event handler
Sending a custom TCP request
Creating a process with a hidden window
Sending a UDP request
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BitRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/961e4688-2ffc-4be8-a8f6-bfe28725c664
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/656319
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 377092 Sample: HunpuKMHQt.exe Startdate: 29/03/2021 Architecture: WINDOWS Score: 100 71 Antivirus / Scanner detection for submitted sample 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 Yara detected BitRAT 2->75 77 2 other signatures 2->77 10 HunpuKMHQt.exe 3 4 2->10         started        process3 file4 61 C:\Windows\Temp\r2dyr3ai.exe, PE32 10->61 dropped 63 C:\Users\user\AppData\...\HunpuKMHQt.exe.log, ASCII 10->63 dropped 13 r2dyr3ai.exe 3 1 10->13         started        17 AcroRd32.exe 37 10->17         started        process5 dnsIp6 67 203.159.80.155, 4444, 49711, 49714 LOVESERVERSGB Netherlands 13->67 85 Multi AV Scanner detection for dropped file 13->85 87 Machine Learning detection for dropped file 13->87 89 Uses cmd line tools excessively to alter registry or file data 13->89 91 3 other signatures 13->91 19 fodhelper.exe 13->19         started        21 RdrCEF.exe 73 17->21         started        24 AcroRd32.exe 8 6 17->24         started        signatures7 process8 dnsIp9 26 r2dyr3ai.exe 19->26         started        65 192.168.2.1 unknown unknown 21->65 29 RdrCEF.exe 21->29         started        32 RdrCEF.exe 21->32         started        34 RdrCEF.exe 21->34         started        36 2 other processes 21->36 process10 dnsIp11 83 Uses cmd line tools excessively to alter registry or file data 26->83 38 reg.exe 26->38         started        41 reg.exe 26->41         started        43 reg.exe 26->43         started        45 11 other processes 26->45 69 80.0.0.0 NTLGB United Kingdom 29->69 signatures12 process13 signatures14 79 Disables Windows Defender (deletes autostart) 38->79 47 conhost.exe 38->47         started        81 Disable Windows Defender real time protection (registry) 41->81 49 conhost.exe 41->49         started        51 conhost.exe 43->51         started        53 conhost.exe 45->53         started        55 conhost.exe 45->55         started        57 conhost.exe 45->57         started        59 7 other processes 45->59 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/98f10643b82275794bc9708dbffdb248e5f715a7207e1c4a4a453cd7cfa7a059/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-25 03:34:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
149
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tdyqmq5yej2xss6jocg377nsjds7ofnheb7bysskiu6npt5hubmq._file
Verdict:
malicious
Similar samples:
0bc2a5a5f41749cfba076f97404885868975ceab944455666c0d35342cd72219
BitRAT
15c2c10245cefd160439ac103fe27981519904fe88ea614d8b900fe37120759b
BitRAT
57962424bffff920ffddd397bb18ea1dcb43b641ff8a8d72c73c8e6db3d9b63d
BitRAT
6173a7ce15143ef14d5109785782e3e2aadd6108535eff03e765d50a5f586c17
BitRAT
7840f0892f2762590368de7091d31be8ace3a3ca1982dd5efd22c938a1552a47
BitRAT
b895fbf7b60e9534de3a12e5e6c3b5dbe8a5f6149be49e50beae19e0a9006999
BitRAT
be06f303ae133e36f87ef001dc369f0212f76b26ad53ec171fd2dcdde9463cea
BitRAT
c18ee8f785af2b2aef01668ea83662281cb236af6b6405c65e01281635b20696
BitRAT
ed89efa7c8159a2158076d37effc5f0f12bba88955ee9345cf67210ec0a6e43c
BitRAT
fe0a8d4538509b238f96d42c57d73ffb49d1967c4b6dc8b397a4684446a04460
BitRAT
+ 117 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat evasion trojan
Link:
https://tria.ge/reports/210329-9azx6azvps/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
Executes dropped EXE
BitRAT
BitRAT Payload
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
6b2ef97c2e380a23e8f15315a0b310f884836c44925f89b58325eb4195fc9e1a
MD5 hash:
3ccca764f89875bb46d9a787f8da24ca
SHA1 hash:
0a873f4df0be0dd6d550dc9f0da29d07e37a04bd
Link:
https://www.unpac.me/results/e60bce5b-b0c6-4f17-acee-8fca4849fc7f/
SH256 hash:
98f10643b82275794bc9708dbffdb248e5f715a7207e1c4a4a453cd7cfa7a059
MD5 hash:
a8d2022b7ec6bf909bf08b9762747ad5
SHA1 hash:
f4be2dc8d02e05c656cb3e90b89f6ff39e9f47c5
Link:
https://www.unpac.me/results/e60bce5b-b0c6-4f17-acee-8fca4849fc7f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
BitRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/98f10643b82275794bc9708dbffdb248e5f715a7207e1c4a4a453cd7cfa7a059

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:quakbot_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:silentbuilder_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:ta505_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/127424/

Comments