MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bfd468b402317eb1dc711af78f4340d855cbf234a4736188283a6fa6f8d3cb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BitRAT


Vendor detections: 11



SHA256 hash: 9bfd468b402317eb1dc711af78f4340d855cbf234a4736188283a6fa6f8d3cb2
SHA3-384 hash: 1e3142d44852d2e35ecc857605f622321c1846294e194bda0d2eaf49e75273b59b6515951ee643225d2c4e73abbf94c2
SHA1 hash: c1e42ad6521b9c5a4f464f83b85a23024075e952
MD5 hash: 2b0eee70b8aa1f50f397502b29921f8e
humanhash: don-speaker-iowa-delaware
File name:Ozmxatmtnyjmmnespgaqcxwhfqpufmkzto.exe
Signature BitRAT
File size:727'552 bytes
First seen:2021-11-23 09:07:21 UTC
Last seen:2021-11-23 11:06:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash eb3e9d8cf19100c077e1fdd127bcd369 (3 x Formbook, 1 x BitRAT)
ssdeep 12288:g6Hvy5le1KrvnEWkPpgiVymUqmCRb3seJ1B8oDfwUCm0gRS+:g6PWleMvnEW0pgiJUUx3zJ1Bp7cH
Threatray 538 similar samples on MalwareBazaar
TLSH T197F49D53F68E9576E2B91A7CCD07939DEB357E103E299C4A29F02E08DF39588713A113
dhash icon 342c6c9c97cc6493 (3 x Formbook, 1 x BitRAT)
Reporter abuse_ch
Tags:BitRAT exe RAT


abuse_ch
BitRAT C2:
20.124.111.166:2223

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
20.124.111.166:2223    https://threatfox.abuse.ch/ioc/253430/
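As an added example (not MalwareBazaar's, abuse.ch's or any sandbox vendor's tooling), the following Python turns the digests at the top of this entry and the C2 from the IOC table into the two checks a responder actually runs: confirming that a file on disk is this sample by comparing all four listed digests, and sweeping connection and DNS logs for the C2 socket and for the hostname the sandbox trace further down this page resolved to it (oka.nerdpol.ovh). The log lines and the key=value log format are constructed for the example and do not follow any vendor's schema.

```python
"""Triage helper for this MalwareBazaar entry (added example; not MalwareBazaar's
or abuse.ch's tooling). Two checks built from the data on the entry:
  1. confirm that a file on disk is this sample by comparing every listed digest;
  2. sweep connection/DNS logs for the BitRAT C2 listed in the IOC table.
The log format is a constructed key=value format, not any vendor's schema.
"""
import hashlib

# Digests exactly as listed on this entry.
ENTRY_HASHES = {
    "md5": "2b0eee70b8aa1f50f397502b29921f8e",
    "sha1": "c1e42ad6521b9c5a4f464f83b85a23024075e952",
    "sha256": "9bfd468b402317eb1dc711af78f4340d855cbf234a4736188283a6fa6f8d3cb2",
    "sha3_384": "1e3142d44852d2e35ecc857605f622321c1846294e194bda0d2eaf49e75273b5"
                "9b6515951ee643225d2c4e73abbf94c2",
}

# Network IOCs: the C2 socket from the IOC table, and the hostname the sandbox
# resolved to it (oka.nerdpol.ovh), which survives a change of IP address.
C2_SOCKETS = {("20.124.111.166", 2223)}
C2_HOSTNAMES = {"oka.nerdpol.ovh"}


def digests(data: bytes) -> dict:
    """Return the same four digests MalwareBazaar lists, over in-memory bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def compare_with_entry(data: bytes) -> dict:
    """Per-algorithm match flags. A file that is this sample matches all four.
    A match on MD5 or SHA1 alone is not evidence; require the SHA256 or
    SHA3-384 flag before acting on it."""
    got = digests(data)
    return {alg: got[alg] == ENTRY_HASHES[alg] for alg in ENTRY_HASHES}


def _parse(line: str):
    """Parse one constructed log line: '<ts> <conn|dns> key=value ...'."""
    ts, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return ts, kind, fields


def find_c2_hits(lines, ip_only: bool = False) -> list:
    """Return (timestamp, kind, client_ip, indicator) for every line that touches
    the C2. With ip_only=True any destination port on the C2 address counts,
    which catches a client talking to the same server on another port at the
    cost of false positives on a shared cloud address."""
    hits = []
    for line in lines:
        ts, kind, f = _parse(line)
        if kind == "conn":
            dst_ip, dst_port = f["dst"].rsplit(":", 1)
            client = f["src"].rsplit(":", 1)[0]
            on_c2_ip = any(dst_ip == ip for ip, _ in C2_SOCKETS)
            if (dst_ip, int(dst_port)) in C2_SOCKETS or (ip_only and on_c2_ip):
                hits.append((ts, "conn", client, f["dst"]))
        elif kind == "dns":
            name = f["query"].lower().rstrip(".")
            if name in C2_HOSTNAMES:
                hits.append((ts, "dns", f["src"], name))
    return hits


def affected_hosts(lines, ip_only: bool = False) -> set:
    """Distinct internal clients that touched the C2: the isolation list."""
    return {h[2] for h in find_c2_hits(lines, ip_only)}


# Constructed log lines (not from any real network); timestamps mirror the
# sandbox run. The 162.159.129.233:443 line is the cdn.discordapp.com contact
# from the behaviour graph and is deliberately NOT treated as an IOC.
SAMPLE_LOG = [
    "2021-11-23T09:31:20Z dns src=10.0.0.12 query=cdn.discordapp.com",
    "2021-11-23T09:31:21Z conn src=10.0.0.12:49758 dst=162.159.129.233:443 proto=tcp",
    "2021-11-23T09:31:40Z dns src=10.0.0.12 query=oka.nerdpol.ovh.",
    "2021-11-23T09:31:41Z conn src=10.0.0.12:49773 dst=20.124.111.166:2223 proto=tcp",
    "2021-11-23T09:32:05Z conn src=10.0.0.12:49790 dst=20.124.111.166:443 proto=tcp",
    "2021-11-23T09:32:10Z conn src=10.0.0.33:51001 dst=20.124.111.166:2223 proto=tcp",
]

if __name__ == "__main__":
    # A constructed stand-in for the file under test; it is not the sample.
    print(compare_with_entry(b"MZ\x90\x00 constructed stand-in"))
    for hit in find_c2_hits(SAMPLE_LOG):
        print(*hit)
    print("hosts to isolate:", sorted(affected_hosts(SAMPLE_LOG)))
```

Two caveats when turning this entry into blocks. The sandbox trace places 20.124.111.166 in MICROSOFT-CORP-MSN-AS-BLOCK, so it is cloud-hosted and may be reassigned to an unrelated tenant; block the socket and the hostname with an expiry and revisit the ThreatFox reference rather than blacklisting the bare IP indefinitely. The cdn.discordapp.com and 162.159.x.x contacts in the behaviour graph are shared Cloudflare-fronted infrastructure and are not usable as indicators on their own.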

Intelligence


File Origin
# of uploads :
2
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ozmxatmtnyjmmnespgaqcxwhfqpufmkzto.exe
Verdict:
Malicious activity
Analysis date:
2021-11-23 09:31:06 UTC
Tags:
trojan bitrat rat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware

Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Setting a global event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph (ID 527015; sample Ozmxatmtnyjmmnespgaqcxwhfqpufmkzto.exe; start date 23/11/2021; architecture WINDOWS; score 100), rebuilt from the flattened graph export. Indentation shows parent/child process relationships; network contacts, dropped files and signatures are listed under the process that produced them.

Sample-level signatures:
  Antivirus detection for dropped file
  Multi AV Scanner detection for submitted file
  Yara detected BitRAT
  PE file has nameless sections

Process tree:
  Ozmxatmtnyjmmnespgaqcxwhfqpufmkzto.exe
    network: cdn.discordapp.com 162.159.129.233:443 (client ports 49758, 49759; CLOUDFLARENETUS, United States)
    dropped: C:\Users\Public\Libraries\...\Ozmxatmt.exe (PE32)
    dropped: C:\Users\...\Ozmxatmt.exe:Zone.Identifier (ASCII)
    signatures: Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    logagent.exe
      network: oka.nerdpol.ovh 20.124.111.166:2223 (client ports 49773, 49782; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
      dropped: C:\Users\user\AppData\Local\...\nXG1sNba.exe (MS-DOS)
      dropped: C:\Users\user\AppData\Local\...\NPH8XFdP.exe (MS-DOS)
      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Injects a PE file into a foreign processes
      nXG1sNba.exe
        signatures: Detected unpacking (changes PE section rights); Injects a PE file into a foreign processes
        nXG1sNba.exe
          network: www.xenarmor.com
          signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); 2 other signatures
          conhost.exe
      NPH8XFdP.exe
        dropped: C:\Users\user\AppData\Local\...\Unknown.dll (PE32)
        dropped: C:\Users\user\AppData\...\vcruntime140.dll (PE32)
        dropped: C:\Users\user\AppData\Local\...\softokn3.dll (PE32)
        dropped: 17 other files (none is malicious)
        NPH8XFdP.exe
          network: xenarmor.com 69.64.94.128 (CODERO-DFWUS, United States); www.xenarmor.com
          conhost.exe
      logagent.exe
      logagent.exe
    cmd.exe
      signatures: Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules
      cmd.exe
        signatures: Uses cmd line tools excessively to alter registry or file data
        conhost.exe
        reg.exe
        schtasks.exe
        reg.exe
      conhost.exe
    cmd.exe
      reg.exe
        conhost.exe
      conhost.exe
  Ozmxatmt.exe
    signatures: Multi AV Scanner detection for dropped file
    logagent.exe
      signatures: Hides threads from debuggers
  Ozmxatmt.exe
    network: 162.159.133.233:443 (client port 49781; CLOUDFLARENETUS, United States)
    mobsync.exe
Threat name:
Win32.Infostealer.Fareit
Status:
Malicious
First seen:
2021-11-23 09:08:13 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
25 of 45 (55.56%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:bitrat persistence trojan upx
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
UPX packed file
BitRAT
BitRAT Payload
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Author:ditekSHen
Description:detects Windows executables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:MALWARE_Win_BitRAT
Author:ditekSHen
Description:Detects BitRAT RAT

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments