MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d2ebaf8bfad87755256c2eb157012c48451a4b2e000e9b220466c37481f81b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d2ebaf8bfad87755256c2eb157012c48451a4b2e000e9b220466c37481f81b7
SHA3-384 hash: c6c20202570ec36df7b4fbb32e9ea4c52380792a979fd5b184646aafcbb64bb9fd5f15965f3f68cb38c00fd5e632873a
SHA1 hash: c8cf2033452aad5b005f61ce794779bbffd11884
MD5 hash: 58057bc14bb02355b92eef89f09a98d1
humanhash: bakerloo-north-leopard-helium
File name:9D2EBAF8BFAD87755256C2EB157012C48451A4B2E000E.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'511'424 bytes
First seen:2022-11-23 20:45:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (235 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 24576:8ndRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkz/H52udi:GXDFBU2iIBb0xY/6sUYYoHD
Threatray 828 similar samples on MalwareBazaar
TLSH T1F76533E19B1FE779F56BCC3C78661D03CC69C662257B09067E2CC8BE60BEA911584C63
TrID 63.4% (.EXE) UPX compressed Win32 Executable (27066/9/6)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
4.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
91.109.178.8:4777

Intelligence

File Origin
# of uploads :
1
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
bitrat
Create hunting rule
ID:
1
File name:
9D2EBAF8BFAD87755256C2EB157012C48451A4B2E000E.exe
Verdict:
Malicious activity
Analysis date:
2022-11-23 20:46:49 UTC
Tags:
trojan bitrat rat evasion
Link:
https://app.any.run/tasks/32d5e497-e200-4597-a6ab-64150fa32c6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/337831/
Detection(s):
Win.Malware.Mikey-9819889-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Setting a global event handler
Modifying an executable file
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Sending a custom TCP request
Query of malicious DNS domain
Moving of the original file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug graftor mikey packed
Link:
https://www.filescan.io/uploads/637e868c559d07a06f47148e/reports/f5c2ac91-6862-47c7-8191-f53398177345/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BitRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8329fa72-894f-47b7-a623-058254e4b3bf
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1120118
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d2ebaf8bfad87755256c2eb157012c48451a4b2e000e9b220466c37481f81b7/
Threat name:
Win32.Backdoor.ParalaxRat
Create hunting rule
Status:
Malicious
First seen:
2022-11-20 11:31:56 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tuxlv6f7vwdxkuswylvrk4asyscfdjfs4aaotmraizwdosa7qg3q._file
Verdict:
malicious
Similar samples:
39d1c62236097f35dbcb91310c722882def7fe38bf1d7803b15b879580e44d22
BitRAT
4de2cc756df96a38b545b8ca2d3961878b08fe4439c102c339c2fc16596c5423
BitRAT
59a818fb1f5c0edafb3c7b99fc43b652ae310ff25f22d4e35947207a28c4a3a8
BitRAT
67dc36b32a718de5d05b8ccf59d8a0415a76c8c42729065145f7f9da83726b7b
BitRAT
935195b8b2fc62b32c1fe86d02ce9cf5f97dd367ba476d72a5b49bf0953f4df2
BitRAT
bb6d55aab2282e95e85afa000473a6df2f1a4b4c46f177c14cfbf3e8e48b430d
BitRAT
+ 818 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan upx
Link:
https://tria.ge/reports/221123-zkaq8sda62/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks computer location settings
UPX packed file
BitRAT
Malware Config
C2 Extraction:
omglunie.hopto.org:4777
Unpacked files
SH256 hash:
6eb933a6ceef5f88e1f0f75003282e9681a895043ef87e89b4cc7fec9a672b74
MD5 hash:
bf10650a6ca833f4fd04a5dcfbd1535a
SHA1 hash:
e574ed190399e0e386c49545e9cf955be12d2af3
Detections:
BitRat
Create hunting rule
win_bit_rat_auto
Create hunting rule
Link:
https://www.unpac.me/results/968f467e-3eb0-4e73-b119-cf7d02c3c351/
SH256 hash:
9d2ebaf8bfad87755256c2eb157012c48451a4b2e000e9b220466c37481f81b7
MD5 hash:
58057bc14bb02355b92eef89f09a98d1
SHA1 hash:
c8cf2033452aad5b005f61ce794779bbffd11884
Link:
https://www.unpac.me/results/968f467e-3eb0-4e73-b119-cf7d02c3c351/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9d2ebaf8bfad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d2ebaf8bfad87755256c2eb157012c48451a4b2e000e9b220466c37481f81b7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/337831/

Comments