MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9eaf84474a458ff7b9847687ed30ab6533a54c5ae028a2ec14885884440975f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9eaf84474a458ff7b9847687ed30ab6533a54c5ae028a2ec14885884440975f7
SHA3-384 hash: 0ec8cdfd05c47ecbd112402deb99c8e12cee0056366805a50e72ed0faaf4e0bef3227a1b970651046ae1625625fc3417
SHA1 hash: e1dd6f6ce6f458526eba7a732bca41fb3099ee27
MD5 hash: a57293f2f2f9632646efd3b9386944aa
humanhash: maryland-three-apart-mobile
File name:DmtxjmmsiwawliehhrzxcpwdxtexpegwgoSigned.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:942'080 bytes
First seen:2021-06-22 17:21:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d2a11b688659c9baad015ccd9f8c122 (2 x BitRAT)
ssdeep 12288:7dJDIO4I7RsW6/gWwwNAloZDtG0LMpQOlyoSJTpVnb7x3b/wrHJ8:7dJ8OvC/gUNMozDROQfTppb7x3ErH
Threatray 483 similar samples on MalwareBazaar
TLSH D1158ED2666548B3E1B31A39DD1A7689E52D7E803F189C8663F0BD496F343F13DA9083
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
20.98.18.253:2222

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
20.98.18.253:2222 https://threatfox.abuse.ch/ioc/142004/

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DmtxjmmsiwawliehhrzxcpwdxtexpegwgoSigned.exe
Verdict:
Malicious activity
Analysis date:
2021-06-22 17:22:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1dba380d-cd35-4038-b6b4-376ab34e8ebd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167654/
Detection(s):
Win.Malware.Fhrt-9863084-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0af00dfc-437c-455d-9614-b3b1e3eb6d65
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/806164
Signature
Creates a thread in another existing process (thread injection)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9eaf84474a458ff7b9847687ed30ab6533a54c5ae028a2ec14885884440975f7/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 17:22:11 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t2xyir2kiwh7pomeo2d62mflmuz2ktc24aukf3aurbmiirajox3q._file
Verdict:
malicious
Similar samples:
0d182038f62a038b380a4d3c3769d5eb389b08b194b7dce13606252e7e1aff1c
BitRAT
321e7fea6ceb5255c592162c7781c524b7569c3f1244274a247f5f0c97702c49
BitRAT
5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0
BitRAT
6eee5d1c67a8e34e6d03d64fca1195bf26ceac2a68f454cc37e743ace0483a9f
BitRAT
7666f3d19250bc9b6d75e1b081407ea6a71c81f22a2c027d85b6445a65a0f247
BitRAT
9ef305091f40e275d536c509669d30ca345e09cf887bb77ba01099e7f6de3ec5
BitRAT
a9b0173e087fa0c22544734ea476afba2ac75d32b22d88abcfea206517dded8e
BitRAT
aa9570887695577e03ee3b6dc119e2776ad158e0b9654505cd59d9ed86b61cb0
BitRAT
b3d6d97ed4c74d16ab89046ee019d874b8cc1a8ca257e132b3d2cbd146a48545
BitRAT
ebe3a8a66db805806dd55d6b4dca64e24d9f7dd6d7dae730c514c5c4e58caa39
BitRAT
+ 473 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan upx
Link:
https://tria.ge/reports/210622-3er9x5md3a/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
UPX packed file
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
a962b300b10f701e3a3c8b4691a11161dd919a542e3ee79b890bfef413c15aa8
MD5 hash:
78c33a69fd2a9e77abcd07eed8b13cf7
SHA1 hash:
dc698bff43357d0e1b5e9c8ccfdf28e2a190aa02
Link:
https://www.unpac.me/results/3edf7c28-a1f5-4024-baf3-626a86007316/
SH256 hash:
9eaf84474a458ff7b9847687ed30ab6533a54c5ae028a2ec14885884440975f7
MD5 hash:
a57293f2f2f9632646efd3b9386944aa
SHA1 hash:
e1dd6f6ce6f458526eba7a732bca41fb3099ee27
Link:
https://www.unpac.me/results/3edf7c28-a1f5-4024-baf3-626a86007316/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/9eaf84474a458ff7b9847687ed30ab6533a54c5ae028a2ec14885884440975f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167654/

Comments