MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ffa16b91dc10936865d1d9849940c9d27276fd6acd6ab947d31e7f80322eea2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BitRAT


Vendor detections: 9



SHA256 hash: 9ffa16b91dc10936865d1d9849940c9d27276fd6acd6ab947d31e7f80322eea2
SHA3-384 hash: 0fa2e5404aba6b218a4773502802ae42d69630d39118fe8ddf084e650dc933ed0cd6fd16cc2ff3a941c4217951139b32
SHA1 hash: fb8e3a2c73b96e5d7fa1f7a8c40b18fd61d4e9a9
MD5 hash: cfae6ddf82347d7f7b8b2ec75aeb4307
humanhash: cold-batman-yankee-emma
File name: cfae6ddf82347d7f7b8b2ec75aeb4307.exe
Signature: BitRAT
File size: 4'586'496 bytes
First seen: 2021-01-08 08:06:28 UTC
Last seen: 2021-01-08 10:43:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 98304:31btsywPNfx7bxMFTy4+feD1Fx0XNQBB5P/12y70zekSoF+B27CtxJOY:31btsdVfJbSFTF/DF0XNQL5Pt372SoF2
Threatray: 77 similar samples on MalwareBazaar
TLSH: 6C26335AB2A4DB7ADA7C67F8112878000376740A1A79E36FCDD734FE2976B814B90D07
Reporter: abuse_ch
Tags: BitRAT exe RAT


abuse_ch
BitRAT C2:
92.185.183.6:14444

Intelligence


File Origin
# of uploads: 3
# of downloads: 169
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: cfae6ddf82347d7f7b8b2ec75aeb4307.exe
Verdict: Malicious activity
Analysis date: 2021-01-08 08:07:58 UTC
Tags: trojan bitrat rat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a window
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: BitRAT BlackNET LimeRAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses netstat to query active network connections and open ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected BitRAT
Yara detected BlackNET
Yara detected LimeRAT
Behaviour
Behavior Graph (rendered graph flattened into text; node numbers are the graph's own IDs):
Behavior Graph ID: 337322
Sample: 0IO1Or2045.exe
Startdate: 08/01/2021
Architecture: WINDOWS
Score: 100

Top level (node 2)
  Network: v13cracker.ddns.net; avatars3.githubusercontent.com; 5 other IPs or domains
  Signatures: Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; Yara detected BitRAT; 11 other signatures
  Started: 0IO1Or2045.exe (node 10); svchost.exe (node 15); svchost.exe (node 17); 8 other processes (node 19)

0IO1Or2045.exe (node 10)
  Network: cdn.discordapp.com 162.159.129.233, 443, 49728 CLOUDFLARENETUS United States; 192.168.2.1 unknown unknown
  Dropped: C:\Users\user\AppData\Roaming\hXFOBYsgg.exe, PE32; C:\Users\user\AppData\Local\...\srchost.exe, PE32; C:\Users\user\AppData\Local\...\tmpE35E.tmp, XML; C:\Users\user\AppData\...\0IO1Or2045.exe.log, ASCII
  Signatures: Detected unpacking (creates a PE file in dynamic memory); Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes; Contains functionality to hide a thread from the debugger
  Started: srchost.exe (node 21); 0IO1Or2045.exe (node 26); schtasks.exe (node 28); 0IO1Or2045.exe (node 30)

svchost.exe (node 15)
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  Started: MpCmdRun.exe (node 32)

svchost.exe (node 17)
  Network: 127.0.0.1 unknown unknown

srchost.exe (node 21)
  Network: 162.159.135.233, 443, 49742 CLOUDFLARENETUS United States; cdn.discordapp.com
  Dropped: C:\Users\user\AppData\Roaming\HVCqFD.exe, PE32; C:\Users\user\AppData\Local\...\netstat.exe, PE32
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  Started: netstat.exe (node 34); srchost.exe (node 39); schtasks.exe (node 41)

0IO1Or2045.exe (node 26)
  Network: v13cracker.ddns.me 92.185.183.6, 14444, 49735, 49736 UNI2-ASES France; v13cracker.ddns.net; 4 other IPs or domains
  Dropped: C:\Users\user\AppData\...\Microsoft[2].exe, PE32; C:\Users\user\AppData\...\Microsoft[1].exe, PE32; C:\Users\user\AppData\Local\...\oYfGv4jR.exe, MS-DOS; 5 other files (3 malicious)
  Signatures: Sample uses process hollowing technique; Hides threads from debuggers
  Started: 0IO1Or2045.exe (node 43)

schtasks.exe (node 28)
  Started: conhost.exe (node 45)

MpCmdRun.exe (node 32)
  Started: conhost.exe (node 47)

netstat.exe (node 34)
  Network: cdn.discordapp.com
  Dropped: C:\Users\user\AppData\...\ozNCROEwPpieT.exe, PE32; C:\Users\user\AppData\Local\...\svchosts.exe, PE32
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  Started: svchosts.exe (node 49); netstat.exe (node 52); schtasks.exe (node 55)

srchost.exe (node 39)
  Network: 185.58.92.18 BA-TELEMACH-ASTelemachdooSarajevoBA Bosnia and Herzegowina
  Signatures: Hides threads from debuggers

schtasks.exe (node 41)
  Started: conhost.exe (node 57)

0IO1Or2045.exe (node 43)
  Dropped: C:\Users\user\AppData\...\TvyZAIKojeO.exe, PE32; C:\Users\...\TvyZAIKojeO.exe:Zone.Identifier, ASCII
  Signatures: Injects a PE file into a foreign processes

svchosts.exe (node 49)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  Started: svchosts.exe (node 59)

netstat.exe (node 52)
  Network: 88.198.24.185 HETZNER-ASDE Germany; pastebin.com 104.23.98.190 CLOUDFLARENETUS United States
  Signatures: Protects its processes via BreakOnTermination flag

schtasks.exe (node 55)
  Started: conhost.exe (node 61)
Threat name: Win32.Packed.Generic
Status: Suspicious
First seen: 2021-01-08 08:07:23 UTC
AV detection: 8 of 46 (17.39%)
Threat level: 1/5
Result
Malware family: n/a
Score: 8/10
Tags: spyware upx
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Unpacked files
SHA256 hash: 9ffa16b91dc10936865d1d9849940c9d27276fd6acd6ab947d31e7f80322eea2
MD5 hash: cfae6ddf82347d7f7b8b2ec75aeb4307
SHA1 hash: fb8e3a2c73b96e5d7fa1f7a8c40b18fd61d4e9a9

SHA256 hash: 64a419709ad219ffc006bda776b650da486d55048d2fa34525f40227da0e5c86
MD5 hash: 88c0ec8398978fa2e4240f02765086ad
SHA1 hash: 5a5c4935b2d70e890c89ad9332365f4f4aa86f3c

SHA256 hash: 0a4f76bddf1bada1045725bfa36a1ff913945570eb8b458194029faf4c60d25f
MD5 hash: 4af60b13c6468d260b5b7c63ddad91f8
SHA1 hash: 91a7247c00b66c0a422d3bef086578c95a1c710a

SHA256 hash: 59607fc26d61de152441789975b59b28e6fe4952233e04dbdd0436bfb3f7f269
MD5 hash: fb0888837e1ab1c543de68dc901db4e0
SHA1 hash: d173f60bd1fa11fcb5dcb0bec264f4b2b70e7b88
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:suspicious_packer_section
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: BitRAT
File type: Executable exe
SHA256 hash: 9ffa16b91dc10936865d1d9849940c9d27276fd6acd6ab947d31e7f80322eea2 (this sample)

Delivery method: Distributed via web download

Comments