MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a13a0192437981f6d2c3fc19dfa0f0d4ce4ab2be96ffbccfec87c29bc2f200c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 7

SHA256 hash: a13a0192437981f6d2c3fc19dfa0f0d4ce4ab2be96ffbccfec87c29bc2f200c7
SHA3-384 hash: a7e5b416898ce26d26ec7cceef59d59d1162e713a1c0b388e585a90ced5efe976a1941ca81c394f98d8d542ed3ad8b72
SHA1 hash: 52f1e20a91e73a1a12654321464e294dc957b801
MD5 hash: 095aa6b7f53f1ede045809fb62cfdc79
humanhash: finch-pip-montana-sierra
File name: 095AA6B7F53F1EDE045809FB62CFDC79.exe
Signature: BitRAT
File size: 10'872'924 bytes
First seen: 2021-07-08 23:21:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep: 196608:Uts0XFN3CWhD+8pWLcIIoZx2UEPNRjVVZ+wiuZ3jvGugkGjuNcfhpCRNxGfAod7K:Jmf3phvUZvEPNRVHrpZ3Nf+hpCRNxGfU
Threatray: 4 similar samples on MalwareBazaar
TLSH: T1E7B633362DDAAB77E5121636242BD673B858BA040D2824EFFFED56F018731C524391AB
Reporter: abuse_ch
Tags: BitRAT exe RAT


abuse_ch
BitRAT C2:
179.43.175.71:4444

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 | ThreatFox Reference
179.43.175.71:4444  | https://threatfox.abuse.ch/ioc/158745/

Intelligence


File Origin
# of uploads: 1
# of downloads: 157
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 095AA6B7F53F1EDE045809FB62CFDC79.exe
Verdict: No threats detected
Analysis date: 2021-07-08 23:24:28 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature:
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Yara detected BitRAT
Behaviour
Behavior Graph ID: 446211
Sample: zMb2EmbK6P.exe
Startdate: 09/07/2021
Architecture: WINDOWS
Score: 88

Top-level signatures:
  Multi AV Scanner detection for submitted file
  Yara detected BitRAT
  Machine Learning detection for sample
  PE file has a writeable .text section

Process tree (recovered from the behavior graph; elided paths are kept as shown on the page):
zMb2EmbK6P.exe (started)
  dropped: C:\...\Adobe.Photoshop.2021.PreActivation.exe (PE32)
  dropped: C:\Users\...\adobe.snr.patch.v2.0-painter.exe (MS-DOS)
  dropped: C:\Users\user\AppData\Roaming\Setup1.exe (PE32)
  Setup1.exe (started)
    dropped: C:\Users\user\AppData\...\sendgridmng.exe (PE32)
    dropped: C:\Users\user\AppData\...\ssleay32.dll (PE32)
    dropped: C:\Users\user\AppData\...\pthreadGC2.dll (PE32)
    dropped: 17 other files (none is malicious)
    sendgridmng.exe (started)
      network: 179.43.175.71, 4444, 49738, 49739 (PLI-ASCH, Panama)
      signature: Hides threads from debuggers
  Adobe.Photoshop.2021.PreActivation.exe (started)
    signature: Multi AV Scanner detection for dropped file
    cmd.exe (started)
      signature: Adds a directory exclusion to Windows Defender
      powershell.exe (started)
      cacls.exe (started)
    conhost.exe (started)
  adobe.snr.patch.v2.0-painter.exe (started)
    network: 192.168.2.1 (unknown, unknown)
    dropped: C:\Users\user\AppData\...\vgm_player.dll (PE32)
    signature: Detected unpacking (changes PE section rights)
Threat name: Win32.Dropper.Dapato
Status: Malicious
First seen: 2021-07-05 13:26:45 UTC
AV detection: 14 of 29 (48.28%)
Threat level: 3/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: c5f76741a5b02c7373a05c13f44b47af60d130f2b2d1a510e7df270bd2e4d62a
MD5 hash: 47361f2e1ce562953c36c1e3e4509c06
SHA1 hash: 84031b61e761160040c0f02fcdbf5149afa4ce1c

SHA256 hash: 5e01011fcad10905b3d8a9e4da5c59ddf8a40b59a510b966e3707a87bc875dea
MD5 hash: 1eae28b71c54ca653c1760ae2a7ffa8e
SHA1 hash: a8389666f5af953af736fc358a3400aed462b333

SHA256 hash: e9a2728ad48da9ebb3ff605892487e5a9c8eb01f0eae8bd0c6950554fda9de95
MD5 hash: 0318db40b08ed98e163098322f648866
SHA1 hash: 5e582e84a4c56dee5b74dd5a8e1d5346a8d8366f

SHA256 hash: e5f83bbc01bbc1173ce4359636fc9efd1042b8510ffed99e34c1e61a7910b32e
MD5 hash: 232d6d42995b8151a864a726dc1490c8
SHA1 hash: 258a890e5a439b972ed5b5001beaa1e055814aa3

SHA256 hash: fc049a7e980aceb6b5fa4c17f9d3be85f20e59d7ed5651e1ee813a665370bf28
MD5 hash: 58d9c054c06ef231a8bbde3dfc38b364
SHA1 hash: a22c1f3caccbbd447cdbd3a0a6606c933ca20160

SHA256 hash: a13a0192437981f6d2c3fc19dfa0f0d4ce4ab2be96ffbccfec87c29bc2f200c7
MD5 hash: 095aa6b7f53f1ede045809fb62cfdc79
SHA1 hash: 52f1e20a91e73a1a12654321464e294dc957b801
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX

Rule name: bitrat_3_mem
Author: James_inthe_box
Description: BitRAT
Reference: 7b03ad29559118bb36b1400b4865f82a90fd389031ccebd228836cfd09d63e9b

Rule name: INDICATOR_EXE_Packed_MPress
Author: ditekSHen
Description: Detects executables built or packed with MPress PE compressor

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time

Rule name: MALWARE_Win_BitRAT
Author: ditekSHen
Description: Detects BitRAT RAT

Rule name: pcshare_mem
Author: James_inthe_box
Description: PCShare Backdoor
Reference: https://blogs.blackberry.com/en/2019/09/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.
