MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a89639671659b81c5fcbdd2760590d6150fb4b1cd35ad0ac24ff6cdcf59bb079. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a89639671659b81c5fcbdd2760590d6150fb4b1cd35ad0ac24ff6cdcf59bb079
SHA3-384 hash: c19ad89f4c53876c3ac9698b1802cd71e28017363436f57b94d15fd5a10484b15a20406a58300cdda22a6862d0d44b20
SHA1 hash: f17eb890b7563e30de2940c02c333628f4a862d6
MD5 hash: 008fa3f529f9182ff7ee2d7801dc4e7e
humanhash: minnesota-eight-arkansas-social
File name:Payment Confirmation wrt0412894526254 -copy- .exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'267'304 bytes
First seen:2021-04-12 15:10:19 UTC
Last seen:2021-04-12 16:42:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 49152:xWHthbBGRPpaif65XFH6hLufnSAq58PUYY0VFZM:xWNhbBGRP0SYFHILq5q0PG
Threatray 10 similar samples on MalwareBazaar
TLSH D6A53356A811C206C2863D78FE6FB2F057F1FF57F49A119F4052BEE138B2A0686D16C2
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
46.105.77.230:5200

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
46.105.77.230:5200 https://threatfox.abuse.ch/ioc/7817/

Intelligence

File Origin
# of uploads :
3
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Confirmation wrt0412894526254 -copy- .exe
Verdict:
Malicious activity
Analysis date:
2021-04-12 15:13:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4ce5c38d-8f49-4202-9b0d-e930080c38a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133793/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.30110.24905.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/673221
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected BitRAT
Yara detected Costura Assembly Loader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 385563 Sample: Payment Confirmation wrt041... Startdate: 12/04/2021 Architecture: WINDOWS Score: 100 38 purespotless04092021.awsmppl.com 2->38 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected BitRAT 2->44 46 Yara detected Xmrig cryptocurrency miner 2->46 48 8 other signatures 2->48 8 Payment Confirmation wrt0412894526254 -copy- .exe 1 7 2->8         started        12 images.exe 2 2->12         started        14 images.exe 2 2->14         started        signatures3 process4 file5 26 C:\Users\user\AppData\Roaming\...\images.exe, PE32 8->26 dropped 28 Payment Confirmati...4526254 -copy- .exe, PE32 8->28 dropped 30 C:\Users\user\...\images.exe:Zone.Identifier, ASCII 8->30 dropped 32 2 other malicious files 8->32 dropped 50 Writes to foreign memory regions 8->50 52 Allocates memory in foreign processes 8->52 54 Adds a directory exclusion to Windows Defender 8->54 56 Injects a PE file into a foreign processes 8->56 16 Payment Confirmation wrt0412894526254 -copy- .exe 1 8->16         started        20 powershell.exe 25 8->20         started        22 Payment Confirmation wrt0412894526254 -copy- .exe 8->22         started        signatures6 process7 dnsIp8 34 purespotless04092021.awsmppl.com 46.105.77.230, 5200 OVHFR France 16->34 36 192.168.2.1 unknown unknown 16->36 40 Hides threads from debuggers 16->40 24 conhost.exe 20->24         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a89639671659b81c5fcbdd2760590d6150fb4b1cd35ad0ac24ff6cdcf59bb079/
Threat name:
ByteCode-MSIL.Trojan.Vimditator
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 15:10:40 UTC
AV detection:
3 of 48 (6.25%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vcldszywlg4byx6l3utwawinmfipwsy42nnnblbe75wnz5m3wb4q._file
Verdict:
malicious
Similar samples:
002ec09931d23f0e66d86eda11ce72113d3e29a1cd0bd296b83ee567981610d8
BitRAT
0998d46172fe00c092cfcaa5326aa5354cda095e2dce37ac16b437cc147b6298
BitRAT
228d3b8dea2bd47cf98d69b89b5acdfa3a1425e201217882edc93de72fe0e37e
BitRAT
244a1abc92912383268d141128a0eafcdf2b4b2a57b9e0490169b8f233c9671a
BitRAT
3d13bbe7750e38414ba19fd51fe8a253d791edb6a923af31fe5d56ae17af0eec
BitRAT
9254faf90ebf9e32ea3f024c10a212c03d7c2bef3169bd0710b3e45e7d18e03f
BitRAT
a49e379153901b3cab3c699af90979848ec51fdd2d07790606b3ed2bedb74297
BitRAT
a717b5d3af3173ce9958a23f95269e2d8ccd8979445626342c32b398d4f08f8a
BitRAT
af65c9bd3daedaa3d1560018858eeb0919159baf90d59b55c3363a6fffef9d92
BitRAT
ca146513d9ec6ec60b81b20fd9aa2f262c54d447e8361417c3c4b7678e51e6a5
BitRAT
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan
Link:
https://tria.ge/reports/210412-31va2sntfn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
a9683c3db7843d65a50a045ba1ce7375b379521c8e5c9787c27d6505d1385ead
MD5 hash:
5429587fd4cfeb5b3a48201912d8fbfa
SHA1 hash:
9112103527efc80e80d322a6747e1c05bb8631f9
Link:
https://www.unpac.me/results/d305c3b7-456c-497f-af58-1436b87814fe/
SH256 hash:
58e17d21651c9682649f68acf84e438b56ca30efb4b1b412d083aa3336b52f4e
MD5 hash:
59aa53532aaf8c588635a71b94a98a6b
SHA1 hash:
4c152a8fc8bfe2734667c373e95327c1b819119f
Link:
https://www.unpac.me/results/d305c3b7-456c-497f-af58-1436b87814fe/
SH256 hash:
e88d0d6780b4b64c49a1f56424dd2f875a57b52b6ce0ac5c12c5c7f2bf6a7552
MD5 hash:
bb3ce3b624ae7f69fd38d7214d8853ba
SHA1 hash:
30754e3e8937a9fd9dcf472f601e34c1a20ee01e
Link:
https://www.unpac.me/results/d305c3b7-456c-497f-af58-1436b87814fe/
SH256 hash:
a89639671659b81c5fcbdd2760590d6150fb4b1cd35ad0ac24ff6cdcf59bb079
MD5 hash:
008fa3f529f9182ff7ee2d7801dc4e7e
SHA1 hash:
f17eb890b7563e30de2940c02c333628f4a862d6
Link:
https://www.unpac.me/results/d305c3b7-456c-497f-af58-1436b87814fe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a89639671659b81c5fcbdd2760590d6150fb4b1cd35ad0ac24ff6cdcf59bb079

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/133793/

Comments