MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8af3ee68f5904489ab23d6d73741cf67bc8e073f004bdd0822d077a8436d4b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	a8af3ee68f5904489ab23d6d73741cf67bc8e073f004bdd0822d077a8436d4b1
SHA3-384 hash:	84b0e786610353b0b589600a5c29ba69f26c9779599dbb9e25aa7baa1fd2d61d0006d140d15cd73541a3493748450683
SHA1 hash:	77b7831fe66142c3cdcadab1a7bce5dacbbac98f
MD5 hash:	a17b1a0f3f43aec48fea32694ccec235
humanhash:	finch-muppet-river-angel
File name:	SecuriteInfo.com.Trojan.PWS.Siggen2.60651.10494.30192
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	5'728'768 bytes
First seen:	2020-12-11 09:55:21 UTC
Last seen:	2020-12-11 10:35:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	98304:l3hvkF59XowzUwCQWFuw/70Jqjsjp2OLolmK57kaINDK3TJhkcC9Bs2v8nnGz:l3hvkNvUwCQWv0ild57ka2wkcmin
TLSH	1A4633FA224FAF9AF721157EF0E168451EB9ACE39450A01C3FDDB1DA1372BC195024E6
Reporter	SecuriteInfoCom
Tags:	BitRAT

Intelligence

File Origin

# of uploads :

# of downloads :

253

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/107737/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.60651.10494.30192.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/561530

Signature

.NET source code contains potential unpacker

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a8af3ee68f5904489ab23d6d73741cf67bc8e073f004bdd0822d077a8436d4b1/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-01 12:14:09 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201211-tqpd6tplr6/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Unpacked files

SH256 hash:

bf17144d079649dcf2f770f4527ddb27dab66a51a77d5725d5fb358c847fa88a

MD5 hash:

bbcb4489c483ca0ac14336cda6f941b3

SHA1 hash:

3b5bc6b21f5dce2d6c400b7f5793b909ee771d66

Link:

https://www.unpac.me/results/28b8f725-9c8a-495f-8743-eab383fd5c3c/

SH256 hash:

32cf148350b63eaaef2da3f9fce12721c01d88e09a24dd62e02c2f805b650cef

MD5 hash:

ea66e095c723810cf733c5fc4de0ca08

SHA1 hash:

4412450fb93570c2924261d5cc0f3594c0a5e97d

Link:

https://www.unpac.me/results/28b8f725-9c8a-495f-8743-eab383fd5c3c/

SH256 hash:

a8af3ee68f5904489ab23d6d73741cf67bc8e073f004bdd0822d077a8436d4b1

MD5 hash:

a17b1a0f3f43aec48fea32694ccec235

SHA1 hash:

77b7831fe66142c3cdcadab1a7bce5dacbbac98f

Link:

https://www.unpac.me/results/28b8f725-9c8a-495f-8743-eab383fd5c3c/

SH256 hash:

cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e

MD5 hash:

8cd5d2014866f4ef60802ff1826998a6

SHA1 hash:

8ff75946905d0b117080cc5a07e6e0bbea4e9bbd

Link:

https://www.unpac.me/results/28b8f725-9c8a-495f-8743-eab383fd5c3c/

SH256 hash:

cf790ab86fa0ab4537b1c0294fc0b13ee65c6e746bb4fdc540b67e6fef79618a

MD5 hash:

8525c0a8f3873103464a95e7f60050e3

SHA1 hash:

92cdb5a498098775845c83f195fa892879194dc5

Link:

https://www.unpac.me/results/28b8f725-9c8a-495f-8743-eab383fd5c3c/

SH256 hash:

4df1042820906066e208f879f274e5c222f4003e1ddd4aa99526469b305f9f1c

MD5 hash:

0c612c59011315df253798939f1d1cc1

SHA1 hash:

0e4973c719df405659cc05afbdb1a171dc6c76f4

Link:

https://www.unpac.me/results/28b8f725-9c8a-495f-8743-eab383fd5c3c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a8af3ee68f5904489ab23d6d73741cf67bc8e073f004bdd0822d077a8436d4b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MALWARE_Win_BitRAT Create hunting rule
Author:	ditekSHen
Description:	Detects BitRAT RAT

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/