MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a92eb964d56ff8dccb926598aca597a6244d10334f264aafcba9752a30dbe9b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT
Vendor detections: 9

SHA256 hash: a92eb964d56ff8dccb926598aca597a6244d10334f264aafcba9752a30dbe9b3
SHA3-384 hash: 9740228dc79077643ad73e33d9b408e4514e925f9bda7c98cf4b569210f33223e4b5dd457d3a54a386006eda3e6eea71
SHA1 hash: 5420b910b3230a670a79a6193fc76a7864a51967
MD5 hash: b8f76d9cd83557379f3fe8b5dd080f9a
humanhash: shade-nineteen-single-mirror
File name: b8f76d9cd83557379f3fe8b5dd080f9a.exe
Signature: BitRAT
File size: 280'576 bytes
First seen: 2021-08-28 21:05:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4dcb3c3a3fe5e134dd41266130cc79d2 (6 x RaccoonStealer, 4 x RedLineStealer, 3 x Tofsee)
ssdeep: 6144:4+684/smLIj3cTEmfkBxyueYSasa62jcNSDCa76gPp6o6RnQC9Tt:E8GsmoM4l5g52jASDXd6pnP5
Threatray: 3'740 similar samples on MalwareBazaar
TLSH: T169547C30AA91C034E1B712F855B683BCB93A7AB16B3590CF52E11AEE56346E5EC30747
dhash icon: ead8ac9cc6e68ea0 (38 x RaccoonStealer, 18 x RedLineStealer, 12 x Smoke Loader)
Reporter: abuse_ch
Tags: BitRAT exe RAT


abuse_ch
BitRAT C2:
http://84.246.85.16/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox Reference
http://84.246.85.16/  https://threatfox.abuse.ch/ioc/201706/
37.0.10.63:6236       https://threatfox.abuse.ch/ioc/201740/

Intelligence


File Origin
# of uploads: 1
# of downloads: 208
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b8f76d9cd83557379f3fe8b5dd080f9a.exe
Verdict: Suspicious activity
Analysis date: 2021-08-28 21:12:26 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Moving a file to the Windows subdirectory
Sending a custom TCP request
Launching a process
Creating a service
Launching the default Windows debugger (dwwin.exe)
Launching a service
Deleting a recently created file
Launching the process to change the firewall settings
Creating a file
Connection attempt to an infection source
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Enabling autorun for a service
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending a TCP request to an infection source
Deleting of the original file
Enabling autorun by creating a file
Unauthorized injection to a system process
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: AsyncRAT Raccoon RedLine SmokeLoader Sto
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses known network protocols on non-standard ports
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected StormKitty Stealer
Behaviour
Behavior Graph (ID 473293; sample 2wETbdUIFc.exe; start date 28/08/2021; architecture WINDOWS; score 100). The graph image is not reproduced here; its node contents, recovered from the page text, are:

Start node:
  DNS/IP: readinglistforaugust7.xyz; geoiptool.com; 8 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Antivirus detection for dropped file; 19 other signatures
  geoiptool.com: May check the online IP address of the machine
  Started: 2wETbdUIFc.exe; ddevfit
2wETbdUIFc.exe: Detected unpacking (changes PE section rights); Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes; starts a second 2wETbdUIFc.exe
ddevfit: Machine Learning detection for dropped file; starts a second ddevfit
2wETbdUIFc.exe (second instance): Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); injects into explorer.exe
ddevfit (second instance): Creates a thread in another existing process (thread injection)
explorer.exe (injected):
  Network: 185.49.70.90 (ports 2080, 49706; LEASEWEB-DE-FRA-10DE, United Kingdom); readinglistforaugust2.xyz 95.213.224.6 (ports 49704, 80; SELECTELRU, Russian Federation); 9 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\ddevfit (PE32); C:\Users\user\AppData\Local\Temp\96D5.exe (PE32); C:\Users\user\AppData\Local\Temp\8D7E.exe (PE32); 8 other malicious files
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Performs DNS queries to domains with low reputation; 2 other signatures
  Started: 60BE.exe; 7698.exe; 96D5.exe; 6 other processes
60BE.exe: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); Tries to detect sandboxes / dynamic malware analysis system (registry check); starts conhost.exe
7698.exe: Tries to detect sandboxes and other dynamic analysis tools (window names); Machine Learning detection for dropped file; Hides threads from debuggers; starts conhost.exe
96D5.exe: Dropped C:\Users\user\AppData\...\PryntVirus.exe (PE32); C:\Users\user\AppData\Local\...\Fineeest_.exe (PE32); C:\Users\user\AppData\Local\...\1000 hq.exe (PE32); Antivirus detection for dropped file
6 other processes:
  Network: telete.in 195.201.225.248 (ports 443, 49747; HETZNER-ASDE, Germany); 84.246.85.16 (ports 49757, 80; DFNVereinzurFoerderungeinesDeutschenForschungsnetzese, unknown); 2 other IPs or domains
  Dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32); C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32)
  Signatures: Contains functionality to steal Internet Explorer form passwords; Sample uses process hollowing technique; Injects a PE file into a foreign processes
  Started: WerFault.exe; conhost.exe; 458F.exe; 7 other processes
Threat name: Win32.Trojan.Fragtor
Status: Malicious
First seen: 2021-08-23 22:46:36 UTC
AV detection: 29 of 38 (76.32%)
Threat level: 5/5

Result
Malware family: stormkitty
Score: 10/10
Tags: family:asyncrat family:buran family:raccoon family:redline family:smokeloader family:stormkitty botnet:1000 botnet:20d9c80657d1d0fda9625cbd629ba419b8a34404 botnet:nn botnet:sergey botnet:superstar75737 botnet:word1 backdoor discovery evasion infostealer persistence ransomware rat spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Interacts with shadow copies
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Uses the VBS compiler for execution
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Async RAT payload
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
StormKitty
StormKitty Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
AsyncRat
Buran
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
51.254.68.139:15009
95.181.152.190:33007
94.26.249.88:1902
135.181.49.56:47634
94.103.9.138:80
Unpacked files
SHA256 hash: 0a9a7acf77fe4f890fe2acf761fa7f369418bb1f733504acd0792f589ccc7b15
MD5 hash: ad94a86355be2ad9348b88e8972e8320
SHA1 hash: 8c7ff71739a5194efc5c7bee9c37ad92a9e72646

SHA256 hash: a92eb964d56ff8dccb926598aca597a6244d10334f264aafcba9752a30dbe9b3
MD5 hash: b8f76d9cd83557379f3fe8b5dd080f9a
SHA1 hash: 5420b910b3230a670a79a6193fc76a7864a51967
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments