MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a99a40d67018df27d1c4a0aad6b77a5985ab161480459060d5485976e70aae85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BitRAT


Vendor detections: 9



SHA256 hash: a99a40d67018df27d1c4a0aad6b77a5985ab161480459060d5485976e70aae85
SHA3-384 hash: 62f69fca6871698b110b941f833f5c745e1fa005ec1e59edd53c688e3b57872cf589df5a0a1b6d3807bffa4605cc7d34
SHA1 hash: c56086a017b7156ecbe2d7d1edc0defe74378bb5
MD5 hash: 279b01ec826eec272cdf1bc78cc78141
humanhash: double-high-bluebird-lactose
File name: Pedido de pedido Novo projeto maio 2021PDF.sc.exe
Signature: BitRAT
File size: 930'968 bytes
First seen: 2021-05-06 14:40:57 UTC
Last seen: 2021-05-06 16:02:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a4e462a199bd933bfcc2e6a6ed1e5792 (2 x Formbook, 1 x BitRAT)
ssdeep: 12288:X85p/Fufy1iu51lf2ChJrScwHWZe7EimMU8/r3V2JKOdKU/Oy/2U:X8rdbV1J2qV4pEaLqKOdKUD/2
Threatray: 206 similar samples on MalwareBazaar
TLSH: 41159D21F2D10476D1AF1E38AC3BB7754D32BE121AE4518667F87D188F39BA03D3A295
Reporter: abuse_ch
Tags: BitRAT exe RAT


abuse_ch
BitRAT C2:
152.89.160.131:8973

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 152.89.160.131:8973
ThreatFox reference: https://threatfox.abuse.ch/ioc/30408/

Intelligence


File Origin
# of uploads: 3
# of downloads: 130
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: BitRAT Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 84 / 100
Signature
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 406025; sample: Pedido de pedido Novo projeto maio 2021PDF.sc.exe; start date: 06/05/2021; architecture: WINDOWS; score: 84), condensed from the flattened graph:
Sample-level: resolves storage.nsupdate.info; Yara detected BitRAT; Yara detected Xmrig cryptocurrency miner; Machine Learning detection for sample; starts Pedido de pedido Novo projeto maio 2021PDF.sc.exe and two instances of Suqulu.exe
Pedido de pedido Novo projeto maio 2021PDF.sc.exe: contacts onedrive.live.com, jl8jlq.dm.files.1drv.com and dm-files.fe.1drv.com; drops C:\Users\Public\Suqulu\Suqulu.exe (PE32); writes to foreign memory regions; creates a thread in another existing process (thread injection); injects a PE file into a foreign process; starts ieinstal.exe
Suqulu.exe: contacts onedrive.live.com and 2 other IPs or domains; Machine Learning detection for dropped file; starts logagent.exe, MpCmdRun.exe (which starts conhost.exe) and secinit.exe
ieinstal.exe: contacts storage.nsupdate.info (152.89.160.131, ports 49731, 49733, 49737; M247GB, Romania) and 192.168.2.1; drops C:\Users\user\AppData\Local:06-05-2021 (ASCII); creates files in alternative data streams (ADS); hides threads from debuggers
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2021-05-06 14:41:08 UTC
AV detection: 17 of 29 (58.62%)
Threat level: 5/5
Result
Malware family: modiloader
Score: 10/10
Tags: family:bitrat family:modiloader persistence trojan upx
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
UPX packed file
BitRAT
BitRAT Payload
ModiLoader, DBatLoader
Unpacked files
SHA256 hash: 2eba4a140bee07f1efd9304c419767b789d97693da0141309254c42bf6648776
MD5 hash: a057009f037d5e0ee55024fab2709922
SHA1 hash: 9aec50e631aac3028271f0c323132444c85a6339

SHA256 hash: 8f63001a412f92b1e28e17cf0ca84b5d4fa126a661cdae11c5221b7344c26999
MD5 hash: 77fbc4c0b74cf1b87fa3804f3c4c0ff1
SHA1 hash: 721f7b2c9db79c8a34b8ad43f103b22df632d2dc

SHA256 hash: a99a40d67018df27d1c4a0aad6b77a5985ab161480459060d5485976e70aae85
MD5 hash: 279b01ec826eec272cdf1bc78cc78141
SHA1 hash: c56086a017b7156ecbe2d7d1edc0defe74378bb5

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

Rule name: MALWARE_Win_DLAgent07
Author: ditekSHen
Description: Detects delf downloader agent

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



accidentalrebel commented on 2021-05-06 15:03:21 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
2) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
3) [F0002.002] Collection::Polling
5) [C0021] Cryptography Micro-objective::Generate Pseudo-random Sequence
6) [C0026.002] Data Micro-objective::XOR::Encode Data
8) [C0051] File System Micro-objective::Read File
9) [C0052] File System Micro-objective::Writes File
10) [C0007] Memory Micro-objective::Allocate Memory
11) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
12) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
13) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
14) [C0038] Process Micro-objective::Create Thread
15) [C0041] Process Micro-objective::Set Thread Local Storage Value
16) [C0018] Process Micro-objective::Terminate Process