MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa79d46aa459af0d46da380af6481f51369da4c4080a009028e83857dcd844f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa79d46aa459af0d46da380af6481f51369da4c4080a009028e83857dcd844f2
SHA3-384 hash: a1b7068dba324ef600f3114616662b4c57f5bcd50b5133da9d8808959273f5ad3dfe4e69901578123187db1b6affaca8
SHA1 hash: c460ce1a3fd7c3c5af78ab01a18bc62bcf3a8c8b
MD5 hash: 21434ba1af9e80e0bb9d4e49e643d269
humanhash: delta-hot-happy-butter
File name:AmazonSetup.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'918'225 bytes
First seen:2021-02-15 06:53:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 49152:AS4o6fCn0IO2N7Sb/h0vQV2vMHZYd6GZC+8qBBVRlEt73LfsL6kVOSo3dAf2doBn:AG0aw/8HWZY/A+8qvfli7fsLHgSw7G5P
Threatray 309 similar samples on MalwareBazaar
TLSH A4D53382538F95BBDD16D3F0881FEB6F69B6EC4A4D0120CB13E47F750AB46578A03692
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
Malspam distributing BitRAT:

HELO: kaveri.ewebguru.net
Sending IP: 103.117.180.5
From: no-reply@amazon.com
Reply-To: no-reply@amazon.com
Subject: Update Accounts
Attachment: AmazonSetup.zip (contains "AmazonSetup.exe")

BitRAT C2:
curtisusa.hopto.org:5215

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117119/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
DNS request
Creating a file
Sending a custom TCP request
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/607779
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 352921 Sample: AmazonSetup.exe Startdate: 15/02/2021 Architecture: WINDOWS Score: 100 65 Antivirus / Scanner detection for submitted sample 2->65 67 Sigma detected: Scheduled temp file as task from temp location 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 4 other signatures 2->71 8 AmazonSetup.exe 10 2->8         started        process3 file4 33 C:\Users\user\AppData\...\LIXVoWXPPCyc5Jy.exe, PE32 8->33 dropped 35 C:\Users\user\...\AmazonGamesSetup.exe, PE32 8->35 dropped 11 AmazonGamesSetup.exe 30 506 8->11         started        15 LIXVoWXPPCyc5Jy.exe 8 8->15         started        process5 dnsIp6 59 8.8.8.8 GOOGLEUS United States 11->59 61 143.204.15.196 AMAZON-02US United States 11->61 63 7 other IPs or domains 11->63 37 C:\Users\user\...\Amazon Game Remover.exe, PE32 11->37 dropped 39 C:\Users\user\...\Uninstall Amazon Games.exe, PE32 11->39 dropped 41 C:\Users\user\AppData\...\Amazon Games.exe, PE32 11->41 dropped 47 486 other files (none is malicious) 11->47 dropped 18 Amazon Games.exe 10 11->18         started        43 C:\Users\user\AppData\Local\...\tmpB775.tmp, XML 15->43 dropped 45 C:\Users\user\AppData\...\AGbGTkAzcl.exe, PE32 15->45 dropped 75 Writes to foreign memory regions 15->75 77 Allocates memory in foreign processes 15->77 79 Injects a PE file into a foreign processes 15->79 81 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 15->81 21 MSBuild.exe 15->21         started        24 schtasks.exe 15->24         started        file7 signatures8 process9 dnsIp10 49 143.204.15.221 AMAZON-02US United States 18->49 51 176.32.98.79 AMAZON-02US Ireland 18->51 26 Amazon Games Services.exe 19 7 18->26         started        29 Amazon Games UI.exe 18->29         started        53 45.145.185.40 DEDIPATH-LLCUS Netherlands 21->53 73 Hides threads from debuggers 21->73 31 conhost.exe 24->31         started        signatures11 process12 dnsIp13 55 13.226.163.199 AMAZON-02US United States 26->55 57 192.168.2.1 unknown unknown 26->57
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa79d46aa459af0d46da380af6481f51369da4c4080a009028e83857dcd844f2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-15 06:53:09 UTC
AV detection:
19 of 47 (40.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vj45i2velgxq2rw2hafpmsa7ke3j3jgebafabebi5a4fpxgyitza._file
Verdict:
malicious
Similar samples:
09eeb09143bbbf344c4734827f855275ca47a9e6eea0964158ce00076d12ef86
BitRAT
50e2c6aac34de9ed4e1b3fcfcd5aaa34892696f2681aa5e8c45a5dbe0915a43c
BitRAT
533aa4375a4eac85feb6d0ab962c38a68775ed412d056ed12535605fd5c1f415
BitRAT
6c212901b861bddfecd68559ceecc3a35898d965b4e56aeb67febbfa65dc9d52
BitRAT
6c2a2251861a6d2701814843fadac940cf4d34db9f446f0698352fd866b31739
BitRAT
79e6d1b262a31a2619284f38b059e266d0fa27109c9b1f4fc9100aa6bb619e05
BitRAT
a294e980bb7b7e74981a67379dd4c589803d0d5c17946b3b00ce561791ecfc63
BitRAT
a52ed9486d2ccdf0a9e29fe70ea7df8ddcb8bc06f9329664a310ae32d1308d6f
BitRAT
b895fbf7b60e9534de3a12e5e6c3b5dbe8a5f6149be49e50beae19e0a9006999
BitRAT
db7619d7304cbb9c7ad4bf8c74836f241aecac1fda067f3ffadadf7ee6d44930
BitRAT
+ 299 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat discovery macro persistence trojan upx xlm
Link:
https://tria.ge/reports/210215-v6fdk4fmfx/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Suspicious Office macro
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
2ec41720b412f91f91daaefea38007449491b2c016238aa8f23b6866c89bc788
MD5 hash:
987ce346069cf47535e5ac57265c7228
SHA1 hash:
d0085325ed78fcac6d1f605753237abd1c40db22
Link:
https://www.unpac.me/results/4485731a-37dc-4e9b-99d1-3dea07e032e0/
SH256 hash:
ee91333ee206a2769d81a6d5657a84f94bfd781cad0bdd3f1aacd5b11a03c218
MD5 hash:
f3b922c40ed7e7052924003b3294c649
SHA1 hash:
b0667d3978282356f900a64e67d6e1c6a1d8b4ff
Link:
https://www.unpac.me/results/4485731a-37dc-4e9b-99d1-3dea07e032e0/
SH256 hash:
84fd5270a84503b816c47808a8eb5c6ef6051c5f489a35cc76e151349dd821ce
MD5 hash:
7f8f44f29c03a3c1f97155ad57083823
SHA1 hash:
baf4c43f47a5116c6c11b3b401a4de1a7b81afe9
Link:
https://www.unpac.me/results/4485731a-37dc-4e9b-99d1-3dea07e032e0/
SH256 hash:
aa79d46aa459af0d46da380af6481f51369da4c4080a009028e83857dcd844f2
MD5 hash:
21434ba1af9e80e0bb9d4e49e643d269
SHA1 hash:
c460ce1a3fd7c3c5af78ab01a18bc62bcf3a8c8b
Link:
https://www.unpac.me/results/4485731a-37dc-4e9b-99d1-3dea07e032e0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa79d46aa459af0d46da380af6481f51369da4c4080a009028e83857dcd844f2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

zip 18f501c16c958abd19fafa10b1fb5baac2387a51807eb9229fa1cbe4a663b9b6

BitRAT

Executable exe aa79d46aa459af0d46da380af6481f51369da4c4080a009028e83857dcd844f2

(this sample)

  
Dropped by
MD5 248950cf7a2d01e99e1e815c7dc5b28c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 18f501c16c958abd19fafa10b1fb5baac2387a51807eb9229fa1cbe4a663b9b6
Cape
Cape
https://www.capesandbox.com/analysis/117119/

Comments