MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adace11a1835d8b0b768bbb451dccf8507f5baf0c49925ff103ce1c88f0e1ba3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: adace11a1835d8b0b768bbb451dccf8507f5baf0c49925ff103ce1c88f0e1ba3
SHA3-384 hash: 41304f31dee98e3bc433d019ce1891bf3a6ce981b8eebd7054484102ffdd5bae49f4e55f762c7244e42951f054d4ce4d
SHA1 hash: e476373920aba6e06ef71e4d5b77e5c7161b7398
MD5 hash: ce5df5626f2facc562ea61aad3d5d312
humanhash: salami-blossom-enemy-eighteen
File name:ce5df5626f2facc562ea61aad3d5d312
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'307'704 bytes
First seen:2021-11-14 21:02:25 UTC
Last seen:2021-11-14 22:50:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 49152:96IxAXlCzf7JaTKTXFVf0qQDmtnWbiTtJ4ZV:Lq87JaTKDFVMqQK9WmJ4v
Threatray 562 similar samples on MalwareBazaar
TLSH T117B533A567EA8CA3ECF2973989611501EF2CFC154F86D38D6BE571B9008E0D87CCA356
Reporter zbetcheckin
Tags:32 BitRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205715/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.ADKD.7326.20797.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file
Creating a window
Sending a UDP request
Setting a global event handler
Connection attempt
Sending a custom TCP request
Blocking the User Account Control
Setting a single autorun event
Moving of the original file
Setting a global event handler for the keyboard
Adding exclusions to Windows Defender
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61917988a00afa9663a7998f/reports/63ac6e0e-49c3-4ef6-bc51-58a603d9e96d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff09e517-e8f9-4fa9-8372-77c86f00c4c2
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888992
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide a thread from the debugger
Drops PE files with benign system names
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected BitRAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 521465 Sample: 5bjjbrMq5X Startdate: 14/11/2021 Architecture: WINDOWS Score: 100 66 Multi AV Scanner detection for dropped file 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 Yara detected UAC Bypass using CMSTP 2->70 72 6 other signatures 2->72 7 5bjjbrMq5X.exe 4 7 2->7         started        11 svchost.exe 2->11         started        13 svchost.exe 2->13         started        15 5 other processes 2->15 process3 dnsIp4 54 C:\Users\Public\Documents\...\svchost.exe, PE32 7->54 dropped 56 C:\Users\user\AppData\...\5bjjbrMq5X.exe.log, ASCII 7->56 dropped 58 C:\Users\...\svchost.exe:Zone.Identifier, ASCII 7->58 dropped 78 Moves itself to temp directory 7->78 80 Writes to foreign memory regions 7->80 82 Allocates memory in foreign processes 7->82 92 2 other signatures 7->92 18 mscorsvw.exe 7->18         started        22 powershell.exe 24 7->22         started        24 powershell.exe 24 7->24         started        36 2 other processes 7->36 60 15f8a63260784c6ca5...60a29997.tmp (copy), PE32 11->60 dropped 84 Multi AV Scanner detection for dropped file 11->84 86 Machine Learning detection for dropped file 11->86 88 Adds a directory exclusion to Windows Defender 11->88 26 powershell.exe 11->26         started        28 powershell.exe 11->28         started        30 powershell.exe 11->30         started        32 powershell.exe 11->32         started        34 powershell.exe 13->34         started        64 127.0.0.1 unknown unknown 15->64 90 Changes security center settings (notifications, updates, antivirus, firewall) 15->90 file5 signatures6 process7 dnsIp8 62 195.93.173.31, 49762, 49766, 49768 UKRTELNETUA Ukraine 18->62 74 Hides threads from debuggers 18->74 76 Contains functionality to hide a thread from the debugger 18->76 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 conhost.exe 28->44         started        46 conhost.exe 30->46         started        48 conhost.exe 32->48         started        50 conhost.exe 36->50         started        52 conhost.exe 36->52         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/adace11a1835d8b0b768bbb451dccf8507f5baf0c49925ff103ce1c88f0e1ba3/
Threat name:
ByteCode-MSIL.Trojan.Vimditator
Create hunting rule
Status:
Malicious
First seen:
2021-11-14 21:03:09 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vwwocgqygxmlbn3ixo2fdxgpqud7loxqysmsl7yqhtq4rdyodorq._file
Verdict:
malicious
Similar samples:
00f90cda9f514832ed2e3d6c232ad0677b2bad1550719cf2a02f1988980942ff
BitRAT
4959de8067a62478d5192edb0c7822484ea3f75c643100b4c73b0165eadd8911
BitRAT
4bddc1b65b7a24af3d24bddcd3722811775f3f98a65fbc433c762e1615af28c1
BitRAT
515f555c06db60243a892bbdf57704792956569387482f6a7a001a782bb6bcd1
BitRAT
7fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf
BitRAT
92b0b62b54de5df1078d0172524f4d4f891c947dd16551c97b1e7ec609901150
BitRAT
c5072b4120ac9daa3dc0e000cce9e6d6e3a1ca01fed779e0b43d877a744409cd
BitRAT
e0b87ce9794fd9fa82debb17901f925113ea7d6f467412fef1630e292304eed6
BitRAT
fd0475cbced3d14930beca29f5c5266889d913c5464223015a2d0aec7eeafdb9
BitRAT
+ 552 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat evasion persistence suricata trojan
Link:
https://tria.ge/reports/211114-zv2mpsdgfm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Windows security modification
BitRAT
BitRAT Payload
UAC bypass
Windows security bypass
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Unpacked files
SH256 hash:
fd43b492b6e9990901d234a9497e6f0b44b4bec4a37d3620a895740665803679
MD5 hash:
9043039824d34a79ce01f21f411c9598
SHA1 hash:
fbb65849cdfcfd0bdf4e08ba55b4ff235043cb71
Link:
https://www.unpac.me/results/12c901c3-5673-450c-b398-1cafa930ff33/
SH256 hash:
1d6b2e2e9f03ec336a878857b6e15ae8842109499c8c848777d4ac459d9fd676
MD5 hash:
d611c2d3afd9b912c1b8fc4bb69d11ef
SHA1 hash:
abcfbbc00f71f8108fa5f48c197f3e39c60e0c60
Link:
https://www.unpac.me/results/12c901c3-5673-450c-b398-1cafa930ff33/
SH256 hash:
4324ad4f862aff3abc2d1bf1b8c59a79ace01be48dd050b0ff9a800977f8b39f
MD5 hash:
d473335f81178f5683d729c3b4fc9c43
SHA1 hash:
9d30e92c7fad18207068eae1bb99184776c38faf
Link:
https://www.unpac.me/results/12c901c3-5673-450c-b398-1cafa930ff33/
SH256 hash:
8063623fd33585184e865ac1f8685446c819841d212bc6c848f8dc4a137960be
MD5 hash:
4abff34e351e4e95514aecb515e8aea3
SHA1 hash:
742702e8c78e7cf19f19e56a6cdb2d1811759710
Link:
https://www.unpac.me/results/12c901c3-5673-450c-b398-1cafa930ff33/
SH256 hash:
0ee634065f58efd64acae9ad62957344fb88a78fd2bffa2bfe702bb5cc3f537d
MD5 hash:
c475622da84ec5ef7c1363d9f5fad83d
SHA1 hash:
4553a0cd6f36464b2cf78353d276bf5e03187c4d
Link:
https://www.unpac.me/results/12c901c3-5673-450c-b398-1cafa930ff33/
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/12c901c3-5673-450c-b398-1cafa930ff33/
SH256 hash:
adace11a1835d8b0b768bbb451dccf8507f5baf0c49925ff103ce1c88f0e1ba3
MD5 hash:
ce5df5626f2facc562ea61aad3d5d312
SHA1 hash:
e476373920aba6e06ef71e4d5b77e5c7161b7398
Link:
https://www.unpac.me/results/12c901c3-5673-450c-b398-1cafa930ff33/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/adace11a1835/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe adace11a1835d8b0b768bbb451dccf8507f5baf0c49925ff103ce1c88f0e1ba3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1786549/
Cape
Cape
https://www.capesandbox.com/analysis/205715/
  
URLhaus
https://urlhaus.abuse.ch/url/1786472/

Comments


Avatar
zbet commented on 2021-11-14 21:02:27 UTC

url : hxxps://capraroconsulting.com/2.exe