MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae93266da6d1204d789cf03efc2a0e2d7192cd7309d66984340a6ff5b99a7ae8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae93266da6d1204d789cf03efc2a0e2d7192cd7309d66984340a6ff5b99a7ae8
SHA3-384 hash: 9db7a73625f0c45d59f289300d7d205e8dd4aed64cc7e4f8bf77d24fec4d212d3208bb79745db82079f7c6b584291e71
SHA1 hash: 3a08df2b00b5c3ab36e9b0c986de5377efa6fe22
MD5 hash: 3294ee91b924fd1e934bad97689cf4e7
humanhash: juliet-three-kansas-beryllium
File name:DHL_7661232.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:721'368 bytes
First seen:2021-05-27 19:08:02 UTC
Last seen:2021-05-27 20:19:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3e7272567bf6719a2a90dbca5f3a4b3a (1 x Loki, 1 x NetWire, 1 x BitRAT)
ssdeep 12288:wuxGeRhWzrlZe7q6OWA50P3TaD8vVKlWFn+yGMhNyE:wyHWzrsOWxjQfE7yE
Threatray 178 similar samples on MalwareBazaar
TLSH 0DE48D62B2E141B6D2561A3C9C2756659879BE7039345C6637F82C08BF7F3803D2EAD3
Reporter abuse_ch
Tags:BitRAT DHL exe RAT

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
104.208.31.182:2222 https://threatfox.abuse.ch/ioc/66257/

Intelligence

File Origin
# of uploads :
2
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_7661232.IMG
Verdict:
Malicious activity
Analysis date:
2021-05-27 18:03:29 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/f5e74a06-ad2b-4f12-b5c1-12efa2d5c57f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/162836/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Launching a process
Sending a custom TCP request
Creating a file
Setting a global event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/793438
Signature
Creates a thread in another existing process (thread injection)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 425846 Sample: DHL_7661232.exe Startdate: 27/05/2021 Architecture: WINDOWS Score: 96 37 resereved.nerdpol.ovh 2->37 39 prda.aadg.msidentity.com 2->39 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected BitRAT 2->47 49 Yara detected Xmrig cryptocurrency miner 2->49 51 Machine Learning detection for sample 2->51 8 Krujwi.exe 13 2->8         started        12 DHL_7661232.exe 1 19 2->12         started        15 Krujwi.exe 14 2->15         started        signatures3 process4 dnsIp5 53 Multi AV Scanner detection for dropped file 8->53 55 Machine Learning detection for dropped file 8->55 57 Writes to foreign memory regions 8->57 17 ieinstal.exe 8->17         started        41 cdn.discordapp.com 162.159.130.233, 443, 49717, 49719 CLOUDFLARENETUS United States 12->41 31 C:\Users\Public\Krujwi\Krujwi.exe, PE32 12->31 dropped 59 Creates a thread in another existing process (thread injection) 12->59 61 Injects a PE file into a foreign processes 12->61 21 DpiScaling.exe 1 12->21         started        23 dialer.exe 15->23         started        file6 signatures7 process8 dnsIp9 33 resereved.nerdpol.ovh 104.208.31.182, 2222, 49731, 49736 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->33 35 192.168.2.1 unknown unknown 21->35 43 Hides threads from debuggers 21->43 25 WerFault.exe 20 3 21->25         started        27 WerFault.exe 21->27         started        29 WerFault.exe 21->29         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae93266da6d1204d789cf03efc2a0e2d7192cd7309d66984340a6ff5b99a7ae8/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-05-27 19:08:08 UTC
AV detection:
18 of 44 (40.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v2jsm3ng2eqe26e46a7pykqofvyzftltbhlgtbbubjx7lom2plua._file
Verdict:
malicious
Similar samples:
028fb2b55806708dc61ab34ad360998449e5710eca9d0f85cae4987c6144acf6
BitRAT
0ce75a68a6c717a15ebb6bb1e62d6e2d2af1c8b64b047ec3d9dd50434e9ecf40
BitRAT
1fc8b21214b10720988c33582ca6415bf3d052a829ba4db3dcbd77655de4f95d
BitRAT
4bb5887d12b822628da418c65c8999b402dd262a58f4ee133a51f00a0c9e7881
BitRAT
4eec9ac382b6fcbf861641137d9a597a04a891a47983252137a7b0fdbbeb842b
BitRAT
604a7c2d1362f5bf1f7258b0e3f7d946f629de3f52155c1ae6b6bf6ba661f95d
BitRAT
74ff69d2acffcbe2ed4ad76db8c1025be066170a8cc5b7c7048ea8cdcb155179
BitRAT
a996cb18e61a3ac99ec0317bd0738d05e3e90b8982e6ef9271d268586647e253
BitRAT
d04efc1f583b9d7a2f2e600a43eeb8fb8359432c591a4f8cc583caf881097421
BitRAT
ddf9f373e5735daeaea928c67bf342b9a71089ef06b4b9ec4fd8f593f34969e0
BitRAT
+ 168 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan upx
Link:
https://tria.ge/reports/210527-vjhwrfa7pe/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Blocklisted process makes network request
UPX packed file
ModiLoader, DBatLoader
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae93266da6d1204d789cf03efc2a0e2d7192cd7309d66984340a6ff5b99a7ae8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

Executable exe ae93266da6d1204d789cf03efc2a0e2d7192cd7309d66984340a6ff5b99a7ae8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/162836/

Comments