MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af7800b9d14d41db33e7aeb100aac52bcae40bd7dfa2f151ffb4e76e810ea965. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 9

SHA256 hash: af7800b9d14d41db33e7aeb100aac52bcae40bd7dfa2f151ffb4e76e810ea965
SHA3-384 hash: 56ae2ff848cb0cd7859abeaa731ca4a71e748b9069129b923b1acb05ae490bbd7099e13a324280ba0ccc7b0142a57959
SHA1 hash: 60655a314c86993deefa9d9f7eec64341168e9e1
MD5 hash: 284445efc60c1a68e8199c7dc675ff82
humanhash: item-mobile-dakota-maine
File name: UpdatedHUD22.exe
Signature: BitRAT
File size: 2'642'112 bytes
First seen: 2021-07-28 16:20:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 49152:m8459zztzzKoPfxsNIcv+xltSiK0rXw5hn360bURtRY26YS+WhfFzMwDPwRVuf2s:mD9zztzzKoxs6cmxfSMkd3GDGvWsfPX
Threatray: 596 similar samples on MalwareBazaar
TLSH: T19AC52302BB89DCFAD5522C314C7C9A211039FD508B29D6ABFF4479189DF22C27676E1B
dhash icon: f08f8b8c8e8a8fb0 (1 x BitRAT, 1 x AveMariaRAT)
Reporter: abuse_ch
Tags: BitRAT exe RAT


abuse_ch
BitRAT C2:
37.0.10.6:6620

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 37.0.10.6:6620
ThreatFox reference: https://threatfox.abuse.ch/ioc/163424/

Intelligence

File Origin
# of uploads: 1
# of downloads: 129
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: UpdatedHUD22.exe
Verdict: Malicious activity
Analysis date: 2021-07-28 16:24:51 UTC
Tags: trojan bitrat rat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 76 / 100
Signatures:
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (ID 455622, sample UpdatedHUD22.exe, start date 28/07/2021, architecture WINDOWS, score 76): UpdatedHUD22.exe starts adodbe.exe, dropped as C:\Users\user\AppData\Local\...\adodbe.exe (PE32). adodbe.exe drops C:\Users\user\AppData\...27WKQwZWIgp.exe (PE32) and C:\Users\user\AppData\Local\...\tmp68B1.tmp (XML), then starts schtasks.exe (which starts conhost.exe), two further adodbe.exe instances and 3 other processes. Signatures on the top-level process: antivirus detection for dropped file; tries to detect sandboxes and other dynamic analysis tools (process name or module or function). Signatures on adodbe.exe: antivirus detection for dropped file; detected unpacking (changes PE section rights); detected unpacking (overwrites its own PE header); 2 other signatures.
Threat name: ByteCode-MSIL.Trojan.Taskun
Status: Malicious
First seen: 2021-07-28 16:21:07 UTC
AV detection: 13 of 27 (48.15%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:bitrat evasion suricata trojan upx
Behaviour:
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Looks for VMWare Tools registry key
UPX packed file
CustAttr .NET packer
Looks for VirtualBox Guest Additions in registry
BitRAT
BitRAT Payload
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Unpacked files
SHA256 hash: c7205976287c2b60e318f53573b6c85bda4121e59305b83ec3766ea419463957
MD5 hash: 6f946b4853c213775aa7bdd751940bb4
SHA1 hash: 3579769f5676d25259f452375c29da7a3955cf70

SHA256 hash: 574de02ade0736a48b0bf43cba49e9eab5cb900d5ea27754c37963e85b280a42
MD5 hash: e8b53f0f7babf7c197e085071bce9332
SHA1 hash: f3d8b9b88e926b8d262221c09bc5bbc906121cc6

SHA256 hash: 97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash: 68463851c0e6fe7a254c99fae763d454
SHA1 hash: 4587a5371d88c296a0184fe47ee0c5245b187127

SHA256 hash: 19988cae1bccf1181689d45cc20df02f7e2592e83624016171ccdeaa5dc484df
MD5 hash: fd1cb02bfcc264dc719820bd42eda025
SHA1 hash: 376ed6a814f85e7498929c5efd52f6b5edf96058

SHA256 hash: af7800b9d14d41db33e7aeb100aac52bcae40bd7dfa2f151ffb4e76e810ea965
MD5 hash: 284445efc60c1a68e8199c7dc675ff82
SHA1 hash: 60655a314c86993deefa9d9f7eec64341168e9e1

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_BitRAT
Author: ditekSHen
Description: Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments