MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afee0b3d9b0d5b49066b1c30caa599cfda93d070170ef5e30d33e534cb185eb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afee0b3d9b0d5b49066b1c30caa599cfda93d070170ef5e30d33e534cb185eb2
SHA3-384 hash: 87cb19428a8d430fbf51e31b6da707de2c17a47568a8ac7d5282b983d00b86ab33222f22d0ba897640e70de7822b6a24
SHA1 hash: e6cadd792590770e30781ca35ea4e5232114ca5f
MD5 hash: 1cd30f9b6de43c81f5b891833cd22d0d
humanhash: whiskey-leopard-undress-spaghetti
File name:1cd30f9b6de43c81f5b891833cd22d0d.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:3'429'376 bytes
First seen:2022-05-13 14:27:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:wsgOpckOTfPEMpjVfcuVdNsTvLVNv/vfvuX2nLU0cQ2K9jyLXVhhGZIk3:wt2cDTnVpfIvhNff2mnzcQ29LjhGZIk
Threatray 1'931 similar samples on MalwareBazaar
TLSH T1DEF5BE4C67096906CE59C771EDB22B52A792C7BEAE515B03F385763DC03BBAC59C0A03
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 16174db2a88e9620 (26 x BitRAT, 16 x AsyncRAT, 9 x AveMariaRAT)
Reporter abuse_ch
Tags:BitRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
n/a
Vendor Threat Intelligence
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/270450/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a window
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/627e6af4ce11c3e7ab0972bc/reports/dc05dbfb-fd35-4dca-b225-bdff45e9bfe1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d5d91424-0e60-468d-9a25-97878af72ba1
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/993639
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 626132 Sample: 5Gccl4I51C.exe Startdate: 13/05/2022 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 4 other signatures 2->45 7 5Gccl4I51C.exe 1 5 2->7         started        11 Naqxxwd.exe 2->11         started        13 Naqxxwd.exe 2->13         started        process3 file4 27 C:\Users\user\AppData\Roaming\...27aqxxwd.exe, PE32 7->27 dropped 29 C:\Users\user\...29aqxxwd.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\...\5Gccl4I51C.exe.log, ASCII 7->31 dropped 47 Writes to foreign memory regions 7->47 49 Injects a PE file into a foreign processes 7->49 15 InstallUtil.exe 1 7->15         started        19 InstallUtil.exe 7->19         started        21 cmd.exe 1 7->21         started        51 Multi AV Scanner detection for dropped file 11->51 53 Machine Learning detection for dropped file 11->53 signatures5 process6 dnsIp7 33 37.0.11.155, 4670, 49756, 49757 WKD-ASIE Netherlands 15->33 35 Hides threads from debuggers 15->35 37 Contains functionality to hide a thread from the debugger 19->37 23 conhost.exe 21->23         started        25 timeout.exe 1 21->25         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/afee0b3d9b0d5b49066b1c30caa599cfda93d070170ef5e30d33e534cb185eb2/
Threat name:
ByteCode-MSIL.Spyware.Solmyr
Create hunting rule
Status:
Malicious
First seen:
2022-05-10 11:48:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 41 (51.22%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
19a74b73bfbb078a9a9fe5c0789d7d011ea547dc2f6a8e17f44efe7c5dffcf57
BitRAT
1caa4a4e077cc954b65893bb0c11413afcaf185046d3d27277ddc2e9526a849c
BitRAT
3664c59f198b6e3ec2bc254b9758fe20046b4cddd0a35f3e9c8fbf631c5a8a50
BitRAT
37e3a3e4a0b161fbfd16602bb993ceeb34a7f25f2fc6d36459cc35afbff92363
BitRAT
604cfa1c1f0957f81456dca9dc28be711eacdb2b64ec0023b8dad52e9627ff00
BitRAT
6df1711427805cf33f297bd481fb8fdf3f04e92d25553b15060161bf972b334a
BitRAT
dd9194cf20f72e8f2f0b2fd08c9a4175e222b18de4738b43aa9274f5111cb01b
BitRAT
+ 1'921 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan upx
Link:
https://tria.ge/reports/220513-rszrbsgea8/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
UPX packed file
BitRAT
Malware Config
C2 Extraction:
37.0.11.155:4670
Unpacked files
SH256 hash:
062450d42ee76accef24ea370726ef90d72f60b137124aa26f0f187b66ab3f66
MD5 hash:
30f26ee6d82686f2407d851096769020
SHA1 hash:
a239ab4fee0d8898c1c948032a2d9325588d5918
Detections:
win_bit_rat_auto
Create hunting rule
Link:
https://www.unpac.me/results/3d6c2340-e209-4ae7-8892-dff063184a60/
Parent samples :
afee0b3d9b0d5b49066b1c30caa599cfda93d070170ef5e30d33e534cb185eb2
8dae589a1806bcf1cf37a85cf9821a25527c4a271d8aba3c9a8f621061766840
SH256 hash:
f981260b3522b342f4144efe9e663660e36f09cae585ae1e715d69d368246e6b
MD5 hash:
46246b8bcfed627346d065e743e9b19d
SHA1 hash:
1adbab53f04d2981b094e8ac513d03f796dffb0e
Link:
https://www.unpac.me/results/3d6c2340-e209-4ae7-8892-dff063184a60/
SH256 hash:
afee0b3d9b0d5b49066b1c30caa599cfda93d070170ef5e30d33e534cb185eb2
MD5 hash:
1cd30f9b6de43c81f5b891833cd22d0d
SHA1 hash:
e6cadd792590770e30781ca35ea4e5232114ca5f
Link:
https://www.unpac.me/results/3d6c2340-e209-4ae7-8892-dff063184a60/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/afee0b3d9b0d5b49066b1c30caa599cfda93d070170ef5e30d33e534cb185eb2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/270450/

Comments