MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1ea8507fb9fce713b396b966cbe353e767bea754198c6c1c6d32f33a1919611. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1ea8507fb9fce713b396b966cbe353e767bea754198c6c1c6d32f33a1919611
SHA3-384 hash: 8c0c3fb7bc1040be4f8d84c2c0aa2302388d6a845ad7cbb9b1d7cce0551f270b38e3c89041ff632da5fcc14d7cb81e42
SHA1 hash: ba7280b3e57c30e84043d69a15a2b41e66f7f8bb
MD5 hash: db2b4147cb7d7bd810f7b8b2c7f04b3c
humanhash: alanine-chicken-four-sad
File name:June RFQ - Finished Products List & Selection.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'748'992 bytes
First seen:2022-06-16 03:11:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 39a5e63add263fb8a93124d0be6cfbe2 (4 x RedLineStealer, 3 x Loki, 2 x Amadey)
ssdeep 49152:pR3SqssvCBlfASypXOWBeIHczjtZ51SfOC:p7XCBlfASyprBeOczjLSt
Threatray 707 similar samples on MalwareBazaar
TLSH T162852310EA60C034F5B212F49E7792ACB92EBAB1972551CB62D91AFA07343E4FD30757
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13101/52/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 848484a484a48484 (1 x BitRAT)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
185.156.172.149:3988

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.156.172.149:3988 https://threatfox.abuse.ch/ioc/712300/

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/280455/
Detection(s):
Win.Packed.Generic-9952003-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Setting a global event handler
Sending a custom TCP request
Modifying an executable file
Creating a file
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
Creating a file in the %temp% directory
Reading critical registry keys
Enabling the 'hidden' option for files in the %temp% directory
Unauthorized injection to a recently created process
Moving of the original file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/21530/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62aa9f87b0582adf05a9f8c8/reports/296fd049-24c1-46bc-a53c-ec5cd3aef265/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BitRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2dbc456c-3a5e-44ef-8d87-ea35e61676ca
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1014217
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 646713 Sample: June RFQ - Finished Product... Startdate: 16/06/2022 Architecture: WINDOWS Score: 100 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for dropped file 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 5 other signatures 2->69 9 June RFQ - Finished Products List & Selection.exe 2->9         started        12 msfixr.exe 2->12         started        14 msfixr.exe 2->14         started        process3 signatures4 81 Injects a PE file into a foreign processes 9->81 16 June RFQ - Finished Products List & Selection.exe 2 5 9->16         started        83 Detected unpacking (changes PE section rights) 12->83 21 msfixr.exe 12->21         started        23 msfixr.exe 14->23         started        process5 dnsIp6 47 bilt.shipnotifica.com 185.156.172.149, 3988, 49742, 49743 M247GB Romania 16->47 37 C:\Users\user\AppData\Local:16-06-2022, HTML 16->37 dropped 71 Creates files in alternative data streams (ADS) 16->71 73 Writes to foreign memory regions 16->73 75 Allocates memory in foreign processes 16->75 79 2 other signatures 16->79 25 msfixr.exe 24 16->25         started        29 WerFault.exe 6 9 16->29         started        77 Hides threads from debuggers 21->77 file7 signatures8 process9 file10 39 C:\Users\user\AppData\Local\...\Unknown.dll, PE32 25->39 dropped 41 C:\Users\user\AppData\...\vcruntime140.dll, PE32 25->41 dropped 43 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 25->43 dropped 45 17 other files (none is malicious) 25->45 dropped 85 Injects a PE file into a foreign processes 25->85 31 msfixr.exe 5 25->31         started        signatures11 process12 dnsIp13 49 xenarmor.com 69.64.94.128 CODERO-DFWUS United States 31->49 51 192.168.2.1 unknown unknown 31->51 53 www.xenarmor.com 31->53 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->55 57 Tries to steal Instant Messenger accounts or passwords 31->57 59 Tries to steal Mail credentials (via file / registry access) 31->59 61 2 other signatures 31->61 35 conhost.exe 31->35         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1ea8507fb9fce713b396b966cbe353e767bea754198c6c1c6d32f33a1919611/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-06-16 03:12:17 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=whvikb73t7hhcozznolgzprvhz3hx2tvigmmnqog2mxthimrsyiq._file
Verdict:
malicious
Similar samples:
00fca5381ec94c0e1901a3fa10fb5d38e73c06af17df98af463e3a4393246685
BitRAT
086292a6bfd70867d0186a92add0deca164c0588fc37c30c4401e249c2b59257
BitRAT
0eaeab189b978e9babdb4324c22d4bb708e3b33c0016f52e37aa66efae4a310e
BitRAT
18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b
BitRAT
515f555c06db60243a892bbdf57704792956569387482f6a7a001a782bb6bcd1
BitRAT
7ea33c91dc1a98b9ab5229455e951d38f4d4563130f87d3fa290b9b01b2337dd
BitRAT
84857d64b73f66ef619d84c81c1fd789e3f6717e6e0aaa1bda45e1dd2d34c14f
BitRAT
879b3899bd1dc321c620a9abcd9fa2ce3222047bc49b57cd00a8dabfc9e2b0ac
BitRAT
befaecfa9c1207b951dcf8e72b803cb32d237f16d9e49df1c6c29fcf690b4ec3
BitRAT
d9f858f28cab427ea59133d06469903d937cd10334a0fdd5f77fe529e3d0ece1
BitRAT
+ 697 additional samples on MalwareBazaar
Result
Malware family:
xenarmor
Create hunting rule
Score:
  10/10
Tags:
family:bitrat family:xenarmor collection password persistence recovery spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/220616-dp65cahcgr/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
BitRAT
XenArmor Suite
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Malware Config
C2 Extraction:
bilt.shipnotifica.com:3988
Unpacked files
SH256 hash:
d6055100606af42791f1e931b5a53b197dc414823fd534be98150ecd861440fc
MD5 hash:
dd059bab2a093ba8231aee0a11a11132
SHA1 hash:
184cf6e35508b490f4720dc98714f5b1ad3e2ff9
Detections:
win_bit_rat_auto
Create hunting rule
Link:
https://www.unpac.me/results/ff03e49c-037a-4290-9460-d4b0bff057ad/
SH256 hash:
b1ea8507fb9fce713b396b966cbe353e767bea754198c6c1c6d32f33a1919611
MD5 hash:
db2b4147cb7d7bd810f7b8b2c7f04b3c
SHA1 hash:
ba7280b3e57c30e84043d69a15a2b41e66f7f8bb
Link:
https://www.unpac.me/results/ff03e49c-037a-4290-9460-d4b0bff057ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1ea8507fb9fce713b396b966cbe353e767bea754198c6c1c6d32f33a1919611

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:bitrat_unpacked
Create hunting rule
Author:jeFF0Falltrades
Description:Experimental rule to detect unpacked BitRat payloads on disk or in memory, looking for a combination of strings and decryption/decoding patterns
Reference:https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/
Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:win_bit_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.bit_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/280455/

Comments