MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2cda7b8c8214e29b01cc8915de2535db62546e158f7f29b4f5cfa292b66b9a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	b2cda7b8c8214e29b01cc8915de2535db62546e158f7f29b4f5cfa292b66b9a8
SHA3-384 hash:	dfb9cff18e2700b2a36a1308959884d1a7aa8d97dda6fe7d60b236b4bbc308a12fdd9e1191d5cc9cc4beda0e3b30debc
SHA1 hash:	4a054f9301ece67a4d1afdeec8ebfedf86640cbd
MD5 hash:	40fbb8b9e86a05a6c7f70b16b7ed810b
humanhash:	video-fillet-west-nineteen
File name:	40fbb8b9e86a05a6c7f70b16b7ed810b.exe
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	8'179'712 bytes
First seen:	2022-01-31 07:23:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2b817dc1b1849c6a436f0647be7673e0 (15 x BitRAT)
ssdeep	196608:CWx+Kdiqx6F9pxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOfTV4:CWxVdiXjxwZ6v1CPwDv3uFteg2EeJUOf
Threatray	640 similar samples on MalwareBazaar
TLSH	T1FE86D011B5958C6BD5561238CAEFB73B223CF6600B23C7C367506A394E73AC13E66B16
Reporter	abuse_ch
Tags:	BitRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

177

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

40fbb8b9e86a05a6c7f70b16b7ed810b.exe

Verdict:

Malicious activity

Analysis date:

2022-01-31 07:39:05 UTC

Tags:

evasion

Link:

https://app.any.run/tasks/22829fc2-6ab6-4464-82f9-13f4e8cd8356

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/228321/

Detection(s):

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-49

PUA.Win.Packer.UpxProtector-1

Win.Malware.Mikey-9819889-0

Win.Dropper.BitRAT-9908151-1

ditekSHen.MALWARE.Win.Trojan.BitRAT.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a file

Creating a process from a recently created file

Creating a process with a hidden window

Moving a recently created file

Setting a global event handler

Sending a custom TCP request

DNS request

Delayed writing of the file

Setting a global event handler for the keyboard

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5583/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm greyware packed print.exe spyeye

Link:

https://www.filescan.io/uploads/61f78e9dd9e6538232d667fc/reports/8794da7f-6019-4b6a-a339-f2a4293da7b0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

BitRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7f5f10df-ef50-4adc-8b8c-3c6a09685db4

Result

Threat name:

BitRAT Xmrig

Detection:

malicious

Classification:

troj.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/930675

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b2cda7b8c8214e29b01cc8915de2535db62546e158f7f29b4f5cfa292b66b9a8/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-07-15 01:08:33 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 43 (69.77%)

Threat level:

5/5

Verdict:

malicious

BitRAT

296cb7c456c55688de080e9940722307f1ee92acbfec61696e21ec985794a3ff

BitRAT

71d0b7098599a1499e71ecfb828eef37868f31e4bc0e64d1249b90bd4404c5da

BitRAT

84c32cb403361a5d8d8117cf941b89c6c819ac453a0e1f411eb5c2952cc35e7c

BitRAT

93ac463d55f59133067b2b6d985a077b45924421db0293da03cf15ac2a933b92

BitRAT

96f69fe5148b0838909afe927aa280b4919b7f12b1593ed4a461de49fa725b1b

BitRAT

9a6e4a0945252684df6638c58bcc3f0eeb38923ab8b56972585692d43ecc532b

BitRAT

+ 630 additional samples on MalwareBazaar

Result

Malware family:

bitrat

Score:

10/10

Tags:

family:bitrat upx

Link:

https://tria.ge/reports/220131-h8eawsgfdq/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Looks up external IP address via web service

Loads dropped DLL

Executes dropped EXE

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Malware Config

C2 Extraction:

6rmm37to6q6idiryu6uqdoygib6j7dab2asqmzn3ezbqj2b53sdaipqd.onion:80

Unpacked files

SH256 hash:

bf17144d079649dcf2f770f4527ddb27dab66a51a77d5725d5fb358c847fa88a

MD5 hash:

bbcb4489c483ca0ac14336cda6f941b3

SHA1 hash:

3b5bc6b21f5dce2d6c400b7f5793b909ee771d66

Link:

https://www.unpac.me/results/4b95b135-e53b-4e45-99ca-77229d2322c0/

SH256 hash:

b2cda7b8c8214e29b01cc8915de2535db62546e158f7f29b4f5cfa292b66b9a8

MD5 hash:

40fbb8b9e86a05a6c7f70b16b7ed810b

SHA1 hash:

4a054f9301ece67a4d1afdeec8ebfedf86640cbd

Link:

https://www.unpac.me/results/4b95b135-e53b-4e45-99ca-77229d2322c0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b2cda7b8c8214e29b01cc8915de2535db62546e158f7f29b4f5cfa292b66b9a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_BitRAT Create hunting rule
Author:	ditekSHen
Description:	Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/228321/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample