MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b895fbf7b60e9534de3a12e5e6c3b5dbe8a5f6149be49e50beae19e0a9006999. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 10

SHA256 hash: b895fbf7b60e9534de3a12e5e6c3b5dbe8a5f6149be49e50beae19e0a9006999
SHA3-384 hash: b72946f41b1eacd5b587278a177aabb22c760cacdedb15c0a467cc53b20a9b486f18e246f980371557f11a626c02b2b3
SHA1 hash: 48e9dcd856ea4ed668ad6fe003cbc61eed246b25
MD5 hash: d9619e430db2be25cd3aa6c8fd75f734
humanhash: east-hamper-california-pizza
File name: d9619e430db2be25cd3aa6c8fd75f734.exe
Signature: BitRAT
File size: 10'822'656 bytes
First seen: 2021-02-10 14:21:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 196608:ynWPdvFUqMctaKEEWJNhb5QJ25CR40f2zVIzEE4PW2TS9pDMkD2s4x:SpAa8WJNhb5Qc5CRXf2zVUUPW2TSOE76
Threatray: 96 similar samples on MalwareBazaar
TLSH: 61B6229C730371DFE45B98B6CBA41C3095357C6B72C2D20BB05B36A9E96D09ADE042E7
Reporter: abuse_ch
Tags: BitRAT exe RAT


abuse_ch
BitRAT C2:
svchostexplorer.ddns.net:4016 (185.239.242.118)

Intelligence

File Origin
# of uploads: 1
# of downloads: 134
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d9619e430db2be25cd3aa6c8fd75f734.exe
Verdict: Malicious activity
Analysis date: 2021-02-10 14:24:28 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-02-02 15:00:22 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:bitrat family:xmrig evasion miner ransomware trojan upx
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
UPX packed file
Looks for VirtualBox Guest Additions in registry
XMRig Miner Payload
BitRAT
BitRAT Payload
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SHA256 hash: bd03f1419db658015507630078378ed7b24ed480166fb9855308e78cd249fb44
MD5 hash: 06ba0381250a64535e2ff8dcf4f37907
SHA1 hash: bb9f2a2c1d8bdabeefcb7b1f0333a47ae144571c

SHA256 hash: c392db73ebbf33ce056408009594c54418c9bb8f4bdb66b5f829c5d71019dc4f
MD5 hash: b5c29a9a190a09e4bea9106655df564a
SHA1 hash: b0fad1ae6d42e1f0d337574b331a3af0c1c573a0

SHA256 hash: 8c070158744fe8bed8ae2d947c450bb46811373940ed48782cd8d742c458ea67
MD5 hash: 95a0c2870edf6e48eba69a4aec977cb1
SHA1 hash: af8129092ff1e6da26a2fad8eda71c75e8ef6b9c

SHA256 hash: 74f78089f5cec8d9b9065f69ea77a8cff55b5fa65b6d5254820e67f5a11cea43
MD5 hash: e7375c1704d0f6f9a232d871d7948e55
SHA1 hash: 080d973437a2833332b954b69a5133c677cdc51d

SHA256 hash: 7144db3a2d73a1927c4eec18e890e273eb76f146c20e8ec553668508aff01029
MD5 hash: 9ed7cf457034e76d2ac94fb066a23dfd
SHA1 hash: e18a04a06b328908604765fb519888aad42ff490

SHA256 hash: 5f556b89361ab895a2fc24da90323a2ca43ad1dd46a644b128caeb2879eb411d
MD5 hash: 8ec8ca109abce872ef8e54a7c6af215f
SHA1 hash: 3b4b130d9fdeef5a41a740ea52bf121f24aab713

SHA256 hash: b895fbf7b60e9534de3a12e5e6c3b5dbe8a5f6149be49e50beae19e0a9006999
MD5 hash: d9619e430db2be25cd3aa6c8fd75f734
SHA1 hash: 48e9dcd856ea4ed668ad6fe003cbc61eed246b25
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: MALWARE_Win_BitRAT
Author: ditekSHen
Description: Detects BitRAT RAT

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments