MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b93811479bf82f08e97be19c596166482cdb2b31b8762c8c310307dfd6dab61e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b93811479bf82f08e97be19c596166482cdb2b31b8762c8c310307dfd6dab61e
SHA3-384 hash: 7034065ca99e52282bf5e5475a5a62453a3d17d70883c755417808ce5f07acf983acc0cddad3a7b66902a6fa08ae2ff6
SHA1 hash: f1d3ba0fc6343e145663c944e6aeebe5e96eaa6b
MD5 hash: 2a5a12f5a3bc62ecd263e1ebde57cba7
humanhash: moon-wolfram-march-foxtrot
File name:Document.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:859'136 bytes
First seen:2022-01-19 14:56:52 UTC
Last seen:2022-01-19 16:37:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 91de5b52d8bb7ad58cc9d7384c309dcb (1 x BitRAT, 1 x DBatLoader)
ssdeep 12288:cvy7FkT7dEN/x9ADy2P/JQgfKKviABe4RX4tKa/B1HoGW7T3bnvwk:iuF+dENZ9ADy26cKKqAU8XranXKT7v
Threatray 1'648 similar samples on MalwareBazaar
TLSH T10605AF63B7E04436D03B1A388D6A67AD65357E012E18F587BEE47E0C5F36241B41BE8B
File icon (PE):PE icon
dhash icon 7cf6b6aa8ed8e8b4 (18 x Formbook, 8 x DBatLoader, 7 x AveMariaRAT)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
52.188.19.78:9090

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
52.188.19.78:9090 https://threatfox.abuse.ch/ioc/302364/

Intelligence

File Origin
# of uploads :
2
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/220661/
Detection(s):
SecuriteInfo.com.Artemis2A5A12F5A3BC.8385.4595.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Setting a global event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4747/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger packed
Link:
https://www.filescan.io/uploads/61e826c70f8c757253ccc571/reports/cf4faae7-0a60-4f76-9305-4298867ecb46/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a246e3b3-376e-45f0-864e-ef1ce587b270
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/923536
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 556010 Sample: Document.exe Startdate: 19/01/2022 Architecture: WINDOWS Score: 100 41 covid66758.ddns.net 2->41 49 Found malware configuration 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->53 55 5 other signatures 2->55 8 Nzmmycmfys.exe 13 2->8         started        12 Document.exe 1 17 2->12         started        15 Nzmmycmfys.exe 13 2->15         started        signatures3 process4 dnsIp5 57 Antivirus detection for dropped file 8->57 59 Machine Learning detection for dropped file 8->59 61 Writes to foreign memory regions 8->61 17 logagent.exe 8->17         started        43 cdn.discordapp.com 162.159.135.233, 443, 49755, 49756 CLOUDFLARENETUS United States 12->43 33 C:\Users\user\Contacts33zmmycmfys.exe, PE32 12->33 dropped 35 C:\Users\...35zmmycmfys.exe:Zone.Identifier, ASCII 12->35 dropped 63 Creates a thread in another existing process (thread injection) 12->63 65 Injects a PE file into a foreign processes 12->65 21 logagent.exe 1 12->21         started        45 162.159.133.233, 443, 49760 CLOUDFLARENETUS United States 15->45 23 logagent.exe 15->23         started        file6 signatures7 process8 dnsIp9 37 covid66758.ddns.net 52.188.19.78, 49761, 49762, 49763 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->37 39 192.168.2.1 unknown unknown 21->39 47 Hides threads from debuggers 21->47 25 WerFault.exe 2 21->25         started        27 WerFault.exe 21->27         started        29 WerFault.exe 21->29         started        31 WerFault.exe 21->31         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b93811479bf82f08e97be19c596166482cdb2b31b8762c8c310307dfd6dab61e/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-01-19 14:57:10 UTC
File Type:
PE (Exe)
Extracted files:
53
AV detection:
15 of 27 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xe4bcr437axqr2l34gofsylgjawnwkzrxb3czdbramd57vw2wypa._file
Verdict:
malicious
Similar samples:
1d8df098798099b8106386eb335e7f793d9ce4c14c863105aa2f260cea331c44
BitRAT
3faaf4c39ac62ca025232a6482aaf902472af9e56d5be60e1e7478c29d30e71c
BitRAT
49c1e306362700be6143f3dc9592a72ca5d9dc3d7237d9f8e4f14b5c14ea2155
BitRAT
6eee5d1c67a8e34e6d03d64fca1195bf26ceac2a68f454cc37e743ace0483a9f
BitRAT
83413a3a3f07ee931dbfecaefed51d0b01d2b13b85920bdd485f0b2ce41acba5
BitRAT
a899d2b8f1cf3d0a97107dcfecafb3239cade9e8aad01fe007f3b0d8762b8b7a
BitRAT
ab9041fe7e0a4a439521d6eb01cc16d74c00a0427c86b067120ac453ba7329d9
BitRAT
c409017de52a4a6ad3a0cd3ab97ad17f9be172136155bf548bef49d7777cec1a
BitRAT
db28682ec511e61fa9a6425d0c7a908a99cf19b3f08c81b0e61bec26e24a15d6
BitRAT
e3b9a35e9155fd3c927956f03d54da02f28cc27437537d67ba302ddb4a40e57b
BitRAT
+ 1'638 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence suricata trojan upx
Link:
https://tria.ge/reports/220119-sblc2saghk/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
UPX packed file
BitRAT
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Malware Config
C2 Extraction:
covid66758.ddns.net:9090
Unpacked files
SH256 hash:
9cebbcef1bd6016dfebf4c69f4c49501d914d5a8607777eba952d7ad40346f9a
MD5 hash:
322f2da5c29542aaecc9ee17e1fe7f00
SHA1 hash:
734c432e2595d53c82ee28604f909d3390018dd8
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/8081b4ff-b3ce-4bdc-a9e0-8305c838dd38/
Parent samples :
a7d0cff6a05994c0ae576fa842e44a101879317f62466923f1d96adee2c4a898
770c04c7c3a53d584af17e38e8e3fe5767d431e26ca59b4dc20de71045354295
c1bd90e8816e506f387b5552b7487423da84b9818cf4e94f175ed7206cffe4f5
b93811479bf82f08e97be19c596166482cdb2b31b8762c8c310307dfd6dab61e
bed2b6abf700b607d4f856c63832bae23f4120a8786b5af4cbdaa0d8525a47bc
0d9facf6b7073de4e3db19eb64e80589d98cfe35b66942191390a891bb8b241c
3add41c98717984fa6f6d1bff7b1506024e2d91932b60a43810498c44daaef86
ddfc4415217ec461350071b0965a1132ad43472bdc15980da23c46d8f1da188e
b5cea089bb899e75deef98dc1569dc3af17a070f6fa594377b49299d63bbbd8f
7b2232160ba59858c112d6dcb2252701cdb5c1e38b216fb046bd13718c2716ce
b83152fc7fc7aa9950add1de9c3d12e107e3b6eb481c1a368018ed26d3792cdc
0ba0cd39397ce42a5a678b0ef803f99267dc16de6383f61107e298633e23e436
f69c67cbf4e8f7e6d0f9157de994b80e6eb0f7b251dcc461940d51659055640f
5508d3fe5c41c4dec4a7570f0d60af3b6ba8cb9251ee1eae91e8fc061c3f58ef
cab0b398ecbf051d2fefcd25624c8f2b8119d52304c4e9836ede3b5391119fe6
4e837a08dd24b1f710c6fce10f974a49141decf103d6aeb290c0d36bba75121b
7a5846b1a7c0bbada0892d8b315bef3b4682192268da9ea779e98449681dd7ed
94ca0af32ea93d62fa355e450747ae9755c5dcd09e7b4186cd5bd04d7fc56565
0183d2fd44e215d6dc408bec45db9767a765767737b737032ff97e75adca46cd
5a04697834016e869389ef0d6a08656669cf5597fe0a6378a993250d311482e3
01e537ab28cea013b9a08939057369aa9369e8ff009231cb95101dc24348bb2e
76389098be8a410aaf6b21297912f6ef745db6e8a2f2aaaddda8685bd91091c3
662c7dc1c6b6fbc7cb4622876c0b0b2a42dba7081adede8a65182aef085f7082
7793e93512bcef7b9d90de59ef17b8771ecc9da854da2f4c8b3be8ba3c5a2c20
SH256 hash:
b93811479bf82f08e97be19c596166482cdb2b31b8762c8c310307dfd6dab61e
MD5 hash:
2a5a12f5a3bc62ecd263e1ebde57cba7
SHA1 hash:
f1d3ba0fc6343e145663c944e6aeebe5e96eaa6b
Link:
https://www.unpac.me/results/8081b4ff-b3ce-4bdc-a9e0-8305c838dd38/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
BitRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b93811479bf82f08e97be19c596166482cdb2b31b8762c8c310307dfd6dab61e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/220661/

Comments