MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba0bc680cff76f569d94608ec973a70100e7de49988fbe640e52173655b4374d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba0bc680cff76f569d94608ec973a70100e7de49988fbe640e52173655b4374d
SHA3-384 hash: 71319876eb1da835ac885bff9634a97b05fa6d1e05715c29fb34a589ce6c0d494ecbc5be26ca262d1c7797ce6baac5df
SHA1 hash: b227e11160d82add7bcd173c18683016a71fc75e
MD5 hash: 6fe8ab0b7d714c54ffb4c724aeb6d18d
humanhash: winner-xray-rugby-undress
File name:svchost.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'980'928 bytes
First seen:2021-03-13 12:20:42 UTC
Last seen:2021-03-13 13:39:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 49152:tkRDUwzMO/aYfjoe9wu04MYs89HcKrZ2Q:mRD+OiYfjoe9JMYsA8GZ2Q
Threatray 116 similar samples on MalwareBazaar
TLSH 2895234072648B40EF784BF51162E0842335B0A9AD5BD35D1D82A0CD68FEB6E67D7BE3
Reporter r3dbU7z
Tags:BitRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
svchost.exe
Verdict:
Malicious activity
Analysis date:
2021-03-13 12:22:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0c91d152-650b-4c46-9037-5cc1a7b4f196

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/124135/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.31661.21701.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Unauthorized injection to a recently created process
Creating a window
Launching a service
DHCP request
Sending a UDP request
Modifying a system file
DNS request
Sending an HTTP GET request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/638644
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 368299 Sample: svchost.exe Startdate: 13/03/2021 Architecture: WINDOWS Score: 96 35 Yara detected BitRAT 2->35 37 Yara detected Xmrig cryptocurrency miner 2->37 39 Machine Learning detection for sample 2->39 41 Sigma detected: System File Execution Location Anomaly 2->41 7 svchost.exe 3 2->7         started        11 svchost.exe 2->11         started        13 svchost.exe 9 1 2->13         started        16 6 other processes 2->16 process3 dnsIp4 29 C:\Users\user\AppData\...\svchost.exe.log, ASCII 7->29 dropped 49 Contains functionality to inject code into remote processes 7->49 51 Injects a PE file into a foreign processes 7->51 53 Contains functionality to hide a thread from the debugger 7->53 18 svchost.exe 2 2 7->18         started        55 Changes security center settings (notifications, updates, antivirus, firewall) 11->55 23 MpCmdRun.exe 1 11->23         started        33 127.0.0.1 unknown unknown 13->33 file5 signatures6 process7 dnsIp8 31 45.144.65.97, 1443, 49723, 49724 SUPERSERVERSDATACENTERRU Russian Federation 18->31 27 C:\Users\user\AppData\Local:13-03-2021, HTML 18->27 dropped 43 System process connects to network (likely due to code injection or exploit) 18->43 45 Creates files in alternative data streams (ADS) 18->45 47 Hides threads from debuggers 18->47 25 conhost.exe 23->25         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba0bc680cff76f569d94608ec973a70100e7de49988fbe640e52173655b4374d/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-03-13 12:21:06 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xif4nagp65xvnhmumchms45haeaopxsjtch34zaokiltmvnug5gq._file
Verdict:
malicious
Similar samples:
083d5efb4da09432a206cb7fba5cef2c82dd6cc080015fe69c2b36e71bca6c89
BitRAT
16d2779eb519c6c58ac8e4b95595737f9f71f37bf214d6220036abf0fe7908b6
BitRAT
203ac3379fb9ca3dd9c50d81234c753493ac422538c30d9a9ea07cb5f5042a7b
BitRAT
533aa4375a4eac85feb6d0ab962c38a68775ed412d056ed12535605fd5c1f415
BitRAT
5dfd85a1c9a3b450d9aa14d3ea0a6bac9db88623004e5e6d7b40e7ab3b17cd31
BitRAT
68087284713cf5b3080650a0f37fa67db5eff1b18c7cac032e0fa0c19752c118
BitRAT
6c212901b861bddfecd68559ceecc3a35898d965b4e56aeb67febbfa65dc9d52
BitRAT
a52ed9486d2ccdf0a9e29fe70ea7df8ddcb8bc06f9329664a310ae32d1308d6f
BitRAT
a6bec9d9527e9ddf4e153192f5d945e4de63e96da8ef2af4c12f81aec20bff8e
BitRAT
db7619d7304cbb9c7ad4bf8c74836f241aecac1fda067f3ffadadf7ee6d44930
BitRAT
+ 106 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan upx
Link:
https://tria.ge/reports/210313-sdtv838gwx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
b62a78a4ff25794aeefc454debe81b878c42aee6144251167ab8356d4b68075e
MD5 hash:
6db687c793241b848ab1f5ede1aec8cc
SHA1 hash:
915c5ff481d3c4a95a539eaac349c98dcdf2afe2
Link:
https://www.unpac.me/results/b1c9dbfa-8d0f-42b5-bc69-024eb01544d2/
SH256 hash:
f8b5b51efedb3e87493ac2439473564603cc3059d57956f209a7310e311a1027
MD5 hash:
d66f89bf838fb52ed59d311a99aea214
SHA1 hash:
342525c4aabbb92abf51459081d34ed0f1cdc965
Link:
https://www.unpac.me/results/b1c9dbfa-8d0f-42b5-bc69-024eb01544d2/
SH256 hash:
ba0bc680cff76f569d94608ec973a70100e7de49988fbe640e52173655b4374d
MD5 hash:
6fe8ab0b7d714c54ffb4c724aeb6d18d
SHA1 hash:
b227e11160d82add7bcd173c18683016a71fc75e
Link:
https://www.unpac.me/results/b1c9dbfa-8d0f-42b5-bc69-024eb01544d2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba0bc680cff76f569d94608ec973a70100e7de49988fbe640e52173655b4374d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:upx_packed
Create hunting rule
Description:UPX packed file

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/124135/

Comments