MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba318072fe85e168c5fd55a30760ac306f75fa76c2d5ec40533b0505cda1c26d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba318072fe85e168c5fd55a30760ac306f75fa76c2d5ec40533b0505cda1c26d
SHA3-384 hash: a583a88cc1384127298e62828eba3fde0e94f1edb4cbb50eec2f26c2be1832d148128f81c53339ad8ec008218041fa32
SHA1 hash: 2cf72f55b180f044601079278f963d9dfb2d12af
MD5 hash: b94cf8dcb0b74f44bfebf091b8223fc7
humanhash: minnesota-double-crazy-papa
File name:Security_Check.scr
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'086'400 bytes
First seen:2020-10-05 10:47:38 UTC
Last seen:2020-10-05 12:25:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:9zI+Iq3SgLDB2gIxpMuFuZ2DdnrHnSss3b3gBVKfSom6Zq/6WLm:VfDB21xpUAVHvs3b3gBVKfA
Threatray 29 similar samples on MalwareBazaar
TLSH 41A523816A82CE3BDC780E33253A4DB4E026ADFDDA79ACF97999761794B36C0317441C
Reporter srcr
Tags:BitRAT exe Ursnif


Avatar
srcr
Sample source: https://gov-live-cases-update.xyz/Security_Check.scr

Intelligence

File Origin
# of uploads :
6
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68118/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching a process
Setting a global event handler
Sending a UDP request
DNS request
Sending a custom TCP request
Setting a global event handler for the keyboard
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/481228
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 293054 Sample: Security_Check.scr Startdate: 05/10/2020 Architecture: WINDOWS Score: 96 35 nagano-19599.herokussl.com 2->35 37 elb097307-934924932.us-east-1.elb.amazonaws.com 2->37 39 api.ipify.org 2->39 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected BitRAT 2->53 55 2 other signatures 2->55 9 Security_Check.exe 3 6 2->9         started        signatures3 process4 file5 31 C:\Users\user\AppData\Local\...\Juxlivtq.exe, PE32 9->31 dropped 33 C:\Users\user\...\Security_Check.exe.log, ASCII 9->33 dropped 12 Juxlivtq.exe 1 6 9->12         started        16 AcroRd32.exe 39 9->16         started        process6 dnsIp7 43 myexternalip.com 216.239.32.21, 443, 49731, 49749 GOOGLEUS United States 12->43 45 193.239.147.16, 4561, 49730, 49748 DEDIPATH-LLCUS Brunei Darussalam 12->45 57 Antivirus detection for dropped file 12->57 59 Multi AV Scanner detection for dropped file 12->59 61 Machine Learning detection for dropped file 12->61 63 Hides threads from debuggers 12->63 47 192.168.2.1 unknown unknown 16->47 18 RdrCEF.exe 57 16->18         started        20 AcroRd32.exe 8 6 16->20         started        signatures8 process9 process10 22 RdrCEF.exe 18->22         started        25 RdrCEF.exe 18->25         started        27 RdrCEF.exe 18->27         started        29 RdrCEF.exe 18->29         started        dnsIp11 41 80.0.0.0 NTLGB United Kingdom 22->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba318072fe85e168c5fd55a30760ac306f75fa76c2d5ec40533b0505cda1c26d/
Threat name:
ByteCode-MSIL.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-10-02 02:47:19 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xiyya4x6qxqwrrp5kwrqoyfmgbxxl6twylk6yqcthmcqltnbyjwq._file
Verdict:
suspicious
Similar samples:
08da1c7771ae637a3b09d9d636b97d6cefdd1794fe3de4ade9b676188e057370
BitRAT
1a198ecee66fc8ec13774ac287557d82678d9b2a2f0192f9b180cc046840a36a
BitRAT
3643b3aebb0d514084a3f14314687e1fb437f8048fc0cca52de70e81cf4b0cc8
BitRAT
750d5e5f32eda7dad8b6439f8ac1800542fc27b66a8b89af498bae20dee15cad
BitRAT
76bb1098a0fc09328f1ac34847f16e4ad19d802ffb41ed2e2726aa42eae3a20e
BitRAT
7ff8f569a151047f25f2f858e562e4b5b54d9af822105780f6c8a91ec4740124
BitRAT
be2a4d827c93a657161aba979c162fc390c0f9193b11fefc3dab9fe8cf03e110
BitRAT
c4a61b581890f575ba0586cf6d7d7d3e0c7603ca40915833d6746326685282b7
BitRAT
c70b23f2fb34022b8ba6f83b9a3317b2765be7aa5277d22b8613edf80b8a10c5
BitRAT
fe4d94970553cd7601c6e0a9e6a246d885abba1479ebd1da4b80e53f83e7875b
BitRAT
+ 19 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/201005-qnrn58qype/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of NtSetInformationThreadHideFromDebugger
Looks up external IP address via web service
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
ba318072fe85e168c5fd55a30760ac306f75fa76c2d5ec40533b0505cda1c26d
MD5 hash:
b94cf8dcb0b74f44bfebf091b8223fc7
SHA1 hash:
2cf72f55b180f044601079278f963d9dfb2d12af
Link:
https://www.unpac.me/results/9c7981be-caa3-4c4f-844f-76c457a94372/
SH256 hash:
e78ba7c9751145c723ef906c235e2e68a097bf562bd5b7d796ce57bb824bf425
MD5 hash:
b7e3ead08be490dddc893d298c17d320
SHA1 hash:
966e143566fe731596be9f72a7570fec3539f101
Detections:
win_bit_rat_w0
Create hunting rule
Link:
https://www.unpac.me/results/9c7981be-caa3-4c4f-844f-76c457a94372/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba318072fe85e168c5fd55a30760ac306f75fa76c2d5ec40533b0505cda1c26d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_bit_rat_w0
Create hunting rule
Author:KrabsOnSecurity
Description:String-based rule for detecting BitRAT malware payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/68118/

Comments