MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba47f657a4745c96a62c444100d6c38bbff772b47ac03e83dc3ef5d94bc1d77c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba47f657a4745c96a62c444100d6c38bbff772b47ac03e83dc3ef5d94bc1d77c
SHA3-384 hash: d4813c73995163fdb39ba6792b4cd547cd13b46bbe65fa2dd17aba817bc915132f09837ddf9f36dff3dec7142b0d8d00
SHA1 hash: bb804be3028c6cbcc62e81fb70482c1a2444667f
MD5 hash: 1aa4ec7db318a524fdfb5aaff61a1031
humanhash: fish-bakerloo-michigan-violet
File name:1AA4EC7DB318A524FDFB5AAFF61A1031.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'553'856 bytes
First seen:2021-07-19 11:35:37 UTC
Last seen:2021-07-19 12:35:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:332SKzAnWx/9H4GiwfQTuWwACHst9qxTcAGlrOOgl0UVODO:H2SKRZkLwACsqxTGlrOF0UVO
TLSH T101C5231A677CE244E2D66CBA0013935156BABC4327ADFE1580D0FFE849F8BE098563D7
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
185.244.30.28:4898

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.244.30.28:4898 https://threatfox.abuse.ch/ioc/161038/

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1AA4EC7DB318A524FDFB5AAFF61A1031.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-19 11:36:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0ecc76cb-46d4-47ac-bbc9-1f7459fa5a4d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172525/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46635453.15482.7031.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f04f0516-7f38-43d5-bb47-31d1f3f50074
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818202
Signature
.NET source code contains potential unpacker
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450613 Sample: 0kEuVjiCbh.exe Startdate: 19/07/2021 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for dropped file 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected BitRAT 2->40 42 6 other signatures 2->42 8 0kEuVjiCbh.exe 3 10 2->8         started        process3 file4 26 C:\Users\user\AppData\...\discupdate.exe, PE32 8->26 dropped 28 C:\Users\user\AppData\...\0kEuVjiCbh.exe, PE32 8->28 dropped 30 C:\Users\...\discupdate.exe:Zone.Identifier, ASCII 8->30 dropped 32 3 other malicious files 8->32 dropped 44 Creates an undocumented autostart registry key 8->44 46 Writes to foreign memory regions 8->46 48 Injects a PE file into a foreign processes 8->48 12 0kEuVjiCbh.exe 8->12         started        15 wscript.exe 1 8->15         started        17 0kEuVjiCbh.exe 1 8->17         started        20 2 other processes 8->20 signatures5 process6 dnsIp7 50 Multi AV Scanner detection for dropped file 12->50 52 Machine Learning detection for dropped file 12->52 54 Contains functionality to hide a thread from the debugger 12->54 56 Wscript starts Powershell (via cmd or directly) 15->56 22 powershell.exe 25 15->22         started        34 185.244.30.28, 4898, 49733, 49738 DAVID_CRAIGGG Netherlands 17->34 58 Hides threads from debuggers 17->58 signatures8 process9 process10 24 conhost.exe 22->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba47f657a4745c96a62c444100d6c38bbff772b47ac03e83dc3ef5d94bc1d77c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 19:36:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xjd7mv5eorojnjrmiraqbvwdro77o4vuplad5a64h325ss6b256a._file
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan
Link:
https://tria.ge/reports/210719-29hzv9fwbx/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
1ce203dad45b6a999bebc78d4bb86288f0f32748b514b01641e511860b1941bf
MD5 hash:
6aad354a0439a53a0d29ae8d376e2266
SHA1 hash:
f7a3880072b8b14654fe617e1621e22dd015bef5
Link:
https://www.unpac.me/results/3025fee7-3237-4757-91f4-8e1bb702f2f5/
SH256 hash:
1a6171a084f904c46e8207abe11b575de2f2e864139ed73a088c97114fd6e6cd
MD5 hash:
c498556fa1c5ca3c4444fa9d5623d2dc
SHA1 hash:
e0b83a0e0d6ae9dd613c6ff87131dbf5dbb90781
Link:
https://www.unpac.me/results/3025fee7-3237-4757-91f4-8e1bb702f2f5/
SH256 hash:
8b1a36a537ba827a06fe03ec3cf5f89eb4c17557c4a76281845ac7ebbe93ba42
MD5 hash:
a5ab5695a446e343a91597bf4b40964e
SHA1 hash:
d193d2fc69d3edc1c61dd7c0ef6418cac1200a19
Link:
https://www.unpac.me/results/3025fee7-3237-4757-91f4-8e1bb702f2f5/
SH256 hash:
c7899871d5823fadcbebc786461697c3b34204c77ccca32a327d6392d04f4821
MD5 hash:
567be89e9020a14ac391064f59f9fdf4
SHA1 hash:
5345a70d857e864eb7c6610d8f115622006bf306
Link:
https://www.unpac.me/results/3025fee7-3237-4757-91f4-8e1bb702f2f5/
SH256 hash:
ba47f657a4745c96a62c444100d6c38bbff772b47ac03e83dc3ef5d94bc1d77c
MD5 hash:
1aa4ec7db318a524fdfb5aaff61a1031
SHA1 hash:
bb804be3028c6cbcc62e81fb70482c1a2444667f
Link:
https://www.unpac.me/results/3025fee7-3237-4757-91f4-8e1bb702f2f5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba47f657a4745c96a62c444100d6c38bbff772b47ac03e83dc3ef5d94bc1d77c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172525/

Comments