MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdeab97a1a23c98b3a53d4c7d6c60276597ca67bd80f5d622ccc20b3d703f756. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdeab97a1a23c98b3a53d4c7d6c60276597ca67bd80f5d622ccc20b3d703f756
SHA3-384 hash: 07c0a29e1d5ba9a7a2d230d88fc3a982cdb04066465760a12ee20b864b9cdfe69643f214cf6dd187ca884a916cfb8ba7
SHA1 hash: 08c6d2bd8777037aa0e77b8937e285002d3a4f23
MD5 hash: a2392a5423e76cc1046e4d25f6a62771
humanhash: violet-california-bacon-apart
File name:a2392a5423e76cc1046e4d25f6a62771.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:3'756'544 bytes
First seen:2022-09-22 14:53:52 UTC
Last seen:2022-09-22 18:02:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 70 x LummaStealer, 61 x Rhadamanthys)
ssdeep 98304:IE7qm9FINlmzCTadUwYCQs+J7zU0RYvUc:IfJ+CSUw/p+hRYvUc
Threatray 1'376 similar samples on MalwareBazaar
TLSH T10B06330503D5C2A6F9715B780CFB4B478A317C882876E5AF16CE95DE0E022BCB5B6727
TrID 83.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
7.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:BitRAT exe RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
303
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a2392a5423e76cc1046e4d25f6a62771.exe
Verdict:
No threats detected
Analysis date:
2022-09-22 14:54:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/20a89f2d-3383-43dc-b85a-5529fc639e95

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312375/
Detection(s):
SecuriteInfo.com.Backdoor.Win32.ParalaxRat.Q.MTB.19623.23098.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a process from a recently created file
Creating a file
Creating a window
Moving a recently created file
Launching cmd.exe command interpreter
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38478/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
advpack.dll packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/632c77186aa625318dcec285/reports/7ca6c45c-24a1-4e7d-8299-249c20beb770/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ea25369d-d293-47f8-bbb0-14263f2c7031
Result
Threat name:
AveMaria, BitRAT, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1075378
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Drops PE files to the document folder of the user
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Increases the number of concurrent connection per server for Internet Explorer
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected BitRAT
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 707920 Sample: BlB8WxjJjV.exe Startdate: 22/09/2022 Architecture: WINDOWS Score: 100 83 sheet.duckdns.org 2->83 89 Malicious sample detected (through community Yara rule) 2->89 91 Antivirus detection for dropped file 2->91 93 Antivirus / Scanner detection for submitted sample 2->93 95 9 other signatures 2->95 11 BlB8WxjJjV.exe 1 3 2->11         started        15 rundll32.exe 2->15         started        17 OpenWith.exe 2->17         started        19 OpenWith.exe 2->19         started        signatures3 process4 file5 65 C:\Users\user\AppData\Local\...\sheeter.exe, PE32 11->65 dropped 111 Creates multiple autostart registry keys 11->111 21 sheeter.exe 7 5 11->21         started        25 powershell.exe 14 16 11->25         started        signatures6 process7 dnsIp8 59 C:\Users\user\AppData\Local\...\updater.exe, PE32 21->59 dropped 61 C:\Users\user\AppData\Local\...\explorer.exe, PE32 21->61 dropped 63 C:\Users\user\AppData\Local\Temp\XRCCYX.exe, PE32 21->63 dropped 97 Antivirus detection for dropped file 21->97 99 Multi AV Scanner detection for dropped file 21->99 101 Drops PE files with benign system names 21->101 28 explorer.exe 4 4 21->28         started        32 updater.exe 1 2 21->32         started        35 XRCCYX.exe 1 3 21->35         started        37 EXCEL.EXE 21->37         started        85 sheet.duckdns.org 159.223.57.212, 49712, 9000 CELANESE-US United States 25->85 39 conhost.exe 25->39         started        file9 signatures10 process11 dnsIp12 67 C:\Users\user\Documents\explorer.exe, PE32 28->67 dropped 113 Antivirus detection for dropped file 28->113 115 Multi AV Scanner detection for dropped file 28->115 117 Drops PE files to the document folder of the user 28->117 127 4 other signatures 28->127 41 explorer.exe 28->41         started        45 powershell.exe 21 28->45         started        77 sheet.duckdns.org 32->77 69 C:\Users\user\AppData\Local:22-09-2022, HTML 32->69 dropped 71 C:\Users\user\AppData\...\Install name (copy), PE32 32->71 dropped 119 Creates files in alternative data streams (ADS) 32->119 121 Machine Learning detection for dropped file 32->121 123 Creates multiple autostart registry keys 32->123 125 Hides threads from debuggers 32->125 79 sheet.duckdns.org 35->79 73 C:\Users\user\AppData\Roaming\...\browser.exe, PE32 35->73 dropped 75 C:\Users\user\AppData\Local\Temp\CUVZTV.vbs, ASCII 35->75 dropped 47 wscript.exe 35->47         started        81 192.168.2.1 unknown unknown 37->81 file13 signatures14 process15 dnsIp16 87 sheet.duckdns.org 41->87 103 Antivirus detection for dropped file 41->103 105 System process connects to network (likely due to code injection or exploit) 41->105 107 Multi AV Scanner detection for dropped file 41->107 109 5 other signatures 41->109 49 powershell.exe 41->49         started        51 cmd.exe 41->51         started        53 conhost.exe 45->53         started        signatures17 process18 process19 55 conhost.exe 49->55         started        57 conhost.exe 51->57         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bdeab97a1a23c98b3a53d4c7d6c60276597ca67bd80f5d622ccc20b3d703f756/
Threat name:
ByteCode-MSIL.Backdoor.ParalaxRat
Create hunting rule
Status:
Malicious
First seen:
2022-09-22 14:27:41 UTC
File Type:
PE+ (Exe)
Extracted files:
37
AV detection:
16 of 40 (40.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xxvls6q2epeywost2td5nrqcozmxzjt33ahv2yrmzqqlhvyd65la._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
4e6dd147fe163628e5d79043ab25d1bdca930dfd5cbc5ca77bb345702590f199
BitRAT
5355964b992fd62a5c54529728df346511538375612d5474383e09271017ed7c
BitRAT
c274d34d71a4dfd793b69aeb11803f43d0f5a3e3e4117f7c34f658823bee14ff
BitRAT
d7c1130bfed2081ab246aa229e524dd38eb91b22af6db68ddb89f1c760379d9a
BitRAT
f3941a25493fe512c5800ffe411c0d4f3b673da008b655c2343734f077963c66
BitRAT
f9fb479de7eab6803ff7fdb25fdc447bcaabd26ba4a36c3ea3b4b7b43ed5f313
BitRAT
+ 1'366 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/220922-r9we8sfebm/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Warzone RAT payload
BitRAT
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
sheet.duckdns.org:4110
sheet.duckdns.org:8471
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e9e4e85a-3039-40a9-b000-7960f61f09c1
Unpacked files
SH256 hash:
bdeab97a1a23c98b3a53d4c7d6c60276597ca67bd80f5d622ccc20b3d703f756
MD5 hash:
a2392a5423e76cc1046e4d25f6a62771
SHA1 hash:
08c6d2bd8777037aa0e77b8937e285002d3a4f23
Link:
https://www.unpac.me/results/883963fe-3f8e-4cea-8208-ded5639bd4bf/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bdeab97a1a23/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bdeab97a1a23c98b3a53d4c7d6c60276597ca67bd80f5d622ccc20b3d703f756

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe bdeab97a1a23c98b3a53d4c7d6c60276597ca67bd80f5d622ccc20b3d703f756

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2310044/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/312375/

Comments