MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c115174d5a3406d4fcb05170c50293df6f3e1bd14619db5b2be777e16c0f8c5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c115174d5a3406d4fcb05170c50293df6f3e1bd14619db5b2be777e16c0f8c5d
SHA3-384 hash: 695b78f37ba5350a9fb25894f051d014743f78e17175a7cc33166aa0654a6f0d66648dea256d183284b7381ecd3fd493
SHA1 hash: 2eba624fe2ef58e1a7edb1c7d264405c76ffcc70
MD5 hash: 7f090e91a988556d2e9c7db8b714d011
humanhash: delta-undress-fillet-uranus
File name:Receipt_389449009.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:696'184 bytes
First seen:2020-10-15 10:46:34 UTC
Last seen:2020-10-15 12:15:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:45fZ4RJWGuGRb+CDdTph9I+uulk/ePbcPgggL0lBR6+VREzJOAPPwX/ZaRaRURaO:HRJPuGICD7h9XuulsAL0lp3aNg/ZoTq
Threatray 3 similar samples on MalwareBazaar
TLSH 80E4E175F0E7AC0AD87849B41A91884588F0BDF234C7E61B5CD066D8E1EC096EB4AFF5
Reporter abuse_ch
Tags:BitRAT exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.invoicez.xyz
Sending IP: 104.168.165.165
From: "Jose Peter" <postmaster@blerti.xyz>
Subject: Payment Receipt 02201R and shipping details
Attachment: Receipt_389449009.rar (contains "Receipt_389449009.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71257/
Detection(s):
SecuriteInfo.com.Variant.MSILPerseus.237210.5536.17608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a window
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492138
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 298517 Sample: Receipt_389449009.exe Startdate: 15/10/2020 Architecture: WINDOWS Score: 100 51 127.0.0.1 unknown unknown 2->51 53 pastebin.com 2->53 55 michaelcardillo.com 2->55 63 Antivirus detection for dropped file 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 Multi AV Scanner detection for dropped file 2->67 69 10 other signatures 2->69 8 Receipt_389449009.exe 24 6 2->8         started        13 Receipt_389449009.exe 2->13         started        15 Receipt_389449009.exe 2->15         started        signatures3 process4 dnsIp5 57 pastebin.com 104.23.99.190, 443, 49734 CLOUDFLARENETUS United States 8->57 45 C:\Users\user\...\Receipt_389449009.exe, PE32 8->45 dropped 47 C:\...\Receipt_389449009.exe:Zone.Identifier, ASCII 8->47 dropped 71 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->71 73 Creates an undocumented autostart registry key 8->73 75 Drops PE files to the startup folder 8->75 87 2 other signatures 8->87 17 Receipt_389449009.exe 8->17         started        21 powershell.exe 24 8->21         started        23 powershell.exe 25 8->23         started        27 5 other processes 8->27 77 Creates autostart registry keys with suspicious names 13->77 79 Creates multiple autostart registry keys 13->79 81 Hides threads from debuggers 13->81 59 104.23.98.190, 443, 49746, 49758 CLOUDFLARENETUS United States 15->59 61 192.168.2.1 unknown unknown 15->61 83 Adds a directory exclusion to Windows Defender 15->83 85 Injects a PE file into a foreign processes 15->85 25 timeout.exe 15->25         started        file6 signatures7 process8 dnsIp9 49 michaelcardillo.com 181.214.142.112, 443, 49735, 49747 ASDETUKhttpwwwheficedcomGB Chile 17->49 41 C:\Users\user\...\a21iT3roMXk7Lyud.exe, PE32 17->41 dropped 43 C:\Users\user\AppData\Local\...\31[1].exe, PE32 17->43 dropped 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        35 conhost.exe 27->35         started        37 conhost.exe 27->37         started        39 conhost.exe 27->39         started        file10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c115174d5a3406d4fcb05170c50293df6f3e1bd14619db5b2be777e16c0f8c5d/
Threat name:
ByteCode-MSIL.Trojan.Perseus
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 20:01:19 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yekrotk2gqdnj7fqkfymkaut35xt4g6riym5wwzl4536c3aprroq._file
Verdict:
unknown
Similar samples:
04c27b0ff1c12b58c1520db0ffc14e7ced2f5adae24e08a3ff66fcc1723676cf
BitRAT
52f5e7a9a44771795325822713ff8c37f4efa674bbbb375523c3982ab79a52dd
BitRAT
b028c3971be8dfe3152c5718dd75bd0b81d8fbd39f15725d35d53a47d4449a1c
BitRAT
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan persistence upx
Link:
https://tria.ge/reports/201015-k1vv811gxs/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Windows security modification
Loads dropped DLL
Looks for VMWare Tools registry key
Executes dropped EXE
UPX packed file
Looks for VirtualBox Guest Additions in registry
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
c115174d5a3406d4fcb05170c50293df6f3e1bd14619db5b2be777e16c0f8c5d
MD5 hash:
7f090e91a988556d2e9c7db8b714d011
SHA1 hash:
2eba624fe2ef58e1a7edb1c7d264405c76ffcc70
Link:
https://www.unpac.me/results/666df256-9da6-456d-85ca-93b5ace3dab7/
SH256 hash:
8d898b0fd663f54d525cdc9e31b6afed432a847963bf172393fd57597bfab6a3
MD5 hash:
cb9f1ba2b484ff05f3f8c8cf4330eb93
SHA1 hash:
242eed7949a6fc3ab88711ddd6e9a1fbcaca3ab7
Link:
https://www.unpac.me/results/666df256-9da6-456d-85ca-93b5ace3dab7/
SH256 hash:
7d7ea7f727f8f58aeb92cebac26d75876b7a4c279c2297c4a4b26ad8e2ce4459
MD5 hash:
1c2cd4293315e0e729517e1353a63ac7
SHA1 hash:
960d78e3a796ab40ac1c8860296044955aa1b671
Link:
https://www.unpac.me/results/666df256-9da6-456d-85ca-93b5ace3dab7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c115174d5a3406d4fcb05170c50293df6f3e1bd14619db5b2be777e16c0f8c5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

rar 284ee1eb7cce83fd5e676d4a96c65cd8d6732a0b6a34dad21a0dec4badc1d3ee

BitRAT

Executable exe c115174d5a3406d4fcb05170c50293df6f3e1bd14619db5b2be777e16c0f8c5d

(this sample)

  
Dropped by
MD5 b05fb65dd093e5067b5b6e0da0de6528
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71257/
  
Dropped by
SHA256 284ee1eb7cce83fd5e676d4a96c65cd8d6732a0b6a34dad21a0dec4badc1d3ee

Comments