MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1dfcbaabdd34ccb5257c2856121211485293a7a11a23f61c50440fb27eb2b4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1dfcbaabdd34ccb5257c2856121211485293a7a11a23f61c50440fb27eb2b4f
SHA3-384 hash: e3139962b9423fdde67e50eefd8d4a75a11a3458d2db443bc66b52ff6d4c6a91d2a9c2c1dece5744171bb918c6f6aabf
SHA1 hash: c68f5a6f5fb129c8727480a628d9c45d25b2d2e5
MD5 hash: 339fec85857966c8aeec59f24584a7e9
humanhash: music-earth-alabama-spring
File name:Invoice #3392.vbs
Download: download sample
Signature BitRAT
Create hunting rule
File size:7'755 bytes
First seen:2021-10-22 18:44:53 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:P/NTJhS9INIKMVGQRX8+HLz9spiINIVIWjnCQRX8Lnaa:P/NT2INIRRX8+Hm4INIVI8xRXAx
Threatray 691 similar samples on MalwareBazaar
TLSH T129F11F3CE60376DE741D5E2D09CB77295A10C0B5C953E6F9C740FAAC69EEB40AB51238
Reporter abuse_ch
Tags:BitRAT RAT vbs


Avatar
abuse_ch
BitRAT C2:
23.105.171.80:33957

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
23.105.171.80:33957 https://threatfox.abuse.ch/ioc/236648/

Intelligence

File Origin
# of uploads :
1
# of downloads :
456
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199509/
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/617306b89a5a1e91c5d0050e/reports/a6b37b4f-2a70-417f-b590-1707e0d6b9ee/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/875397
Signature
Creates an undocumented autostart registry key
Multi AV Scanner detection for submitted file
Sigma detected: CrackMapExec PowerShell Obfuscation
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1dfcbaabdd34ccb5257c2856121211485293a7a11a23f61c50440fb27eb2b4f/
Threat name:
Script-WScript.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2021-10-22 18:45:07 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yhp4xkv52ngmwusxykcwcijbcscssot2cgrd6yofarapwj7lfnhq._file
Verdict:
malicious
Similar samples:
0741c36ad10f51f858eefc2e2f0879c9ef1ae90af61d766bd50ebcc67f4d5579
BitRAT
0b365ef77b8b8ed330a2e48b081a20d9eb5b275b276306e5b51615cf10821fe0
BitRAT
51e6527daa5a10028c434c7ceaed1570ddd95e1de0eafa702f77860cec3d0b7c
BitRAT
6200e6a721132d15b787150d21ed3d1a153dcafa0068d7785286a84820d2cb94
BitRAT
a0ab3ba06ede4ced5c9ea2a9d87c49063249d1480c72b56ba4371b69b92c6fee
BitRAT
a8130d6e0367f83f68640720c35d12b339c1a84e371cff73524fcaa0fc62f44c
BitRAT
b4a79b7fac8b571454b8d2373623a9fa825c1bc2ef6d1370b831782237d24984
BitRAT
d1b19d456e97bede86d5bbe8c09b027b00c330e568c0474abb3e60ad154bc62d
BitRAT
f44394f10dd10600a8f25093e76fac442c594ea85debf6bfea0933766529f747
BitRAT
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
BitRAT
+ 681 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan upx
Link:
https://tria.ge/reports/211022-xd4pmachgq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Blocklisted process makes network request
UPX packed file
BitRAT
BitRAT Payload
Malware Config
Dropper Extraction:
http://40.69.216.184/get/5tons.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1dfcbaabdd34ccb5257c2856121211485293a7a11a23f61c50440fb27eb2b4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/199509/

Comments