MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6513d7fed8e4f4e3bdb5a632f06090ef81fa880b92d42f088acdfb23fc316e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6513d7fed8e4f4e3bdb5a632f06090ef81fa880b92d42f088acdfb23fc316e6
SHA3-384 hash: 114438409879fa4fecff3dd592117a105d1332df3fe86c9a68f8c38663af2185cd27f6d1cb005236fcdf21502df7842a
SHA1 hash: 4efc5dbab121d59e12dcf15f9262add9d8575048
MD5 hash: 033e60b9306106332107840d1eb2477e
humanhash: quiet-winter-utah-finch
File name:033E60B9306106332107840D1EB2477E.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'355'712 bytes
First seen:2021-06-28 17:40:48 UTC
Last seen:2021-06-28 18:38:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:5/Ez4k21GRRnmt1paYkRmAf6fPb0V1pS9zt0jLCU/8NABR4GA:Z2T2+nyMCAfkwD/jL2N6+9
Threatray 115 similar samples on MalwareBazaar
TLSH 61B5DF1D07E3AA6DE50AC1F610868D0C1AB0AD65FD89EB0A766F38B10F33D17AD42577
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
185.157.162.119:57436

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.157.162.119:57436 https://threatfox.abuse.ch/ioc/155357/

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
033E60B9306106332107840D1EB2477E.exe
Verdict:
Malicious activity
Analysis date:
2021-06-28 17:42:03 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/7c7b7000-91bb-4da6-b6bf-85e9f34644ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168614/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.11831.21199.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d402e85-6051-401e-af58-7eb0895b6f55
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808950
Signature
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6513d7fed8e4f4e3bdb5a632f06090ef81fa880b92d42f088acdfb23fc316e6/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 03:29:15 UTC
AV detection:
7 of 29 (24.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yzit277nrzhu4o63ljrs6bqjb34b7keaxewuf4eivtp3ep6dc3ta._file
Verdict:
unknown
Similar samples:
0b639fef11b10b1b8c0bcf71e0030ef94ed4f09f4797447eef43c8a1a5707668
BitRAT
4ccf916fe0d3173dc9e6da3de749b437ff651b13bc32bf0538c29fc30c594a8d
BitRAT
53bcd055cbd5e6095af4dd15128a0a065d1ecd09e2f5882a240fc243ac04a2fe
BitRAT
60cbcdb415e08196418d8b319e4bd3e186ee78639363c5c1c92b0f73637dd581
BitRAT
74f108a1e08fa3ebc3ff8e54f4950e5fa1e75a6e4a9a9968e226b31064fe8d2b
BitRAT
7f3ca9e8e9f6aaab9b8151f262a20dff03d53a437e689cb1c9a937349051e947
BitRAT
7ff2b7827d44f9b69c19b01baef4121501ba8026fa47ea3c84041361d286e16e
BitRAT
8cdbdc48eeff6dbd8b3cf2bcbf91b4c58c5479e8c3779f36debdd3856f17b185
BitRAT
986909ccdc258f70bdb98363576fce9dc101142c6528d588f1308edceafb9ab5
BitRAT
c98f7393639b690d4b1b4a1e9af7ba01ce943ee361a9b230dd1181a3f947a6f3
BitRAT
+ 105 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan
Link:
https://tria.ge/reports/210628-vqtepctcea/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
5841e1ec52ea798fb66845160d36f60444261dc0b57d7e32580c19b44250d446
MD5 hash:
01c3dabad3f686e776be75f49c9356f9
SHA1 hash:
b2b83587332d8fcbb217119906740d703c42a640
Link:
https://www.unpac.me/results/bf5c1857-e3f0-4ef1-92f6-19a5b2fac3d6/
SH256 hash:
fee947de4d05e4d081d6e4862945122e1549403d695cf78c31778c0acd8577e6
MD5 hash:
ec1f015615fb532a1d8fe78ced2e1426
SHA1 hash:
7b0ca09c4a3f997b519b72170938fa1ae63c98a6
Link:
https://www.unpac.me/results/bf5c1857-e3f0-4ef1-92f6-19a5b2fac3d6/
SH256 hash:
c6513d7fed8e4f4e3bdb5a632f06090ef81fa880b92d42f088acdfb23fc316e6
MD5 hash:
033e60b9306106332107840d1eb2477e
SHA1 hash:
4efc5dbab121d59e12dcf15f9262add9d8575048
Link:
https://www.unpac.me/results/bf5c1857-e3f0-4ef1-92f6-19a5b2fac3d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6513d7fed8e4f4e3bdb5a632f06090ef81fa880b92d42f088acdfb23fc316e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168614/

Comments