MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c917658a5ebc82c803b3b971fe6a73035318d6eb1d95076b6f27a0b2a1ecd53a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c917658a5ebc82c803b3b971fe6a73035318d6eb1d95076b6f27a0b2a1ecd53a
SHA3-384 hash: 5ad72f885d3707de2d3d39409c456d046d23fb761467c30abcae85cc162087cd1908f9391b786124def9b8c9f3e03438
SHA1 hash: c53db043874364798d3b3d383a1cf34843e6871d
MD5 hash: a6387fe507e39bd7c3c7531e93b7f093
humanhash: network-nineteen-montana-wisconsin
File name:gtsdghg.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'592'832 bytes
First seen:2020-11-12 08:08:15 UTC
Last seen:2024-07-24 21:24:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (235 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 49152:3++ajnIgwTVE/qoAMzaDSuyLN2JQsvBKdx9j:GIgwa/rAT+uyLdakj
Threatray 1'074 similar samples on MalwareBazaar
TLSH 547533C145C33AD5EB6B523F7099E8A9C64C91FA11EAF728BFADFDC058391410B9058B
Reporter JoulK
Tags:BitRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Setting a global event handler
Setting a global event handler for the keyboard
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/532122
Signature
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c917658a5ebc82c803b3b971fe6a73035318d6eb1d95076b6f27a0b2a1ecd53a/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 08:09:06 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zelwlcs6xsbmqa5txfy742ttanjrrvxldwkqo23pe6qlfipm2u5a._file
Verdict:
unknown
Similar samples:
069c2e6f7dbaf794feb28bc32d90db33d030b6169c3a21133f5ad5cadf081c1b
BitRAT
0e659c7f42d4e96e05821b1df99216e5887904ada083fd61c6f77b9628a7890c
BitRAT
389875d4c35ff8da276f122cb6b4ebd1b1d65ce5da5c05defefaf40c2609dbaf
BitRAT
4f8130693067523c153d09b000e48e744ca3b86388221a840349746ea6e561df
BitRAT
7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964
BitRAT
7e6dc9928e049d75cd726d8542b39cf46afef0cfd37c8dcb968ea618aedbb696
BitRAT
8ea8ef6c916a4559dde761c0373d4cd662af71e00140b6be6ddf38e3c2e38b76
BitRAT
ad5d194018074784d3a8ac9aa334d5b0b4c8ec9fe721ba7870ef054e29d4529d
BitRAT
bd5d3ebe6150f53c1535e1667a18bbd4831751a414e7518dc8e1d15a19db95b3
BitRAT
fee0b02e4e0358d8025fa74d2780dd557c2de871e03a82b3dd7aadaf451ea1a3
BitRAT
+ 1'064 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/201112-mtkf78eszj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
c917658a5ebc82c803b3b971fe6a73035318d6eb1d95076b6f27a0b2a1ecd53a
MD5 hash:
a6387fe507e39bd7c3c7531e93b7f093
SHA1 hash:
c53db043874364798d3b3d383a1cf34843e6871d
Link:
https://www.unpac.me/results/80dbfed7-dab4-40f1-b582-fffd10109a14/
SH256 hash:
e0055cbd338dc3f9c66d0df7e17595ef272636a4c5e0928b90276766ac61d4f0
MD5 hash:
f189ee2112ef8bb9ba321d80410e6a3b
SHA1 hash:
6a1e7077ef813431069c12a89511eb4fa750e379
Detections:
win_bit_rat_w0
Create hunting rule
Link:
https://www.unpac.me/results/80dbfed7-dab4-40f1-b582-fffd10109a14/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_bit_rat_w0
Create hunting rule
Author:KrabsOnSecurity
Description:String-based rule for detecting BitRAT malware payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe c917658a5ebc82c803b3b971fe6a73035318d6eb1d95076b6f27a0b2a1ecd53a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/809991/

Comments