MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc3456df5b06b6f2cae266ee1be8efdfa9396fa97a4b54a68b64ed839989de56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc3456df5b06b6f2cae266ee1be8efdfa9396fa97a4b54a68b64ed839989de56
SHA3-384 hash: 8f30d6b619872eab4739f415b54c15140c67d42353385ddff229fe60794d86476ab8b6448ce5e1f6bb88ff331735e696
SHA1 hash: dbc0a435c770363f4f00bdfeeaef9719d8aa5788
MD5 hash: d69f556eb6cc53d985a2f9cb85c33bc9
humanhash: item-india-muppet-bluebird
File name:d69f556eb6cc53d985a2f9cb85c33bc9.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'528'320 bytes
First seen:2021-10-31 07:50:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (230 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 24576:VndRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkzbHvE3M:NXDFBU2iIBb0xY/6sUYYQs3
TLSH T15C6533E06B1A9B3EF99AC83C79B62D03CC3DC561617B05063E6CC5ED60FF9521884C66
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
41.232.215.20:1440

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
41.232.215.20:1440 https://threatfox.abuse.ch/ioc/240138/

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d69f556eb6cc53d985a2f9cb85c33bc9.exe
Verdict:
Malicious activity
Analysis date:
2021-10-31 07:57:39 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/2952b5ef-07af-46f5-9fe6-a7c84783cbfb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Mikey-9819889-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Memory dumping with NtSystemDebugControl
Changing an executable file
Creating a window
Modifying an executable file
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Launching a process
Searching for the window
Creating a file in the Windows subdirectories
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Self-deleting of the BAT file
Query of malicious DNS domain
Infecting executable files
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/054ee034-2c91-4213-92eb-a08e7eedcdbe
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879972
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Found malware configuration
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Uses known network protocols on non-standard ports
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 512406 Sample: SZf24T6abR.exe Startdate: 31/10/2021 Architecture: WINDOWS Score: 100 34 yoworldservices.space 2->34 44 Multi AV Scanner detection for domain / URL 2->44 46 Found malware configuration 2->46 48 Antivirus detection for dropped file 2->48 50 9 other signatures 2->50 8 SZf24T6abR.exe 2 3 2->8         started        13 spotiify.exe 2->13         started        15 spotiify.exe 2->15         started        signatures3 process4 dnsIp5 36 yoworldservices.space 8->36 38 192.168.2.1 unknown unknown 8->38 28 C:\Users\user\AppData\Local\Temp\tbPLVy.exe, PE32 8->28 dropped 30 C:\Users\user\AppData\Local:31-10-2021, HTML 8->30 dropped 60 Creates files in alternative data streams (ADS) 8->60 62 Hides threads from debuggers 8->62 17 tbPLVy.exe 16 8->17         started        40 yoworldservices.space 13->40 64 Contains functionality to inject code into remote processes 13->64 66 Contains functionality to hide a thread from the debugger 13->66 42 yoworldservices.space 15->42 file6 signatures7 process8 dnsIp9 32 ddos.dnsnb8.net 63.251.106.25, 49757, 49764, 49772 VOXEL-DOT-NETUS United States 17->32 24 C:\Program Files (x86)\AutoIt3\...\SciTE.exe, PE32 17->24 dropped 26 C:\Program Files (x86)\AutoIt3\...\MyProg.exe, MS-DOS 17->26 dropped 52 Antivirus detection for dropped file 17->52 54 Multi AV Scanner detection for dropped file 17->54 56 Machine Learning detection for dropped file 17->56 58 Infects executable files (exe, dll, sys, html) 17->58 22 WerFault.exe 23 9 17->22         started        file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc3456df5b06b6f2cae266ee1be8efdfa9396fa97a4b54a68b64ed839989de56/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2021-10-12 00:43:46 UTC
AV detection:
42 of 45 (93.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zq2fnx23a23pfsxcm3xbx2hp36uts35jpjfvjjulmtwyhgmj3zla._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
aspackv2 persistence upx
Link:
https://tria.ge/reports/211031-jpt3nscedj/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Unpacked files
SH256 hash:
6e68e3e7146f4654e528110cdbac69d67cd9ba4e54b8b782b574ef1aa202c55b
MD5 hash:
47d0ed0792b11b1b5a17637837e69a59
SHA1 hash:
46cf132e185c9b1b1f032b1f285c9e87bfa5a2c5
Detections:
win_unidentified_045_g0
Create hunting rule
win_unidentified_045_auto
Create hunting rule
Link:
https://www.unpac.me/results/64cc2fbd-a4ff-4214-acd9-964d6c2b4cf4/
SH256 hash:
cc3456df5b06b6f2cae266ee1be8efdfa9396fa97a4b54a68b64ed839989de56
MD5 hash:
d69f556eb6cc53d985a2f9cb85c33bc9
SHA1 hash:
dbc0a435c770363f4f00bdfeeaef9719d8aa5788
Link:
https://www.unpac.me/results/64cc2fbd-a4ff-4214-acd9-964d6c2b4cf4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cc3456df5b06/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc3456df5b06b6f2cae266ee1be8efdfa9396fa97a4b54a68b64ed839989de56

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:win_unidentified_045_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.unidentified_045.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe cc3456df5b06b6f2cae266ee1be8efdfa9396fa97a4b54a68b64ed839989de56

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1731844/
  
Delivery method
Distributed via web download

Comments