MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9
SHA3-384 hash: a554b1eac3d2b6560fb1e18d93b638873c281caed35f7b6ebc9960aa9a808820ce88d6f67ad51280e37d74fd9da13577
SHA1 hash: e217c9fde4b32680a11adf2200e673519f595bd3
MD5 hash: a65b75567794b4d9f2558c672bd07dd5
humanhash: fix-freddie-thirteen-oranges
File name:a65b75567794b4d9f2558c672bd07dd5.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'032'216 bytes
First seen:2022-01-07 13:26:23 UTC
Last seen:2022-01-07 13:36:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'751 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 49152:ymGIzI3c3rdicDBog2FTZ4bDr5uCFSWmW:ymF8M3hig32F6bDrDtl
Threatray 626 similar samples on MalwareBazaar
TLSH T1E995338460903265CE9C2C38F83352956739E773275A8FC47C00B59E097BFD476A6EAE
File icon (PE):PE icon
dhash icon 0020d59591912800 (1 x BitRAT)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
3.91.91.127:3071

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
3.91.91.127:3071 https://threatfox.abuse.ch/ioc/291746/

Intelligence

File Origin
# of uploads :
2
# of downloads :
356
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a65b75567794b4d9f2558c672bd07dd5.exe
Verdict:
Malicious activity
Analysis date:
2022-01-07 13:32:18 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/0c978887-0b22-4266-ac76-1a0dab29873a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AlphaCrypt
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217719/
Detection(s):
SecuriteInfo.com.Variant.Adware.BrowseFox.62.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Launching a process
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/61d83fae02e388f9fdb30ec7/reports/ad622691-7ef9-4bd0-a372-913194baf389/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd172443-5791-455d-93b0-d39c52e285bf
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916830
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to hide a thread from the debugger
Creates files in alternative data streams (ADS)
Detected unpacking (overwrites its own PE header)
Document exploit detected (process start blacklist hit)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-07 13:27:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zr6xgionb2j7wmjouooacjbfn6tawmzvzvtdf3aoqp73jpzlhxeq._file
Verdict:
malicious
Similar samples:
20c16f86d064ace9aba5b2a46939234aa154d6f1bd86d823d7baa31eb291c758
BitRAT
3a3ff370dac609a17ea67e35e81a3b82702afe6660bb3439a489ff8f4350d607
BitRAT
74dd16abbd36832a2e5a60a163b4930a51e0bb6c2a5e32a2f3a4c902e9bfaa99
BitRAT
8d3637cd959d0ea44c713b76b6ad46614b8f91a58398cad0f5929cf179cf9e80
BitRAT
a8130d6e0367f83f68640720c35d12b339c1a84e371cff73524fcaa0fc62f44c
BitRAT
ad29674b1a2bcc3ff4ef5746d9317740ab72b016ee3b89ac9aa9871bcb378b6b
BitRAT
b4a79b7fac8b571454b8d2373623a9fa825c1bc2ef6d1370b831782237d24984
BitRAT
b610d1ae855f79028cabdbd3c1160bc330ef68a7f30ab5544d00b09af341cc68
BitRAT
c1dfcbaabdd34ccb5257c2856121211485293a7a11a23f61c50440fb27eb2b4f
BitRAT
+ 616 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan upx
Link:
https://tria.ge/reports/220107-qp4qfaccf2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
BitRAT
Malware Config
C2 Extraction:
severdops.ddns.net:3071
Unpacked files
SH256 hash:
db951c18a7663218ec16255ce0839d7ebb21bbfcce1797b869356b3243df4690
MD5 hash:
30d2c7c4629f289ec0c8be38cb25a341
SHA1 hash:
a85029b2b2c364a4f179e6948a7b2334d5ea31f3
Link:
https://www.unpac.me/results/28e95edd-cfc9-4fac-be62-7bb22f70bd58/
SH256 hash:
49f41f9d453538296f2ceb0b33aa6caf9647b452ece2134adabfe15b96df764e
MD5 hash:
8704a39f5ea4b0c0a795f94789f7ea2e
SHA1 hash:
222d840388a3ab675c2490df26b6e205b8d69c49
Link:
https://www.unpac.me/results/28e95edd-cfc9-4fac-be62-7bb22f70bd58/
SH256 hash:
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9
MD5 hash:
a65b75567794b4d9f2558c672bd07dd5
SHA1 hash:
e217c9fde4b32680a11adf2200e673519f595bd3
Link:
https://www.unpac.me/results/28e95edd-cfc9-4fac-be62-7bb22f70bd58/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cc7d7321cd0e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1954117/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217719/

Comments