MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BitRAT


Vendor detections: 13



SHA256 hash: cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5
SHA3-384 hash: eff881471797e4f7627e68c02576ad203f95ae1be00a0faba23f364078599a2bd13ed8e36b199f99f07f14c389498cfb
SHA1 hash: 66139f98aa2efbde94c5a6d5b6abd7099b1ac8b7
MD5 hash: 90d11bc40e17839b51fcf6a2f0aebb12
humanhash: ink-december-arkansas-potato
File name: 90d11bc40e17839b51fcf6a2f0aebb12
Signature: BitRAT
File size: 7'312'384 bytes
First seen: 2022-09-10 01:06:24 UTC
Last seen: 2023-08-26 21:00:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2a2a662be9dffc461398e7c94d0b55b4 (5 x GuLoader, 3 x CoinMiner, 3 x RedLineStealer)
ssdeep: 196608:SmA20NKKI/0BfjFj0U5mEqddH/qW907NKHBk/alv/bgNTtNalBMskBQFs8AbA9mv:ST20NKKI/0BfjFj0U5mEqddH/qW907NE
Threatray: 847 similar samples on MalwareBazaar
TLSH: T10F76D1B770E72673F2C4B075698A8EB2388D18203179C7F50507A9A3BC66D2F5CED694
TrID:
  32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  20.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  8.7% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 6004724060401060 (2 x BitRAT)
Reporter: zbetcheckin
Tags: 32 BitRAT exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 380
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 90d11bc40e17839b51fcf6a2f0aebb12
Verdict: No threats detected
Analysis date: 2022-09-10 01:08:46 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Searching for the window
Creating a process from a recently created file
Running batch commands
Creating a file in the %AppData% directory
Changing an executable file
Creating a window
Launching a process
Creating synchronization primitives
DNS request
Moving a recently created file
Setting a global event handler
Modifying an executable file
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Infecting executable files
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file

Verdict: No Threat
Threat level: 2/10
Confidence: 75%
Tags: packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AsyncRAT, BitRAT, Quasar
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected BitRAT
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph (rendered graph not reproduced; node data recovered from the graph text):
Behavior Graph ID: 700583
Sample: dmS80AbGJd.exe
Start date: 10/09/2022
Architecture: WINDOWS
Score: 100

Process tree (root processes: dmS80AbGJd.exe, Yoworld.exe, spottifyy.exe):
dmS80AbGJd.exe -> cmd.exe, cmd.exe, WaZjnQ.exe, 4 other processes
  cmd.exe -> Bitduckspottifynew.exe, conhost.exe
  cmd.exe -> Yoworld.exe, conhost.exe
  WaZjnQ.exe -> WerFault.exe
  4 other processes -> BVGExpliot.exe, 5 other processes
  Bitduckspottifynew.exe -> WgUvKD.exe, spottifyy.exe, spottifyy.exe
  WgUvKD.exe -> WerFault.exe
  Yoworld.exe (from cmd.exe) -> schtasks.exe -> conhost.exe
Yoworld.exe -> Dlscord.exe, schtasks.exe -> conhost.exe
  Dlscord.exe -> schtasks.exe -> conhost.exe
spottifyy.exe (no child processes in graph)

Dropped files:
dmS80AbGJd.exe: C:\Users\user\AppData\Roaming\Yoworld.exe (PE32); C:\Users\user\...\Bitduckspottifynew.exe (PE32); C:\Users\user\AppData\Local\Temp\WaZjnQ.exe (PE32); C:\Users\user\AppData\...\BVGExpliot.exe (PE32)
WaZjnQ.exe: C:\Program Files (x86)\AutoIt3\...\SciTE.exe (PE32); C:\Program Files (x86)\AutoIt3\...\MyProg.exe (MS-DOS)
Bitduckspottifynew.exe: C:\Users\user\...\spottifyy.exe (copy) (PE32); C:\Users\user\AppData\Local\Temp\WgUvKD.exe (PE32); C:\Users\user\AppData\Local:10-09-2022 (HTML)
Yoworld.exe (from cmd.exe): C:\Users\user\AppData\Roaming\...\Dlscord.exe (PE32)

Network:
anubisgod.duckdns.org 212.192.246.234 (1440, 49732, 49733) RHC-HOSTINGGB Russian Federation (Bitduckspottifynew.exe; the domain also appears at the start node and under spottifyy.exe)
192.168.2.1 unknown unknown (Bitduckspottifynew.exe)
ddos.dnsnb8.net 63.251.106.25 (49723, 49725, 49729) VOXEL-DOT-NETUS United States (WaZjnQ.exe; the domain also appears under WgUvKD.exe)
ip-api.com 208.95.112.1 TUT-ASUS United States (Dlscord.exe)
api.ipify.org.herokudns.com 52.20.78.240 AMAZON-AESUS United States (Dlscord.exe)
2 other IPs or domains (Dlscord.exe)

Signatures by node:
start: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 16 other signatures
dmS80AbGJd.exe: Adds a directory exclusion to Windows Defender
Yoworld.exe: Hides that the sample has been downloaded from the Internet (zone.identifier)
spottifyy.exe: Contains functionality to inject code into remote processes; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
WaZjnQ.exe: Machine Learning detection for dropped file; Infects executable files (exe, dll, sys, html)
Dlscord.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; May check the online IP address of the machine; 3 other signatures
4 other processes: Adds a directory exclusion to Windows Defender
Bitduckspottifynew.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates files in alternative data streams (ADS); 5 other signatures
Yoworld.exe (from cmd.exe): Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
WgUvKD.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Infects executable files (exe, dll, sys, html)
Threat name: Win32.Virus.Jadtre
Status: Malicious
First seen: 2022-09-10 01:07:42 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 26 of 26 (100.00%)
Threat level: 5/5

Result
Malware family: xenarmor
Score: 10/10
Tags: family:bitrat family:quasar family:xenarmor botnet:yoworld aspackv2 collection password persistence recovery spyware stealer trojan upx
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
ASPack v2.12-2.42
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
BitRAT
Quasar RAT
Quasar payload
XenArmor Suite
Malware Config
C2 Extraction:
anubisgod.duckdns.org:1440
anubisgod.duckdns.org:1338
Unpacked files
SHA256 hash: 0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4
MD5 hash: d208502b720a4c00ae55379a1adff4fe
SHA1 hash: e2c71e9ba414e0070992a9d31e73c9203b48e876
Detections: win_bit_rat_auto

SHA256 hash: d4de9c0be13c02b5a6efad6befb3b27c25fc3adcd1116dc05672e859a9d4e4cc
MD5 hash: 1a57ddbff38a587a70eb6b79cd2601e6
SHA1 hash: aa72d592d8f70bd4ae1548c52faca921f57ea784

SHA256 hash: 82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587
MD5 hash: 8df0a6df45fc592b75ac6b99b2093c88
SHA1 hash: 63b0688d48a9fb81a87d81d4a523854428a526af

SHA256 hash: 01039ca21ae9e1adf5c92745d5e06ea74a05c0b6834412da1fc0732c3e611b81
MD5 hash: 9c7c0c60dcf6ee0b96a2820500b8ce8e
SHA1 hash: 99d2045aadf3c8ebdf04b18fb125b149d393b037
Detections: win_unidentified_045_auto win_unidentified_045_g0

SHA256 hash: cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5
MD5 hash: 90d11bc40e17839b51fcf6a2f0aebb12
SHA1 hash: 66139f98aa2efbde94c5a6d5b6abd7099b1ac8b7

Malware family: QuasarRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: bitrat_unpacked
Author: jeFF0Falltrades
Description: Experimental rule to detect unpacked BitRat payloads on disk or in memory, looking for a combination of strings and decryption/decoding patterns
Reference: https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: MALWARE_Win_BitRAT
Author: ditekSHen
Description: Detects BitRAT RAT

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: RansomwareTest2
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: RansomwareTest3
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: win_bit_rat_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.bit_rat.

Rule name: win_unidentified_045_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.unidentified_045.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: BitRAT
File type: Executable exe
SHA256 hash: cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-09-10 01:06:26 UTC

url : hxxp://212.192.246.234/Spread/BVGExpliot%20V2.exe