MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce626c7e042469928600430d504181b8bc8d4e93d61ab4f89c3eb054acc78f78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce626c7e042469928600430d504181b8bc8d4e93d61ab4f89c3eb054acc78f78
SHA3-384 hash: 25c5ca4fdb7843e91d7a129bff3e04b01928532afc48e532a7ad59b555c8d96a5e0a6c9fc0cbe38a38eea8d0e60a7c5b
SHA1 hash: afed5f7dac857a0aee019bac65ee688eaf674102
MD5 hash: 510b1b80b7e153552cf12c28c3540f79
humanhash: ink-timing-juliet-ten
File name:afed5f7dac857a0aee019bac65ee688eaf674102.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'076'160 bytes
First seen:2021-04-08 23:50:29 UTC
Last seen:2021-04-09 01:18:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 49152:DmTcG11KXYGcdkJhlf0LRicVzYh+kV856:6TcGVteh4Fuz85
Threatray 140 similar samples on MalwareBazaar
TLSH 22A533467185AF83FA3E8FB82730014197B6E80B6425E6C85CDA34E548F2FD5CE55EA3
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
194.5.97.116:27629

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.5.97.116:27629 https://threatfox.abuse.ch/ioc/7469/

Intelligence

File Origin
# of uploads :
2
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
afed5f7dac857a0aee019bac65ee688eaf674102.exe
Verdict:
Malicious activity
Analysis date:
2021-04-08 23:53:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0949f21b-db30-41c6-a4f8-7041395c35f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133303/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36648212.16209.27618.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
Setting a global event handler
Setting a global event handler for the keyboard
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad.mine
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/670877
Signature
.NET source code contains potential unpacker
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 384385 Sample: 9pZezwiVaz.exe Startdate: 09/04/2021 Architecture: WINDOWS Score: 96 41 jrandjcpa.org 2->41 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected BitRAT 2->55 57 Yara detected Xmrig cryptocurrency miner 2->57 59 4 other signatures 2->59 10 9pZezwiVaz.exe 3 2->10         started        12 9pZezwiVaz.exe 3 2->12         started        signatures3 process4 file5 16 cmd.exe 1 10->16         started        39 C:\Users\user\AppData\...\9pZezwiVaz.exe.log, ASCII 12->39 dropped 65 Injects a PE file into a foreign processes 12->65 19 9pZezwiVaz.exe 1 12->19         started        22 9pZezwiVaz.exe 12->22         started        signatures6 process7 dnsIp8 49 Suspicious powershell command line found 16->49 24 powershell.exe 18 16->24         started        26 wscript.exe 16->26         started        29 conhost.exe 16->29         started        31 timeout.exe 1 16->31         started        43 jrandjcpa.org 194.5.97.116, 27629, 49724, 49728 DANILENKODE Netherlands 19->43 45 192.168.2.1 unknown unknown 19->45 51 Hides threads from debuggers 19->51 signatures9 process10 signatures11 33 9pZezwiVaz.exe 24->33         started        63 Drops PE files to the startup folder 26->63 process12 process13 35 9pZezwiVaz.exe 33->35         started        dnsIp14 47 jrandjcpa.org 35->47 61 Hides threads from debuggers 35->61 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce626c7e042469928600430d504181b8bc8d4e93d61ab4f89c3eb054acc78f78/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-04-06 20:14:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zzrgy7qeeruzfbqaimgvaqmbxc6i2tut2ynlj6e4h2yfjlghr54a._file
Verdict:
malicious
Similar samples:
086292a6bfd70867d0186a92add0deca164c0588fc37c30c4401e249c2b59257
BitRAT
0bc2a5a5f41749cfba076f97404885868975ceab944455666c0d35342cd72219
BitRAT
3936db5f71715f5ef3c4807c9fe0913943ae3b0aa3f000f40ec95558789a2450
BitRAT
3c433cb1c5fbe7966fc5545c22a795866484b7bab4600598629939ed4a542b01
BitRAT
6b5e00fefc79d8345cc80d0507f4602b587aa41f1f193946c306e8388d8a90f9
BitRAT
7840f0892f2762590368de7091d31be8ace3a3ca1982dd5efd22c938a1552a47
BitRAT
98f10643b82275794bc9708dbffdb248e5f715a7207e1c4a4a453cd7cfa7a059
BitRAT
be06f303ae133e36f87ef001dc369f0212f76b26ad53ec171fd2dcdde9463cea
BitRAT
ed89efa7c8159a2158076d37effc5f0f12bba88955ee9345cf67210ec0a6e43c
BitRAT
fe0a8d4538509b238f96d42c57d73ffb49d1967c4b6dc8b397a4684446a04460
BitRAT
+ 130 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan
Link:
https://tria.ge/reports/210408-jx7th651cj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops startup file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
4319c3cc93d80f5d6a285291232b8749f472d7d30f601a18c836cd59dd5d915b
MD5 hash:
7695eaaaa7ffc57ceb8b5c09c81edf74
SHA1 hash:
555731358bbe0172d790fa18352b2e65c9178c2e
Link:
https://www.unpac.me/results/1fbc99bb-163c-47a7-97f5-1f8a20a25d7f/
SH256 hash:
e3ce97b8f84d8bb7286af4691d29a8dbc7695ce2cbc5f012b8a20cd0d33a08a1
MD5 hash:
20beb50860c914c9b0e0507e8c71843c
SHA1 hash:
3c82d6afea1b5b10a2a2dda512a2c721146cef66
Link:
https://www.unpac.me/results/1fbc99bb-163c-47a7-97f5-1f8a20a25d7f/
SH256 hash:
ce626c7e042469928600430d504181b8bc8d4e93d61ab4f89c3eb054acc78f78
MD5 hash:
510b1b80b7e153552cf12c28c3540f79
SHA1 hash:
afed5f7dac857a0aee019bac65ee688eaf674102
Link:
https://www.unpac.me/results/1fbc99bb-163c-47a7-97f5-1f8a20a25d7f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
BitRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce626c7e042469928600430d504181b8bc8d4e93d61ab4f89c3eb054acc78f78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/133303/

Comments