MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2b6ad926987074e93a769eaf34598a4df8bbb839208c57d4fc1516f9ed1eaa6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2b6ad926987074e93a769eaf34598a4df8bbb839208c57d4fc1516f9ed1eaa6
SHA3-384 hash: 6636b8f43d79115e4965ded0e77abd5c2ba4acff454e26ac74f68aa013bd30d1d4df3ad51e7e9d815c639b6a2020f430
SHA1 hash: 3dd82ec282845b3e7acb6ff19c84228754f2db3e
MD5 hash: 0d307e5302320c5ddd815e7c5ef7590c
humanhash: yankee-eleven-foxtrot-princess
File name:PO7581.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'644'992 bytes
First seen:2021-07-13 07:11:48 UTC
Last seen:2021-07-13 07:47:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:qC9nYYtTB6QaApLV4Nxv75IScWOuxB9/4Mc4LaPrQxl:F9dt5pK/5I/DuxHH9LyQ
Threatray 275 similar samples on MalwareBazaar
TLSH T17BC5CE2451B01AC3EB5A8E724D62D934FEA28CC655B085EFE4D138F225B7740F9493BE
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
45.15.143.171:5506

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.15.143.171:5506 https://threatfox.abuse.ch/ioc/159944/

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO7581.exe
Verdict:
Malicious activity
Analysis date:
2021-07-13 07:12:40 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/efe33400-30c2-436d-ac78-485a86d74c16

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171263/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop17.63929.32571.2971.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2dab66b0-9c6c-48a4-8be7-0a3662363879
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/815340
Signature
.NET source code contains very large strings
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447751 Sample: PO7581.exe Startdate: 13/07/2021 Architecture: WINDOWS Score: 80 27 Yara detected BitRAT 2->27 29 Yara detected AntiVM3 2->29 31 Machine Learning detection for sample 2->31 33 3 other signatures 2->33 7 PO7581.exe 6 2->7         started        process3 file4 19 C:\Users\user\AppData\...\ulyyIKhHOYHd.exe, PE32 7->19 dropped 21 C:\Users\user\AppData\Local\...\tmp5BA7.tmp, XML 7->21 dropped 23 C:\Users\user\AppData\...\PO7581.exe.log, ASCII 7->23 dropped 35 Uses schtasks.exe or at.exe to add and modify task schedules 7->35 11 PO7581.exe 1 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 25 45.15.143.171, 49732, 49733, 49739 DEDIPATH-LLCUS Latvia 11->25 37 Hides threads from debuggers 11->37 17 conhost.exe 15->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2b6ad926987074e93a769eaf34598a4df8bbb839208c57d4fc1516f9ed1eaa6/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-13 07:12:12 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2k3k3etjq4du5e5hnhvpgrmyutpyxo4dsiemk7kpyfiw7hwr5kta._file
Verdict:
malicious
Similar samples:
299afdf96e5691a426fc9d0579dfde112bd6931c961d688b83c984f2f7f67be7
BitRAT
3d63c22ce814418819c6a1783e542bd75a23ca4321f49208391f18dd781b27e7
BitRAT
4a820b04406f4c710b08b1675a7ffa778c806285dd115404fb415a8096baadda
BitRAT
52dbaf7435516b388d60abebda89615a4c2286a663de889a15b45be3b71b0def
BitRAT
60b1e21007ef93c3ac0bb8fcb0d063f2429aae47b4715d0324096887aeb165f8
BitRAT
9438c974f3cdefd5a097e55bde4734a2db9438be7c8012fa455d4d8bceb537ca
BitRAT
befaecfa9c1207b951dcf8e72b803cb32d237f16d9e49df1c6c29fcf690b4ec3
BitRAT
+ 265 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan upx
Link:
https://tria.ge/reports/210713-qbzk1f34gn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
7063e6cdcc525b53868ea9e2e593d076cdf0d742711cb1310f720bde04a71b5d
MD5 hash:
0be2cbc7d62e55bd3eca7500d750724d
SHA1 hash:
6467da8d5bd52b5126a70d6cb809b273a5fe2e65
Link:
https://www.unpac.me/results/67e64777-72a8-4031-965a-b12b915fdc3a/
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/67e64777-72a8-4031-965a-b12b915fdc3a/
SH256 hash:
491369e51e451082aef3acdd50c62227259b0786ea69dc83404332f70972fa45
MD5 hash:
bebed7686f356c8b997548818af26cdb
SHA1 hash:
2a90a438df69523bb7895fe2812496c9068d2c46
Link:
https://www.unpac.me/results/67e64777-72a8-4031-965a-b12b915fdc3a/
SH256 hash:
d2b6ad926987074e93a769eaf34598a4df8bbb839208c57d4fc1516f9ed1eaa6
MD5 hash:
0d307e5302320c5ddd815e7c5ef7590c
SHA1 hash:
3dd82ec282845b3e7acb6ff19c84228754f2db3e
Link:
https://www.unpac.me/results/67e64777-72a8-4031-965a-b12b915fdc3a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2b6ad926987074e93a769eaf34598a4df8bbb839208c57d4fc1516f9ed1eaa6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171263/

Comments