MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d431d6c234dfb75c3fad9cfe53c800e68eec1df826aeee43cc02d802a234e0c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d431d6c234dfb75c3fad9cfe53c800e68eec1df826aeee43cc02d802a234e0c2
SHA3-384 hash: f5cb9be5cf31527195187ce13a68b80143ba339061081d91e6b5ef40cc67e845dc27e464073f911117427a6fa77d31ed
SHA1 hash: bc256b355899f7805e7313d9834767e8ab73312b
MD5 hash: 9ee396f30db2375df1ab7e935acbbcac
humanhash: washington-mississippi-ohio-nuts
File name:ORDER343346PO3455.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'474'944 bytes
First seen:2021-04-07 11:22:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 49152:NdSKw1LSbBGRPpaif65XFH6hLufnSAq58PUYY0XO226/ag:NdS5+bBGRP0SYFHILq5q0T2YH
Threatray 21 similar samples on MalwareBazaar
TLSH 35B512E669E0A201F70F377A1AA7D51EC936AD227C30AFDCB51B726115B2FD908C1B41
Reporter abuse_ch
Tags:BitRAT exe signed

Code Signing Certificate

Organisation:Microsoft Corporation
Issuer:Microsoft Code Signing PCA 2010
Algorithm:sha256WithRSAEncryption
Valid from:2019-05-02T21:25:42Z
Valid to:2020-05-02T21:25:42Z
Serial number: 33000002cf6d2cc57caa65a6d80000000002cf
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 8af8496d49afd06547e816345d06af8f98c5056a0a21a5a2b76582e3251bab68
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: qq.com
Sending IP: 183.3.255.89
From: 袁晓琳 <yuangxiaolin@zhongwangde.com>
Subject: PO#1817911/1817920
Attachment: ORDER343346PO3455.rar (contains "ORDER343346PO3455.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER343346PO3455.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 12:04:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/80612b84-5bd7-4a7a-b3b4-6b0fefd16c67

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132844/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.11128.25559.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Setting a global event handler
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668572
Signature
.NET source code contains potential unpacker
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected BitRAT
Yara detected Costura Assembly Loader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383216 Sample: ORDER343346PO3455.exe Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 50 vst.fastestmaking.com 2->50 56 Yara detected BitRAT 2->56 58 Yara detected Xmrig cryptocurrency miner 2->58 60 .NET source code contains potential unpacker 2->60 62 3 other signatures 2->62 7 ORDER343346PO3455.exe 1 5 2->7         started        10 unfortuet.exe 3 2->10         started        13 unfortuet.exe 2->13         started        signatures3 process4 file5 38 C:\Users\user\AppData\Local\unfortuet.exe, PE32 7->38 dropped 40 C:\Users\user\...\ORDER343346PO3455.exe, PE32 7->40 dropped 42 C:\Users\...\unfortuet.exe:Zone.Identifier, ASCII 7->42 dropped 44 C:\...\ORDER343346PO3455.exe:Zone.Identifier, ASCII 7->44 dropped 15 ORDER343346PO3455.exe 7->15         started        18 ORDER343346PO3455.exe 1 1 7->18         started        22 ORDER343346PO3455.exe 7->22         started        24 ORDER343346PO3455.exe 7->24         started        46 C:\Users\user\AppData\Local\...\unfortuet.exe, PE32 10->46 dropped 48 C:\Users\...\unfortuet.exe:Zone.Identifier, ASCII 10->48 dropped 64 Multi AV Scanner detection for dropped file 10->64 66 Writes to foreign memory regions 10->66 68 Injects a PE file into a foreign processes 10->68 26 unfortuet.exe 10->26         started        28 unfortuet.exe 10->28         started        30 unfortuet.exe 13->30         started        32 unfortuet.exe 13->32         started        34 3 other processes 13->34 signatures6 process7 dnsIp8 70 Multi AV Scanner detection for dropped file 15->70 72 Contains functionality to inject code into remote processes 15->72 74 Contains functionality to hide a thread from the debugger 15->74 52 vst.fastestmaking.com 172.93.187.249, 49721, 49723, 49724 ASN-QUADRANET-GLOBALUS United States 18->52 54 192.168.2.1 unknown unknown 18->54 36 C:\Users\user\AppData\Local:07-04-2021, ASCII 18->36 dropped 76 Creates files in alternative data streams (ADS) 18->76 78 Hides threads from debuggers 18->78 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d431d6c234dfb75c3fad9cfe53c800e68eec1df826aeee43cc02d802a234e0c2/
Threat name:
ByteCode-MSIL.Spyware.Solmyr
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 11:23:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
41
AV detection:
19 of 48 (39.58%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2qy5nqru363vyp5ntt7fhsaa42hoyhpye2xo4q6malmafiru4dba._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
029626fb22c7446fc6f2abd2551252a08507c68fd035d41694e2c77b6e868698
BitRAT
12e2fade9c6f17595717385e99c97a448e87bbbb6a7a30ea2c31062983f4c065
BitRAT
2ceab306e59f18b38542e68048836fc925d2563610809247b4a7d3f38678cbea
BitRAT
30303b663e0b7b9824cc59298b36f824b607b4fb85de53af6aac3a023d895513
BitRAT
334ab59399997e54878083e726a2dbc5d41f844025742b4ea35921a93bf24d68
BitRAT
9dd08cf2672502db217f9772affb88657f8559d8f4d946af25c4b22428ea336a
BitRAT
c582dac0f0f94c07579c35ab71f62b25bf499123d3bea89a33a6b8a80ee3325c
BitRAT
ce9820f87744f7cd5f16e60470ec525cf1852762d5914278815b01737d4adacd
BitRAT
da1fba1d66a44b77440ec136dec09f921d932d5ece0d35030e7c22d50f73bc8a
BitRAT
e95d8b2d7c80f9b47d7c3fb368256962c357404e85f45701a473b6354ca18133
BitRAT
+ 11 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan
Link:
https://tria.ge/reports/210407-343ly2dsax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
430897f197575979f8678e18d73beede01f693df0234292bb4d48b77086ff3ea
MD5 hash:
a6b7df07e157611388758dc2dacb6a09
SHA1 hash:
67320662ff1e6948ba4ca4746e9c9a2f51586a19
Link:
https://www.unpac.me/results/8f71985f-aaf9-469a-a322-5b06db364741/
SH256 hash:
eddd344656870aa2856e370272c861ca66c08b7d4d841802a71ee17d63df6177
MD5 hash:
c7eefed3387094e34fa8719f99a4d0f5
SHA1 hash:
34ff739f6a6b8c9238a0b56ee6c328b413cb66dd
Link:
https://www.unpac.me/results/8f71985f-aaf9-469a-a322-5b06db364741/
SH256 hash:
72ebfe27f2e7a4131f98a1eb38b9a7331de1f424a5e3073464dbb7bc8c6334e4
MD5 hash:
a123101bd517ecc6b1555e8fa60b1de9
SHA1 hash:
1504de13775de42681e03297d45a3cc52974f55f
Link:
https://www.unpac.me/results/8f71985f-aaf9-469a-a322-5b06db364741/
SH256 hash:
4bf3c8e4bda728340abd12c4ef32e66ae0d5d6190e71f02876c5893624749d50
MD5 hash:
40b9a993f6f1dc0ba25546b7b84957dd
SHA1 hash:
01b2016847ad2b3097fedd777dea3158bb4c75a2
Link:
https://www.unpac.me/results/8f71985f-aaf9-469a-a322-5b06db364741/
SH256 hash:
d431d6c234dfb75c3fad9cfe53c800e68eec1df826aeee43cc02d802a234e0c2
MD5 hash:
9ee396f30db2375df1ab7e935acbbcac
SHA1 hash:
bc256b355899f7805e7313d9834767e8ab73312b
Link:
https://www.unpac.me/results/8f71985f-aaf9-469a-a322-5b06db364741/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/d431d6c234dfb75c3fad9cfe53c800e68eec1df826aeee43cc02d802a234e0c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

rar 2b0e93f1d73a56b83d023faf8f08811bf58ecf2eb45a845339498901a6121720

BitRAT

Executable exe d431d6c234dfb75c3fad9cfe53c800e68eec1df826aeee43cc02d802a234e0c2

(this sample)

  
Dropped by
MD5 0a7626252200f305e4140c6d76e860f5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2b0e93f1d73a56b83d023faf8f08811bf58ecf2eb45a845339498901a6121720
Cape
Cape
https://www.capesandbox.com/analysis/132844/

Comments