MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6c07400bf5901c1d43db1590474b77df52eefd02e9bb90b1c8a5d79ded4e194. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6c07400bf5901c1d43db1590474b77df52eefd02e9bb90b1c8a5d79ded4e194
SHA3-384 hash: c369f608939f3252e1143a29eb6072515e12b42d36b00a3ba8fd427e16648278c29bf03001f76d76ec71b523afe2dd03
SHA1 hash: 059d9551b694d37541bfa93f3c1395aae31c5ff8
MD5 hash: 59a3752d320e1166fffe6368bf43f8f7
humanhash: fillet-robin-twenty-sodium
File name:xlsm.com
Download: download sample
Signature BitRAT
Create hunting rule
File size:32'256 bytes
First seen:2021-09-06 00:48:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 384:uaTeZzVoJaMG2Tal+XSUqe3V5K4EmrLlsI5uy0yT7kL+BJnyFf3WCH9LM8CGZzxj:RT8ubyQLF1jhcV8laX
Threatray 428 similar samples on MalwareBazaar
TLSH T1ABE2764276FD2F7ACDB987FA562215021BF1741EA2E1E32E8FD5A0C76662F010A50F17
Reporter Anonymous
Tags:BitRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
xlsm.com
Verdict:
Malicious activity
Analysis date:
2021-09-06 00:49:46 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/07507c5d-7cb5-4b8d-b378-f517fcc7b3e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185488/
Detection(s):
SecuriteInfo.com.Trojan.YakbeexMSIL.ZZ4.26039.3512.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Connection attempt
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
Setting a global event handler
Connecting to a non-recommended domain
Sending a custom TCP request
Sending a UDP request
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8687e5c5-40d5-44a1-8c20-f3276125f2d4
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845636
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Drops PE files to the startup folder
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 478067 Sample: xlsm.com Startdate: 06/09/2021 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Found malware configuration 2->54 56 Yara detected BitRAT 2->56 58 6 other signatures 2->58 9 xlsm.exe 15 4 2->9         started        12 xlsm.exe 3 2->12         started        process3 dnsIp4 50 107.189.4.115, 49701, 49702, 49712 PONYNETUS United States 9->50 14 cmd.exe 3 9->14         started        18 cmd.exe 1 9->18         started        20 xlsm.exe 1 12->20         started        23 xlsm.exe 12->23         started        process5 dnsIp6 42 C:\Users\user\AppData\Roaming\...\xlsm.exe, PE32 14->42 dropped 44 C:\Users\user\...\xlsm.exe:Zone.Identifier, ASCII 14->44 dropped 64 Suspicious powershell command line found 14->64 66 Drops PE files to the startup folder 14->66 25 conhost.exe 14->25         started        27 powershell.exe 18 18->27         started        29 wscript.exe 18->29         started        31 conhost.exe 18->31         started        33 timeout.exe 1 18->33         started        48 185.215.113.102, 1234, 49708, 49709 WHOLESALECONNECTIONSNL Portugal 20->48 68 Hides threads from debuggers 20->68 file7 signatures8 process9 process10 35 xlsm.exe 27->35         started        dnsIp11 46 192.168.2.1 unknown unknown 35->46 60 Injects a PE file into a foreign processes 35->60 39 xlsm.exe 35->39         started        signatures12 process13 signatures14 62 Hides threads from debuggers 39->62
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6c07400bf5901c1d43db1590474b77df52eefd02e9bb90b1c8a5d79ded4e194/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-09-06 00:49:05 UTC
AV detection:
3 of 43 (6.98%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=23ahiaf7lea4dvb5wfmqi5fxpx2s536qf2n3scy4rjoxtxwu4gka._file
Verdict:
unknown
Similar samples:
028fb2b55806708dc61ab34ad360998449e5710eca9d0f85cae4987c6144acf6
BitRAT
1ba68a19bea8cc34d1145e30c3edd928a4bbc35798f13c109be206eb7b8ac89a
BitRAT
846c3069227802dc9a79fe7ffdeaf474866d52653a620a5d03e91c23732127b8
BitRAT
8e3c9001f9377d8c55aabd93e84e71e5b0eaa73bf783e880ef70476b442348b7
BitRAT
a3c961a0fe00bc7bcfa3b0e34baa03d8c3b1d03889cb150e270f5e33f15a8007
BitRAT
cab907df419f9a95b889719e1c302c9693f711ea74e2f73e60ce14f3284704a6
BitRAT
cb5bc89cd1ed26277efef096f0db68a21d74e301e866e7bb14fb0c1207cd64eb
BitRAT
f89a5f2fb9ba4e0e3714a51dff8ca9f56cc54f66368ceadf66e503942c4abac8
BitRAT
+ 418 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat suricata trojan
Link:
https://tria.ge/reports/210906-a6cqaadabp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops startup file
BitRAT
BitRAT Payload
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Unpacked files
SH256 hash:
d6c07400bf5901c1d43db1590474b77df52eefd02e9bb90b1c8a5d79ded4e194
MD5 hash:
59a3752d320e1166fffe6368bf43f8f7
SHA1 hash:
059d9551b694d37541bfa93f3c1395aae31c5ff8
Link:
https://www.unpac.me/results/d09c7b18-0d1f-48b1-a9a3-491eadb16254/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/d6c07400bf5901c1d43db1590474b77df52eefd02e9bb90b1c8a5d79ded4e194

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185488/

Comments