MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db7619d7304cbb9c7ad4bf8c74836f241aecac1fda067f3ffadadf7ee6d44930. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db7619d7304cbb9c7ad4bf8c74836f241aecac1fda067f3ffadadf7ee6d44930
SHA3-384 hash: 1c27244c5b7ea3d9b18af7c11a6f21740441bced53da0e4ad9875d3cede7a1f75ebfbcc4d26447aaf179635745dbd064
SHA1 hash: 803131e516784cff0cb6ad6e6b5cb29bc39092b9
MD5 hash: e20a92ba803ccdce1a2508542816f047
humanhash: east-carolina-tango-skylark
File name:Codes.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:6'745'293 bytes
First seen:2021-02-14 16:24:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 863368c64ce108e15b8dde63c326f1e5 (2 x BitRAT)
ssdeep 196608:IqWzFJ74xQUlQDIpa86HyHp9tQ0Nirvk2qSxHyzd3kn:IqWzR6aPC9tHi/qS1yyn
Threatray 94 similar samples on MalwareBazaar
TLSH A8664C139C449B83E55853F4BE035DAC2F5A2B1CE4863AFF11520ECB7E20A665CDE16E
Reporter abuse_ch
Tags:BitRAT exe FRA geo Outlook RAT


Avatar
abuse_ch
Malspam distributing BitRAT:

HELO: EUR04-DB3-obe.outbound.protection.outlook.com
Sending IP: 40.92.74.64
From: ELODIE ALAVINS <dizys2@msn.com>
Subject: le code
Attachment: Codes.rar (contains "Codes.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Codes.exe
Verdict:
Malicious activity
Analysis date:
2021-02-14 16:25:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e29b763e-179e-41a9-ac28-a64d0366e7cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117082/
Detection(s):
Win.Trojan.Generic-6664545-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Setting a global event handler
Connection attempt
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/607597
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contain functionality to detect virtual machines
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db7619d7304cbb9c7ad4bf8c74836f241aecac1fda067f3ffadadf7ee6d44930/
Threat name:
Win32.Backdoor.Poison
Create hunting rule
Status:
Malicious
First seen:
2021-02-14 16:25:12 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3n3btvzqjs5zy6wux6ghja3peqnozla73idh6p723lpx5zwujeya._file
Verdict:
malicious
Similar samples:
533aa4375a4eac85feb6d0ab962c38a68775ed412d056ed12535605fd5c1f415
BitRAT
56d0c7b288fe323703e31519f296d7a1ed4811bc8eb7cf87c56082499aaff297
BitRAT
6c212901b861bddfecd68559ceecc3a35898d965b4e56aeb67febbfa65dc9d52
BitRAT
6c2a2251861a6d2701814843fadac940cf4d34db9f446f0698352fd866b31739
BitRAT
76e5467f267a4bca00af800094c3a92f6bd51de54737f07c533d091e2f219b40
BitRAT
79e6d1b262a31a2619284f38b059e266d0fa27109c9b1f4fc9100aa6bb619e05
BitRAT
83665f8cf0fc798b6dbeca777554aeaeb9d9cc53e27674c36e67294729d118f0
BitRAT
a294e980bb7b7e74981a67379dd4c589803d0d5c17946b3b00ce561791ecfc63
BitRAT
a52ed9486d2ccdf0a9e29fe70ea7df8ddcb8bc06f9329664a310ae32d1308d6f
BitRAT
b895fbf7b60e9534de3a12e5e6c3b5dbe8a5f6149be49e50beae19e0a9006999
BitRAT
+ 84 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan
Link:
https://tria.ge/reports/210214-2fgvf4g59n/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
d87d9d4486b55b467ff2fcc138260c4b24a09bc8346594f186cc1239b7c3a4ae
MD5 hash:
9e03f388888f5571e80ffaaa3a71d888
SHA1 hash:
0d07d442845e8abcbd45d01697d15fc02ff45259
Link:
https://www.unpac.me/results/73bf556e-b4c3-4898-9d96-df656b3fa96f/
SH256 hash:
db7619d7304cbb9c7ad4bf8c74836f241aecac1fda067f3ffadadf7ee6d44930
MD5 hash:
e20a92ba803ccdce1a2508542816f047
SHA1 hash:
803131e516784cff0cb6ad6e6b5cb29bc39092b9
Link:
https://www.unpac.me/results/73bf556e-b4c3-4898-9d96-df656b3fa96f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db7619d7304cbb9c7ad4bf8c74836f241aecac1fda067f3ffadadf7ee6d44930

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

rar a777e0372a1a9202b89bc4528c03223e064b0e3db71559041fd884a6daed57c3

BitRAT

Executable exe db7619d7304cbb9c7ad4bf8c74836f241aecac1fda067f3ffadadf7ee6d44930

(this sample)

  
Dropped by
MD5 10a85509c4d5e93a689f543d3f8fd3ee
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/117082/
  
Dropped by
SHA256 a777e0372a1a9202b89bc4528c03223e064b0e3db71559041fd884a6daed57c3

Comments