MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcb73a0ea23548167bd5724418377fe1e8c88f1be3125c0df6cc89722bb26f33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 7

Intelligence 7 IOCs 1 YARA 7 File information Comments

SHA256 hash:	dcb73a0ea23548167bd5724418377fe1e8c88f1be3125c0df6cc89722bb26f33
SHA3-384 hash:	bc7b645eddfdca2f65ea40ff75df98b14eaa5378de072c4564cfec32c2c25e61c503cf800a3abb69dd425da791a4d9d5
SHA1 hash:	986e51c55def0a78234ded145e6c318d87ec3914
MD5 hash:	aff4d9a6a67b7d617a353ea6ebfe7019
humanhash:	music-cold-berlin-alpha
File name:	FEDEX4100985675.vbs
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	743 bytes
First seen:	2021-08-10 14:26:28 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	12:dXVlTX7Fl9kQOGv9IXOMBN3747f+8irXWMMeRo8N5zliwqhP/jvVlg7:Tl7FeG9gOSN374aXLMeyMgV67
Threatray	420 similar samples on MalwareBazaar
TLSH	T190016D00B501F1F39105F747DDF11275A6E776A48891A591306C819F40BB46E3E83E50
Reporter	abuse_ch
Tags:	BitRAT RAT vbs

abuse_ch

BitRAT C2:
103.140.250.132:9178

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
103.140.250.132:9178	https://threatfox.abuse.ch/ioc/167743/

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/177993/

Detection(s):

SecuriteInfo.com.VBS.Agent.VRQtr.695.23222.UNOFFICIAL

Result

Verdict:

UNKNOWN

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/830256

Signature

Creates an undocumented autostart registry key

Obfuscated command line found

Sigma detected: Suspicious PowerShell Command Line

VBScript performs obfuscated calls to suspicious functions

Wscript starts Powershell (via cmd or directly)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dcb73a0ea23548167bd5724418377fe1e8c88f1be3125c0df6cc89722bb26f33/

Threat name:

Script.Downloader.Heuristic

Status:

Malicious

First seen:

2021-08-10 14:27:06 UTC

AV detection:

3 of 46 (6.52%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3s3tudvcgvebm66vojcbqn374humrdy34mjfydpwzsexek5sn4zq._file

Verdict:

malicious

BitRAT

56a430a18e93eee6f709348fba459a6f639c032c7718806c01a6ba522dd704e6

BitRAT

87f4a4c323f26710b7acdc123173fa63f4ccb4f3c8239dfaa489ee69ab89f7cc

BitRAT

88614f9e923a5d979c64bee190f05f0932bc01f351ded417c59e1b2a92be560b

BitRAT

a895ff58cb18d3a5fa3900d36f150c9a1bd213240f77ef8218fec015d6355825

BitRAT

ab59fbf0ee10b8c5428479b1f5dfdb5cfc87dd40407b3742814ab34611f32b1d

BitRAT

eeeb29513e624adb88d3c2e9f89379361aa356001dc338cb6ec9034a48bdc2cd

BitRAT

f44394f10dd10600a8f25093e76fac442c594ea85debf6bfea0933766529f747

BitRAT

+ 410 additional samples on MalwareBazaar

Result

Malware family:

bitrat

Score:

10/10

Tags:

family:bitrat persistence suricata trojan upx

Link:

https://tria.ge/reports/210810-172ws74s4n/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Blocklisted process makes network request

UPX packed file

BitRAT

BitRAT Payload

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

Malware Config

Dropper Extraction:

http://transfer.sh/1cjGBWJ/cleareddefencebooks.txt

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/dcb73a0ea235/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dcb73a0ea23548167bd5724418377fe1e8c88f1be3125c0df6cc89722bb26f33

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CN_disclosed_20180208_c Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://twitter.com/cyberintproject/status/961714165550342146

Rule name:	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse Create hunting rule
Author:	ditekSHen
Description:	Detects file containing reversed ASEP Autorun registry keys

Rule name:	INDICATOR_SUSPICIOUS_EXE_attrib Create hunting rule
Author:	ditekSHen
Description:	Detects executables using attrib with suspicious attributes attributes

Rule name:	MALWARE_Win_NjRAT Create hunting rule
Author:	ditekSHen
Description:	Detects NjRAT / Bladabindi

Rule name:	Njrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/177993/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample