MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de5c46975f4bd7759bf711ea3ecc5833c0eadac92b466806e3a2cdcb57b7da19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de5c46975f4bd7759bf711ea3ecc5833c0eadac92b466806e3a2cdcb57b7da19
SHA3-384 hash: 87e04a268275997cfd6b70c4086938fa0d096bc6aac5d0b0183a2c51758d8c0f13cf7edf32908f5fba103200ebccaa04
SHA1 hash: d2aad9dde6bad47e789f63fb7063dd47e7f81fb0
MD5 hash: 8c2449e1efd343e82c4ad71877c0fa88
humanhash: uncle-autumn-edward-indigo
File name:Shipping_Details.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'166'848 bytes
First seen:2020-11-18 12:15:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:0VRBd2mRUfVk/x8JJdv5F14bGo2CPHhsn6q/FoF:0VRBdEG/6JdB74bGH16+F
Threatray 28 similar samples on MalwareBazaar
TLSH 5A4518BC361075DFC95BCC76CAA82C64AE60287B970BD203A01715EDAA1DA97DF141F3
Reporter abuse_ch
Tags:BitRAT DHL exe RAT


Avatar
abuse_ch
Malspam distributing BitRAT:

HELO: smtp15
Sending IP: 138.91.89.223
From: DHL Customer Service <admin@dhl.com>
Subject: DHL - Pending delivery
Attachment: Shipping_Details.iso (contains "Shipping_Details.exe")

BitRAT C2:
23.105.131.165:8094

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/540991
Signature
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Contains functionality to steal e-mail passwords
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 319595 Sample: Shipping_Details.exe Startdate: 18/11/2020 Architecture: WINDOWS Score: 100 55 mfon.greaterfr.ml 2->55 73 Antivirus detection for dropped file 2->73 75 Multi AV Scanner detection for dropped file 2->75 77 Sigma detected: Scheduled temp file as task from temp location 2->77 79 8 other signatures 2->79 11 Shipping_Details.exe 6 2->11         started        signatures3 process4 file5 41 C:\Users\user\AppData\...\HdduHLcndhmQ.exe, PE32 11->41 dropped 43 C:\Users\user\AppData\Local\...\tmp5436.tmp, XML 11->43 dropped 45 C:\Users\user\...\Shipping_Details.exe.log, ASCII 11->45 dropped 89 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->89 91 Contains functionality to inject code into remote processes 11->91 15 Shipping_Details.exe 16 11->15         started        19 schtasks.exe 1 11->19         started        signatures6 process7 dnsIp8 59 michaelcardillo.com 181.214.142.116, 49699, 80 ASDETUKhttpwwwheficedcomGB Chile 15->59 37 C:\Users\user\...\KpEPHm6yPOcoiF93.exe, PE32 15->37 dropped 39 C:\Users\user\AppData\Local\...\bitbit[1].exe, PE32 15->39 dropped 21 KpEPHm6yPOcoiF93.exe 1 3 15->21         started        25 conhost.exe 19->25         started        file9 process10 dnsIp11 57 mfon.greaterfr.ml 23.105.131.165, 49703, 8094 LEASEWEB-USA-NYC-11US United States 21->57 81 Multi AV Scanner detection for dropped file 21->81 83 Detected unpacking (changes PE section rights) 21->83 85 Tries to steal Mail credentials (via file registry) 21->85 87 5 other signatures 21->87 27 KpEPHm6yPOcoiF93.exe 24 21->27         started        signatures12 process13 file14 47 C:\Users\user\AppData\Local\...\Unknown.dll, PE32 27->47 dropped 49 C:\Users\user\AppData\...\vcruntime140.dll, PE32 27->49 dropped 51 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 27->51 dropped 53 17 other files (none is malicious) 27->53 dropped 93 Injects a PE file into a foreign processes 27->93 31 KpEPHm6yPOcoiF93.exe 5 27->31         started        signatures15 process16 dnsIp17 61 www.xenarmor.com 31->61 63 xenarmor.com 69.64.94.128 CODERO-DFWUS United States 31->63 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->65 67 Tries to steal Instant Messenger accounts or passwords 31->67 69 Tries to steal Mail credentials (via file access) 31->69 71 2 other signatures 31->71 35 conhost.exe 31->35         started        signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de5c46975f4bd7759bf711ea3ecc5833c0eadac92b466806e3a2cdcb57b7da19/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 11:39:53 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3zoenf27jplxlg7xchvd5tcygpaovwwjfndgqbxdulg4wv5x3imq._file
Verdict:
unknown
Similar samples:
3a53fc0060de3daa43eda52ecb4348ede9d1d95ba89e81906c19da1afd9376b5
BitRAT
3d2c7d89a5f621b42e657be3304c2b7aa256645ff359f2a38bed6e187506530a
BitRAT
44af7302c97eab1187371407735c5192c41b07f4e5ead51adb620f1066d076e9
BitRAT
736cb846af9e2de5730d5b788603d49374fee0e309d2681392456aa41ec3eda1
BitRAT
c917658a5ebc82c803b3b971fe6a73035318d6eb1d95076b6f27a0b2a1ecd53a
BitRAT
cd857ee1ccdff34a0cd65732a18bc3a99d53e388423dcff0a73ca0307dcb1f7a
BitRAT
d2d1a052d4cd07f027578dd283c71ff413b895682a31a79ccbaa0e71d57cb391
BitRAT
e1f08269363e55708c850e156f5f4cdc50acc14efdce1f3464a70c91548c7548
BitRAT
ef67b30b7ae1fd2b27a17f1e0172954912c78c541f7cb162ff003a9b42f128c4
BitRAT
f671b1f716f0176dbaec5ea7ca024cb32f65fe5ceceaf99a80ce080132ec9dd7
BitRAT
+ 18 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence spyware
Link:
https://tria.ge/reports/201118-7r3edblc5j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
JavaScript code in executable
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
de5c46975f4bd7759bf711ea3ecc5833c0eadac92b466806e3a2cdcb57b7da19
MD5 hash:
8c2449e1efd343e82c4ad71877c0fa88
SHA1 hash:
d2aad9dde6bad47e789f63fb7063dd47e7f81fb0
Link:
https://www.unpac.me/results/5c06cc28-df0f-4591-b207-ddc9d45e9e74/
SH256 hash:
43d26ee22f33bf1fe6c47b18aa46f65762aea6157bbe00c142a07661ea98e3b5
MD5 hash:
7c89b3781a243844b027b787596e38cf
SHA1 hash:
73e0d2ed8d1be9fe74d645ffea7e0ac8335c442d
Link:
https://www.unpac.me/results/5c06cc28-df0f-4591-b207-ddc9d45e9e74/
SH256 hash:
cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e
MD5 hash:
8cd5d2014866f4ef60802ff1826998a6
SHA1 hash:
8ff75946905d0b117080cc5a07e6e0bbea4e9bbd
Link:
https://www.unpac.me/results/5c06cc28-df0f-4591-b207-ddc9d45e9e74/
SH256 hash:
77220dde24c0b0e291dcba10182d0171e348e814dd64504381f4635ebe5cb519
MD5 hash:
071c451a188b89e84cebe31b8befaf0b
SHA1 hash:
91e04a81e367ff3bac7d3f287b3e18e2578e7bed
Link:
https://www.unpac.me/results/5c06cc28-df0f-4591-b207-ddc9d45e9e74/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

iso 8992ba0ccdfcbe95e47873465bb28cb3f007b2159cfc422e724f07580bc30b37

BitRAT

Executable exe de5c46975f4bd7759bf711ea3ecc5833c0eadac92b466806e3a2cdcb57b7da19

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/829508/
  
Dropped by
MD5 153c0eec043572b4504f6025bcca7324
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8992ba0ccdfcbe95e47873465bb28cb3f007b2159cfc422e724f07580bc30b37

Comments