MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dff85817c9f5b1bc9153495323fa7b36fc8f8b6a8100155081d885e840da9c89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dff85817c9f5b1bc9153495323fa7b36fc8f8b6a8100155081d885e840da9c89
SHA3-384 hash: ea221ae3a072d80194649124ce78c9b4cc28e716d98ffe8d2549ba077484d7903eb60e50273f25074bc5c528a3e35e65
SHA1 hash: 977e0845cc6ab92ea3c587f6c3fa1945cbb2875b
MD5 hash: c422444e1ea79c35e7e83f2beabf052e
humanhash: happy-four-green-robin
File name:C422444E1EA79C35E7E83F2BEABF052E.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'211'328 bytes
First seen:2021-07-15 12:06:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:Tbxpo3Om1leAPRZFj9PTLG1gpPiAycOs60/xbtXKUjwR:TbxpKOhSR/JC1IlO4ltXKUj
Threatray 48 similar samples on MalwareBazaar
TLSH T14BA533A27B002CA6E81A1BF75003D6FB56A93F997825C24B36FD75B3B33725318194D2
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
91.109.190.4:25874

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.109.190.4:25874 https://threatfox.abuse.ch/ioc/160634/

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C422444E1EA79C35E7E83F2BEABF052E.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-15 12:09:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/24f6e998-8dff-4d57-aa7a-11cc0eaf974f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171970/
Detection(s):
Win.Trojan.Generic-9878081-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0355bd33-b318-4db4-b8ca-10218d7c3761
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816874
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide a thread from the debugger
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 449285 Sample: qp8jWI89oK.exe Startdate: 15/07/2021 Architecture: WINDOWS Score: 100 52 firewall.publicvm.com 2->52 54 Antivirus detection for dropped file 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 8 other signatures 2->60 9 qp8jWI89oK.exe 4 11 2->9         started        13 chrome.exe 2->13         started        15 chrome.exe 2->15         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\qp8jWI89oK.exe, PE32 9->36 dropped 38 C:\Users\user\AppData\Local\...\chrome.exe, PE32 9->38 dropped 40 C:\Users\...\qp8jWI89oK.exe:Zone.Identifier, ASCII 9->40 dropped 46 3 other malicious files 9->46 dropped 76 Writes to foreign memory regions 9->76 78 Injects a PE file into a foreign processes 9->78 17 qp8jWI89oK.exe 1 1 9->17         started        22 wscript.exe 1 9->22         started        24 chrome.exe 13->24         started        42 C:\Users\user\AppData\Local\Temp\chrome.exe, PE32 15->42 dropped 44 C:\Users\user\...\chrome.exe:Zone.Identifier, ASCII 15->44 dropped 80 Infects executable files (exe, dll, sys, html) 15->80 26 chrome.exe 15->26         started        28 chrome.exe 15->28         started        signatures6 process7 dnsIp8 48 firewall.publicvm.com 91.109.190.4, 25874, 49746, 49751 IELOIELOMainNetworkFR France 17->48 50 192.168.2.1 unknown unknown 17->50 34 C:\Users\user\AppData\Local:15-07-2021, HTML 17->34 dropped 62 Antivirus detection for dropped file 17->62 64 Multi AV Scanner detection for dropped file 17->64 66 Creates files in alternative data streams (ADS) 17->66 68 Contains functionality to hide a thread from the debugger 17->68 70 Wscript starts Powershell (via cmd or directly) 22->70 30 powershell.exe 26 22->30         started        72 Machine Learning detection for dropped file 24->72 74 Hides threads from debuggers 24->74 file9 signatures10 process11 process12 32 conhost.exe 30->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dff85817c9f5b1bc9153495323fa7b36fc8f8b6a8100155081d885e840da9c89/
Threat name:
Win32.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-07-09 16:34:34 UTC
AV detection:
23 of 46 (50.00%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=374fqf6j6wy3zektjfjsh6t3g36i7c3kqeabkueb3cc6qqg2tseq._file
Verdict:
unknown
Similar samples:
095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270
BitRAT
71d0b7098599a1499e71ecfb828eef37868f31e4bc0e64d1249b90bd4404c5da
BitRAT
8c584a322deb7e0731b90ae30dbdfe4821d13ad8ae7ade8fffd28ebbf0ca2504
BitRAT
8cdbdc48eeff6dbd8b3cf2bcbf91b4c58c5479e8c3779f36debdd3856f17b185
BitRAT
ad72b126c49eb7543b1d3e24a70d95991429c17e03f110f7cac3bfc214ebb7dc
BitRAT
b78c057366525777ab931d9a4a2962a2df499a6690aae1f3e215097d5adbb458
BitRAT
bf6ed9f5ca0c3261ed154a6ac8e40f3c036083f7be7dd8130a33b9d184a03c79
BitRAT
+ 38 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence spyware stealer trojan
Link:
https://tria.ge/reports/210715-t87xq19zkj/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
17769a2f7d1461841918ecca01ce871a9656f114e671e4af1182ae0fed08ce1a
MD5 hash:
6caf4ad9280fe05085c4d63bd7a9fb06
SHA1 hash:
e3f895c5a6171e9c63456f9064a7489ed5a47f23
Link:
https://www.unpac.me/results/dd8cabad-2c54-4a59-b3ef-3416595f44af/
SH256 hash:
297d320d404de832a5825f39c41848b9dc58d0a887be1260b79710e86057946b
MD5 hash:
e077942d9da2239559f2cff8808f101b
SHA1 hash:
75db50b8514a9f5ea3c19da7762506f97855605c
Link:
https://www.unpac.me/results/dd8cabad-2c54-4a59-b3ef-3416595f44af/
SH256 hash:
26d0b3b7ba1a78dd165c68669c07adc22807bb48a4de7b4a68ae5bf78a4fe005
MD5 hash:
18da810c47bb654f27e6695a9208c2fe
SHA1 hash:
50cf7f2cdce2fe0597d750d9f0209b77d4669ed5
Link:
https://www.unpac.me/results/dd8cabad-2c54-4a59-b3ef-3416595f44af/
SH256 hash:
dff85817c9f5b1bc9153495323fa7b36fc8f8b6a8100155081d885e840da9c89
MD5 hash:
c422444e1ea79c35e7e83f2beabf052e
SHA1 hash:
977e0845cc6ab92ea3c587f6c3fa1945cbb2875b
Link:
https://www.unpac.me/results/dd8cabad-2c54-4a59-b3ef-3416595f44af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dff85817c9f5b1bc9153495323fa7b36fc8f8b6a8100155081d885e840da9c89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171970/

Comments