MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e03954a53253f7f660e3aa933638e57280289b5002288af2b7f0a41e5b921e97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e03954a53253f7f660e3aa933638e57280289b5002288af2b7f0a41e5b921e97
SHA3-384 hash: 979762a811ed887b73861494806bfd089100fc730355a047357a5a9b6c875aa2ca830d678ced92f65f0b9efbe306445a
SHA1 hash: efaf09a2ac52eab07252524514bb6428848ad9e3
MD5 hash: 73095ae10fcd40ea2dc0865a236a6311
humanhash: fix-cat-delaware-rugby
File name:DHL_887343.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'184'744 bytes
First seen:2021-05-26 17:38:22 UTC
Last seen:2021-05-26 19:12:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f537b216fd1d228d82b4c032326b2d86 (2 x Loki, 1 x RemcosRAT, 1 x BitRAT)
ssdeep 12288:34rDy/HJMbgSSxbAQ3LkDJ1iqZ6egzItpFSofPv01jHvfbQOpwoNsv:34qmjSxbL4DJ19AegzItPjc1j7QGsv
Threatray 7 similar samples on MalwareBazaar
TLSH A0456C67B3C244F2C1271A34DD1796A8996ABF30393498467FF52E0D7EBE2413C29297
Reporter abuse_ch
Tags:BitRAT DHL exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_887343.exe
Verdict:
Malicious activity
Analysis date:
2021-05-26 21:27:11 UTC
Tags:
installer trojan bitrat rat
Link:
https://app.any.run/tasks/e24e5f2d-1827-4823-899a-6f0dcbe69138

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/162531/
Detection(s):
SecuriteInfo.com.Fareit-FZO73095AE10FCD.12668.24859.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Setting a global event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/792767
Signature
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 425165 Sample: DHL_887343.exe Startdate: 26/05/2021 Architecture: WINDOWS Score: 92 33 resereved.nerdpol.ovh 2->33 43 Yara detected BitRAT 2->43 45 Yara detected Xmrig cryptocurrency miner 2->45 47 Machine Learning detection for sample 2->47 7 DHL_887343.exe 1 19 2->7         started        12 Tzkjof.exe 13 2->12         started        14 Tzkjof.exe 13 2->14         started        signatures3 process4 dnsIp5 35 cdn.discordapp.com 162.159.130.233, 443, 49733, 49734 CLOUDFLARENETUS United States 7->35 27 C:\Users\Public\Tzkjof\Tzkjof.exe, PE32 7->27 dropped 49 Writes to foreign memory regions 7->49 51 Creates a thread in another existing process (thread injection) 7->51 53 Injects a PE file into a foreign processes 7->53 16 mshta.exe 1 1 7->16         started        55 Multi AV Scanner detection for dropped file 12->55 57 Machine Learning detection for dropped file 12->57 21 ieinstal.exe 12->21         started        37 162.159.129.233, 443, 49751 CLOUDFLARENETUS United States 14->37 23 secinit.exe 14->23         started        file6 signatures7 process8 dnsIp9 29 resereved.nerdpol.ovh 104.208.31.182, 2222, 49745, 49749 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 16->29 31 192.168.2.1 unknown unknown 16->31 25 C:\Users\user\AppData\Local:26-05-2021, HTML 16->25 dropped 39 Creates files in alternative data streams (ADS) 16->39 41 Hides threads from debuggers 16->41 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e03954a53253f7f660e3aa933638e57280289b5002288af2b7f0a41e5b921e97/
Threat name:
Win32.Backdoor.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-05-26 17:39:17 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4a4vjjjskp37myhdvkjtmohfokacrg2qaiuiv4vx6csb4w4sd2lq._file
Verdict:
unknown
Similar samples:
235602d2819de318cb16c1653d3e2500b64688ad18f8f4e960dff1ab0b7e4b74
BitRAT
357ab6a0cf97d36af99606bce098c476c4a24085f4d972038b11b3570486d620
BitRAT
6eee5d1c67a8e34e6d03d64fca1195bf26ceac2a68f454cc37e743ace0483a9f
BitRAT
9c998b6e088d776bcd603aa78bdbcaf4662c88c6f4ea270933db4ab153e5eea9
BitRAT
a8889ff384c38b97b5a48ef4e9586df7c281f40e2719fe248b0d252832969521
BitRAT
ac328fdc21f438733313ebb525a5118799392e49eb3e4d56a8030d618ac370a1
BitRAT
d661d0e5f0c691ce7a9602857de9d47e75802967d4375d6e9e01c0d7178b7f7f
BitRAT
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210526-tnwaevjr42/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Blocklisted process makes network request
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e03954a53253f7f660e3aa933638e57280289b5002288af2b7f0a41e5b921e97

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

Executable exe e03954a53253f7f660e3aa933638e57280289b5002288af2b7f0a41e5b921e97

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/162531/

Comments