MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e077c490ee9e566446bd6c2b267c057c5bd0626769e042c8ee98f5249c74841c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e077c490ee9e566446bd6c2b267c057c5bd0626769e042c8ee98f5249c74841c
SHA3-384 hash: 20252af885e20fd0e9e774f58cc357549e902dd43b7bc6ae535e7128ccf69533b8ea81e967e70b7ca00317048ad0f711
SHA1 hash: 37c626505358828d1a9d710a48e5f9b8c620ba2d
MD5 hash: 2844578cbbd22c6efcb1a779a1bf75dc
humanhash: maine-november-mississippi-sweet
File name:2844578cbbd22c6efcb1a779a1bf75dc.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:442'880 bytes
First seen:2021-12-02 15:45:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:/zH5wVI4vDRk0R8sdnPqjIJYV21AgRfpTs3LJzbjn3DpAGwluwHYl+KAmKwBP/D2:EI4LR5RPq0JO2bnTS3aXYFrPrGS
Threatray 1'701 similar samples on MalwareBazaar
TLSH T119945B0EF712C60AF848DB759E772FA067A4FEB6DD51D217E2483D385C2B3692C84246
File icon (PE):PE icon
dhash icon 16174db2a88e9620 (26 x BitRAT, 16 x AsyncRAT, 9 x AveMariaRAT)
Reporter abuse_ch
Tags:BitRAT exe RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
251361061305_36420464_20211202.xlsm
Verdict:
Malicious activity
Analysis date:
2021-12-02 16:36:06 UTC
Tags:
macros macros-on-open trojan rat asyncrat
Link:
https://app.any.run/tasks/f814352b-262e-4555-8609-2cf57af35059

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/210774/
Detection(s):
Win.Dropper.Generic-7113183-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61a8ea3e86bf67e712201d36/reports/c9f8ec2d-2586-42a2-8e00-8ded11c81107/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/061d6212-e8b3-4e14-947d-0de0d78053dd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/900257
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 532737 Sample: Q8B0rd26jp.exe Startdate: 02/12/2021 Architecture: WINDOWS Score: 68 29 Antivirus detection for dropped file 2->29 31 Antivirus / Scanner detection for submitted sample 2->31 33 Machine Learning detection for sample 2->33 35 Machine Learning detection for dropped file 2->35 7 Q8B0rd26jp.exe 1 5 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\yth.exe, PE32 7->23 dropped 25 C:\Users\user\...\yth.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\Temp\RegAsm.exe, PE32 7->27 dropped 10 powershell.exe 9 7->10         started        13 powershell.exe 8 7->13         started        process5 signatures6 37 Uses ping.exe to check the status of other devices and networks 10->37 15 conhost.exe 10->15         started        17 PING.EXE 1 10->17         started        19 conhost.exe 13->19         started        21 PING.EXE 1 13->21         started        process7
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e077c490ee9e566446bd6c2b267c057c5bd0626769e042c8ee98f5249c74841c/
Threat name:
ByteCode-MSIL.Trojan.BitRAT
Create hunting rule
Status:
Malicious
First seen:
2021-12-02 15:46:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4b34jehotzlgirv5nqvsm7afprn5aythnhqefshotd2sjhduqqoa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0b8a5cbe236a7057a2904f18480b85ce9b59b891c0a1a041516248d35760744d
BitRAT
16fc0cec13d88da3d0a36e4c42e733db8f1e21cafc18fd813a25cd0bc835f35a
BitRAT
1d8f931e4e69330838c622831c8cb0225a5126f7141e77747b5cb07a23abf41b
BitRAT
220bb2b7deba41f53a8d86d677691aff283314a29c27cc49b2ba396699237825
BitRAT
b51c07d9a4e50ac499514d378320260821bd7486acd1077a6bddf8ab70c6a2b3
BitRAT
bcf7571a4d9b25fabdc2d6120b1b2d7bd8446ea2bc3a5da1d4127954920067de
BitRAT
ceddcfa72226e91f7435facafe6631d1385ca4d246d242d5136ac4e9462b8611
BitRAT
e6f2be409cbb65ed65758afcc519a1249080be41bf0cf80c32a2d7fea02bc60c
BitRAT
ecb8839117d73d33390c84f7f6e02f4970156ccb2da7b48083922f60625fa8be
BitRAT
+ 1'691 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:bitrat botnet:3 persistence rat suricata trojan
Link:
https://tria.ge/reports/211202-s7mwraabhj/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
BitRAT
BitRAT Payload
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT)
Malware Config
C2 Extraction:
217.64.149.93:1973
Unpacked files
SH256 hash:
603f9683cfd00509e823df7ed17c7d710cd1d3fa0d38de12d9e4473bdbeaa7f7
MD5 hash:
2aa22616c21c7729b8c3b566b0c80e6d
SHA1 hash:
e4386d17640229420719ef8dc0e9840e531fb653
Link:
https://www.unpac.me/results/13c6a70b-a782-4033-b2bf-6ea69f9911e8/
SH256 hash:
024f14c9f931b327eb0c576d0096581dbd0714630900cef17697ec5f78ec5241
MD5 hash:
ceca4219a8d9708a26334832527cab1a
SHA1 hash:
ad3da38a2cda23276ef8f89809f9a63c073a0970
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/13c6a70b-a782-4033-b2bf-6ea69f9911e8/
Parent samples :
20145d1ea9302f0c2285c92831630676e826f5555ad8a266834778d9808a4233
e077c490ee9e566446bd6c2b267c057c5bd0626769e042c8ee98f5249c74841c
1418386128ff3aea3604cf4295bfa49c56ed30b6a2b47112cd742a74448101eb
SH256 hash:
b08fc900306a39b9bb24723121e0b95a7e35e367a7e91f81fd61b28037cddb4c
MD5 hash:
6b2e981468abb0746a65f06216457c1e
SHA1 hash:
2310f6e54847cf167651f3457418af110199fe46
Link:
https://www.unpac.me/results/13c6a70b-a782-4033-b2bf-6ea69f9911e8/
SH256 hash:
e077c490ee9e566446bd6c2b267c057c5bd0626769e042c8ee98f5249c74841c
MD5 hash:
2844578cbbd22c6efcb1a779a1bf75dc
SHA1 hash:
37c626505358828d1a9d710a48e5f9b8c620ba2d
Link:
https://www.unpac.me/results/13c6a70b-a782-4033-b2bf-6ea69f9911e8/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e077c490ee9e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e077c490ee9e566446bd6c2b267c057c5bd0626769e042c8ee98f5249c74841c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe e077c490ee9e566446bd6c2b267c057c5bd0626769e042c8ee98f5249c74841c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1845058/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/210774/

Comments