MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0fe9f8bd65d5a1ffcca6994e9883143c4cb4f51ec33fab4105c30bec01cea69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0fe9f8bd65d5a1ffcca6994e9883143c4cb4f51ec33fab4105c30bec01cea69
SHA3-384 hash: 97c36716470f1169c9f4d0ba1ce31e686d177aa28454cb07374e4e66e449b1b599cbf9272e0c8ffdc9b90d3378edd948
SHA1 hash: c03561a621b16b1fffddd6021bc2620372f6750e
MD5 hash: 8124771b232070e27afa79d448414372
humanhash: shade-table-magnesium-nitrogen
File name:8124771B232070E27AFA79D448414372.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'036'224 bytes
First seen:2021-04-28 01:30:40 UTC
Last seen:2021-04-28 02:01:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:heSng863bBGRPpaif65XFH6hLufnSAq58PUYY01XA:Tng8GbBGRP0SYFHILq5q0BA
Threatray 17 similar samples on MalwareBazaar
TLSH 5E95331BF560C681D688827ACD9B27305733FF5BB0A3D699B58D73451863BABCD062C2
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
139.99.21.207:1900

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
139.99.21.207:1900 https://threatfox.abuse.ch/ioc/18172/

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
376E3A7DD22601E3D4CF96F294A9B29E.exe
Verdict:
Malicious activity
Analysis date:
2021-04-27 22:18:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/74a1d148-1766-4803-aa9d-acca9aad8c64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144754/
Detection(s):
Win.Packed.Bulz-9854729-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
DNS request
Setting a global event handler
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/699843
Signature
.NET source code contains potential unpacker
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected BitRAT
Yara detected Costura Assembly Loader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0fe9f8bd65d5a1ffcca6994e9883143c4cb4f51ec33fab4105c30bec01cea69/
Threat name:
ByteCode-MSIL.Spyware.Solmyr
Create hunting rule
Status:
Malicious
First seen:
2021-04-24 17:23:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
37
AV detection:
11 of 29 (37.93%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4d7j7c6wlvnb77gkngkotcbripcmwt2r5qz7vnaqlqyl5qa45juq._file
Verdict:
malicious
Similar samples:
30303b663e0b7b9824cc59298b36f824b607b4fb85de53af6aac3a023d895513
BitRAT
3b019e395d076e03b3b4a2d9468d3acb36df69115e059119194fbd8dd6d1dd6b
BitRAT
4f450fcf02d7006fd4fbea8c2cad999397672d44864f1e8c504633ce53c3d53d
BitRAT
55f1a2084fd1c1d5477519f06b02aa4fa4d917aaceffd116fc45820dc49a7795
BitRAT
79e2a3311700e87e6d5e4d5f8e23f8f6b5500aa9e25e71afb016df130f21bae0
BitRAT
87763547e91a17c7070d90ab3619415a470e8bf4397a57ad38d0b3dd43fc45c7
BitRAT
9463fd33646ba1e72825b00914cc2d5dfef3e31a584cc717e634fe1f685ba6da
BitRAT
be06f303ae133e36f87ef001dc369f0212f76b26ad53ec171fd2dcdde9463cea
BitRAT
d431d6c234dfb75c3fad9cfe53c800e68eec1df826aeee43cc02d802a234e0c2
BitRAT
da1fba1d66a44b77440ec136dec09f921d932d5ece0d35030e7c22d50f73bc8a
BitRAT
+ 7 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan
Link:
https://tria.ge/reports/210428-vw61pfe5hx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
e736ca41aaac02f2a8de7cb2cb40c36c87618ec2be8d03f188c825400c2fc312
MD5 hash:
4f87e48e2b041f380b9c42360f082ac3
SHA1 hash:
f2bd8ab14deafd4ae69b3ee1accbcf1a72cd4f6a
Link:
https://www.unpac.me/results/90d28451-3bd6-4f25-9a2d-bf3e68a508a1/
SH256 hash:
726f6f5dff7f2434b33136bde2d2883d8ff85e25cb8b7061675ea3b169135d10
MD5 hash:
f34e59a1f5cdcf25d6e93a956e28e4e3
SHA1 hash:
96095a3670517457d396c3e9f02d64a6a5ec6bd7
Link:
https://www.unpac.me/results/90d28451-3bd6-4f25-9a2d-bf3e68a508a1/
SH256 hash:
f9a1f165036cd1fda8b7850f283a9a3d280b63e01a1c730ec19703853f7f54ca
MD5 hash:
3c8b82c8cd41f98b552fc2b9a4392fd9
SHA1 hash:
20bcd991d41604efcd0ccbda3cc8533a66fe6a7b
Link:
https://www.unpac.me/results/90d28451-3bd6-4f25-9a2d-bf3e68a508a1/
SH256 hash:
e0fe9f8bd65d5a1ffcca6994e9883143c4cb4f51ec33fab4105c30bec01cea69
MD5 hash:
8124771b232070e27afa79d448414372
SHA1 hash:
c03561a621b16b1fffddd6021bc2620372f6750e
Link:
https://www.unpac.me/results/90d28451-3bd6-4f25-9a2d-bf3e68a508a1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e0fe9f8bd65d5a1ffcca6994e9883143c4cb4f51ec33fab4105c30bec01cea69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144754/

Comments