MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1f08269363e55708c850e156f5f4cdc50acc14efdce1f3464a70c91548c7548. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1f08269363e55708c850e156f5f4cdc50acc14efdce1f3464a70c91548c7548
SHA3-384 hash: 7eddcb8d30aca4d3f3a78060cdb0fe4cf9b35adb024ee5c874701cb31296c817b80008a3375686107bcae4d1ad9dfd80
SHA1 hash: 9e5a5c3a1470f45cd48409ab832dc8d0dd8facac
MD5 hash: ef4e8566e3e1183c7b42521312d92eb1
humanhash: sweet-potato-johnny-robin
File name:PO 200068914 LACA TRADE I-SCHRODER KG GMBH&Co.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'401'792 bytes
First seen:2020-10-23 12:13:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 49152:RcBjyoEkrJbc/AKBi0MKVKn5LudJGewe49ix/owLNij7+p3+:xUtcKxf5LujwX9ixXijA+
Threatray 46 similar samples on MalwareBazaar
TLSH 82B5120663E4CF58F97F13386538D42053F6BC12A626D2ADBDD114EF2DB2B824A15B27
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
Malspam distributing BitRAT:

HELO: slot0.85xainji.com
Sending IP: 45.145.185.142
From: Sofia Senserini <office@85xainji.com>
Subject: NBG#17 order
Attachment: PO 200068913.lzh (contains "PO 200068914 LACA TRADE I-SCHRODER KG GMBH&Co.exe")

BitRAT C2:
servr.superbanifabused1.xyz

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/75045/
Detection(s):
SecuriteInfo.com.ArtemisEF4E8566E3E1.16603.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/508101
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1f08269363e55708c850e156f5f4cdc50acc14efdce1f3464a70c91548c7548/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 12:03:55 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4hyie2jwhzkxbdefbykw6x2m3rikzqko7xhb6ndeu4gjcvemovea._file
Verdict:
unknown
Similar samples:
2fe26662d53b976914fd7bd9fbb589f5bd4114f47753c9437593b29fcd04c236
BitRAT
564d8ca154a08dbbe3af33d3ec5b5345c31fa8a56d536f9b22063c99db8455d7
BitRAT
6bc296fc9ae6bdb27ca23398f69bfb7b44d69734ff0e03a3322fdf688117e2f5
BitRAT
911f22d0fdceeec6e8e6426b0111c1632e6b70f21940584aa05345ac470c4c4f
BitRAT
9e184fecd3e0be67e11c78d407fe8e1f5f75573b32801bf00055745ef3c86225
BitRAT
c3c62460fce1e7c6964339da00bc229e02872c21de66a35c3aba8592ef7a8872
BitRAT
cc15e8a9e04355389815d8a7be4c34746c87a2a9d672e426c01b00ad0a583069
BitRAT
d8e49c2f12a39f106cc3449ec923265bb5cd10d8b67cc58f45719c9ed4b666f1
BitRAT
d9503dc6cff1393c176eb25789982c93cd5055f27934c43e57154c642d2ea5d4
BitRAT
f535414d7bdcacff5db6ba209be888ebcd7996b1602a3b78a574b72d03cca147
BitRAT
+ 36 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/201023-mlb6gft2rs/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Unpacked files
SH256 hash:
4eb8def8df7465a68cce07739f3798decfa315da9dbd810604ce149a79586c8c
MD5 hash:
f08ce2191c034ff8e9f4d933c948b063
SHA1 hash:
6aade28518b75d497b5bac407a070ee2aa833600
Detections:
win_bit_rat_w0
Create hunting rule
Link:
https://www.unpac.me/results/d6999868-8d70-448b-80b3-259c3dc3d9e5/
SH256 hash:
e1f08269363e55708c850e156f5f4cdc50acc14efdce1f3464a70c91548c7548
MD5 hash:
ef4e8566e3e1183c7b42521312d92eb1
SHA1 hash:
9e5a5c3a1470f45cd48409ab832dc8d0dd8facac
Link:
https://www.unpac.me/results/d6999868-8d70-448b-80b3-259c3dc3d9e5/
SH256 hash:
4565f7d4d2cd822c771604f468f55fe64df50fe51baa42e2b3d88f6760260c75
MD5 hash:
b3454db8ce96eb88ace6016e78f3b0a2
SHA1 hash:
28de69c0470cb95ec3c9d1b9e2624ababefa5358
Link:
https://www.unpac.me/results/d6999868-8d70-448b-80b3-259c3dc3d9e5/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/d6999868-8d70-448b-80b3-259c3dc3d9e5/
SH256 hash:
89ff4e00e4984a722e841a156ec361ff1cccbca11535dae3aca70a84485b5180
MD5 hash:
ab8a4bb2e4fb8960e33db6955aedc572
SHA1 hash:
eb09f91ccc4551bd179ea9d5664b6da9479b0566
Link:
https://www.unpac.me/results/d6999868-8d70-448b-80b3-259c3dc3d9e5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e1f08269363e55708c850e156f5f4cdc50acc14efdce1f3464a70c91548c7548

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_bit_rat_w0
Create hunting rule
Author:KrabsOnSecurity
Description:String-based rule for detecting BitRAT malware payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

rar 9d15e5cb8c5018f0367bc8e359ab8e519eaa89bbf19f70d61ca7048d75841249

BitRAT

Executable exe e1f08269363e55708c850e156f5f4cdc50acc14efdce1f3464a70c91548c7548

(this sample)

  
Dropped by
MD5 5230b1b23eb54428f088d5247c15fc47
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/75045/
  
Dropped by
SHA256 9d15e5cb8c5018f0367bc8e359ab8e519eaa89bbf19f70d61ca7048d75841249

Comments