MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4a364bc4301da3e0a1280d627bb19810e94828e4d2c44b477a9cd576039c664. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BitRAT


Vendor detections: 6



SHA256 hash: e4a364bc4301da3e0a1280d627bb19810e94828e4d2c44b477a9cd576039c664
SHA3-384 hash: 01972ded31453a4e6ddce76fff26186bc28a32ae91c73f29e2e78a2f40f8a64973e43bfc940790df83fd72e3490f0212
SHA1 hash: ce0c57144682e805c0aff95bfe8bb5864a2ef777
MD5 hash: 58aed1afcb85ae619220f0b86506a6ec
humanhash: echo-florida-april-salami
File name: ORDER SPECIFICATIONS.scr
Signature: BitRAT
File size: 1'631'744 bytes
First seen: 2021-04-27 08:32:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger). This is the imphash of a .NET executable's single native import (mscoree.dll!_CorExeMain), which is why it is shared with tens of thousands of unrelated .NET samples; it is not a useful pivot for this file.
ssdeep: 24576:+SmRYLioYVFavXqyY7zprQnKfHhDi6JHmsi2m9mHAMN1pqupK:+S3qiZmVrQnAi6VmsieDpqu
Threatray: 47 similar samples on MalwareBazaar
TLSH: 157523E8B0510291F97029749330DE903329AEE49CF1FE995D89B45B37F66C36C96C8E
Reporter: abuse_ch
Tags: BitRAT RAT scr

Intelligence


File Origin
# of uploads: 1
# of downloads: 139
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: ORDER SPECIFICATIONS.scr
Verdict: No threats detected
Analysis date: 2021-04-27 08:34:32 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour:
Sending a UDP request
Launching a process
Creating a window
Creating a process with a hidden window

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: BitRAT Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Drops executable to a common third party application directory
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected BitRAT
Yara detected Costura Assembly Loader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 398302)
Sample: ORDER SPECIFICATIONS.scr
Start date: 27/04/2021
Architecture: WINDOWS
Score: 100

Root node: DNS jegebit.duckdns.org; signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected BitRAT; 7 other signatures

Process tree (dropped files, signatures and network contacts are listed under the process that produced them):

ORDER SPECIFICATIONS.exe
  Dropped: C:\Users\user\AppData\Roaming\firefox.exe (PE32)
  Dropped: C:\Users\user\...\ORDER SPECIFICATIONS.exe (PE32)
  Dropped: ORDER SPECIFICATIONS.exe:Zone.Identifier (ASCII)
  Dropped: C:\Users\...\ORDER SPECIFICATIONS.exe.log (ASCII)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Drops executable to a common third party application directory; Injects a PE file into a foreign processes
  |-- ORDER SPECIFICATIONS.exe
  |     Network: jegebit.duckdns.org (45.144.225.107, ports 43360, 49732, 49735; DEDIPATH-LLCUS, Netherlands); 192.168.2.1 (unknown)
  |     Dropped: C:\Users\user\AppData\Local\...\eTgZJss9.exe (MS-DOS)
  |     Dropped: C:\Users\user\AppData\Local:27-04-2021 (HTML; the colon after Local marks this as an alternate data stream on the directory)
  |     Signatures: Creates files in alternative data streams (ADS); Hides threads from debuggers; Injects a PE file into a foreign processes
  |     |-- ORDER SPECIFICATIONS.exe
  |-- wscript.exe
  |     Signatures: Wscript starts Powershell (via cmd or directly); Adds a directory exclusion to Windows Defender
  |     |-- powershell.exe
  |           |-- conhost.exe
  |-- ORDER SPECIFICATIONS.exe
firefox.exe (two instances, started from the root node)
  Signatures: Multi AV Scanner detection for dropped file
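Several of the signatures in this sandbox result are cheap to detect on an endpoint from process, file and DNS telemetry. The Python below is an added example written for this page, not MalwareBazaar or any sandbox vendor's code: it encodes four of them (WScript starting PowerShell, a Windows Defender exclusion being added, a write to an alternate data stream, and a lookup of a dynamic-DNS domain) as rules and runs them over constructed Sysmon-style events modelled on the process tree above. The event dictionaries, the .vbs name, the exclusion directory and the DYNDNS_SUFFIXES list are assumptions for the example; the duckdns.org domain and the AppData\Local:27-04-2021 stream path come from the report.

```python
import ntpath
import re

# Dynamic-DNS providers to flag. Assumed list for this example; duckdns.org is the
# provider seen in the sandbox run (jegebit.duckdns.org), the rest are common peers.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "no-ip.org", "hopto.org", "ddns.net")

# Add-MpPreference / Set-MpPreference with any -Exclusion* parameter.
DEFENDER_EXCLUSION_RE = re.compile(
    r"(add|set)-mppreference\b.*-exclusion(path|process|extension)", re.IGNORECASE)

# A second colon after the drive letter, with no backslash after it, names an
# alternate data stream: C:\dir:stream or C:\dir\file.ext:stream.
ADS_RE = re.compile(r"^[A-Za-z]:\\.*:[^\\:]+$")


def _base(path):
    """Lower-cased last component of a Windows path."""
    return ntpath.basename(path).lower()


def rule_wscript_spawns_powershell(ev):
    """Sysmon EventID 1: wscript/cscript starting PowerShell, directly or via cmd."""
    if ev.get("EventID") != 1:
        return None
    parent, child = _base(ev.get("ParentImage", "")), _base(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    if parent in ("wscript.exe", "cscript.exe") and (
            child in ("powershell.exe", "pwsh.exe") or "powershell" in cmd):
        return f"{parent} started {child}"
    return None


def rule_defender_exclusion(ev):
    """Sysmon EventID 1: a command line that adds a Windows Defender exclusion."""
    if ev.get("EventID") != 1:
        return None
    m = DEFENDER_EXCLUSION_RE.search(ev.get("CommandLine", ""))
    return f"Defender exclusion added: {m.group(0)}" if m else None


def rule_ads_write(ev):
    """Sysmon EventID 11/15: a file created as an alternate data stream."""
    target = ev.get("TargetFilename", "")
    if not ADS_RE.match(target):
        return None
    # Every browser download carries a :Zone.Identifier stream (mark-of-the-web);
    # alerting on it would bury the one real hit in noise.
    if target.lower().endswith(":zone.identifier"):
        return None
    return f"alternate data stream written: {target}"


def rule_dynamic_dns(ev):
    """Sysmon EventID 22: DNS query for a dynamic-DNS provider."""
    name = ev.get("QueryName", "").lower().rstrip(".")
    if any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES):
        return f"dynamic DNS lookup: {name}"
    return None


RULES = {
    "wscript_spawns_powershell": rule_wscript_spawns_powershell,
    "defender_exclusion_added": rule_defender_exclusion,
    "ads_file_written": rule_ads_write,
    "dynamic_dns_query": rule_dynamic_dns,
}


def triage(events):
    """Run every rule over every event; return (rule, process, detail) tuples."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                hits.append((name, _base(ev.get("Image", "")), detail))
    return hits


# Constructed events modelled on the sandbox process tree. The full paths, the
# .vbs name and the excluded directory are made up for this example.
SAMPLE = r"C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"' + SAMPLE + '"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": SAMPLE,
     "CommandLine": r'wscript.exe "C:\Users\user\AppData\Local\Temp\stage.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Users\user\AppData\Local:27-04-2021"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Users\user\AppData\Roaming\firefox.exe"},
    {"EventID": 15, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\ORDER SPECIFICATIONS.exe:Zone.Identifier"},
    {"EventID": 22, "Image": SAMPLE, "QueryName": "jegebit.duckdns.org"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "ctldl.windowsupdate.com"},
]

if __name__ == "__main__":
    for rule, proc, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {proc}: {detail}")
```

On the constructed input the four rules fire exactly once each; the Zone.Identifier stream and the Windows Update lookup are deliberately included as the benign cases a naive version of each rule would flag. Sysmon reports stream writes in Event ID 15 (FileCreateStreamHash) as well as Event ID 11, which is why the ADS rule keys on TargetFilename rather than on the event ID.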

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-04-27 08:33:08 UTC
AV detection: 12 of 47 (25.53%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:bitrat persistence trojan upx
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SHA256 hash: cfa90d4891cee3f416f329ccd168443e22efac60628ed854541bb51ee8a12fe8
MD5 hash: a26b6e93fa3688ca014cf445fb765f21
SHA1 hash: c3255d136dd5ab8cb2076c1a772e9d100c78d138

SHA256 hash: 5740ec2eeabddbd741c47a0c70abe28d4f1bfb9898e173619842c57f871cbeaa
MD5 hash: effb4379c1d5955b638d2e7bfecb3ea7
SHA1 hash: 903881042c7e3d2997c00068893bdedef09dac84

SHA256 hash: e68826c7341aa0b6d14ccf1c75e0228ee9c748dff1d207b1b81da9135cf909ee
MD5 hash: 25f7753a81264e8b2cba98311317febd
SHA1 hash: 8932e608c370ae05aa486a5518c9a89f90dc1eeb

SHA256 hash: e4a364bc4301da3e0a1280d627bb19810e94828e4d2c44b477a9cd576039c664
MD5 hash: 58aed1afcb85ae619220f0b86506a6ec
SHA1 hash: ce0c57144682e805c0aff95bfe8bb5864a2ef777
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: MALWARE_Win_BitRAT
Author: ditekSHen
Description: Detects BitRAT RAT

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments