MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4b8b65d748dfb2be2021309f39211105841bfeb9d453e5bd7013aa57cf81a8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FirebirdRAT


Vendor detections: 8


Intelligence 8 IOCs 2 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4b8b65d748dfb2be2021309f39211105841bfeb9d453e5bd7013aa57cf81a8c
SHA3-384 hash: aa5eac56da7606d9d36e311f67ff2d09781591041f3859be5325f0c0caa82618ec39013fefec7f377ff792d11c628fea
SHA1 hash: 2dede84d1d46d1cf76b9239f82bbcc7e43270469
MD5 hash: bbaf114ab1f900dec185a878908f15fb
humanhash: north-nevada-virginia-hawaii
File name:bbaf114ab1f900dec185a878908f15fb.exe
Download: download sample
Signature FirebirdRAT
Create hunting rule
File size:138'752 bytes
First seen:2022-03-16 11:36:12 UTC
Last seen:2022-04-20 09:53:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 3072:9aZ6E9Ko9XPIYaKhzxlIFh1YhfZyHXMcf9618SEgxHE:lUKolPCKZxjfZoMyY15
Threatray 1'246 similar samples on MalwareBazaar
TLSH T180D302EABBCC427DCC944739DC27A72147B0E5294AD3CF4B45DA32676CA05E90D82EC5
File icon (PE):PE icon
dhash icon 60f4d2daeefec000 (3 x RedLineStealer, 1 x RaccoonStealer, 1 x FirebirdRAT)
Reporter abuse_ch
Tags:exe FirebirdRAT


Avatar
abuse_ch
FirebirdRAT C2:
45.9.20.70:81

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.9.20.70:81 https://threatfox.abuse.ch/ioc/395697/
5.206.227.37:3389 https://threatfox.abuse.ch/ioc/395698/

Intelligence

File Origin
# of uploads :
3
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/251389/
Detection(s):
SecuriteInfo.com.ArtemisBBAF114AB1F9.7981.20150.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6231cc04b94fb38cb48df9a0/reports/c8bcb651-448f-4d8f-ac4a-71153b7c8af0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/437c6494-0c61-4df3-af76-1e946280f9e9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
99 / 100
Link:
https://www.joesandbox.com/analysis/957899
Signature
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Suspicious Remote Thread Created
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4b8b65d748dfb2be2021309f39211105841bfeb9d453e5bd7013aa57cf81a8c/
Threat name:
ByteCode-MSIL.Trojan.RealProtectPENGSD
Create hunting rule
Status:
Malicious
First seen:
2022-03-16 11:37:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4s4lmxlurx5sxyqccme7heqrcbmedp7ltvct4w6xae5kk7hydkga._file
Verdict:
malicious
Similar samples:
13687a295bb273d7d9f1c2eea25ce5ae3766b53f1192fb77a7db931e40e21c7b
FirebirdRAT
6d656133f5bac8282f31cc82ca0e3869692164a6907037aabc134736adc87b35
FirebirdRAT
937e8cf5c406f171696985b30f88d3e91f1d6c69e7489e2e4ea2609c641f7bd9
FirebirdRAT
abd985aa1bfe39c848147583e821f9a2b0c806db69900e96850a7a9d70dbb75d
FirebirdRAT
b4929f7fb874ed756d9a535f255eb29057f5f8bc80ca34471cc3681a20282ec9
FirebirdRAT
e962f44882a6fc4f5289556b7b0169b24838ea2285cf961b82447ff71ff2dc0d
FirebirdRAT
f6e4842040712cdd0f767cd5a2a5be80c0928872f2399a671f66ad544b37fa5d
FirebirdRAT
faa265a4262f8913da3fea01c9def0a666c0fd7630c35a63463af4a51b5de6e1
FirebirdRAT
+ 1'236 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
agilenet
Link:
https://tria.ge/reports/220316-nq735sbdaj/
Behaviour
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Unpacked files
SH256 hash:
632c7c32b2a79f2034f3b8e230a63edb4511bd2521fcb61b23ecead2bdc77745
MD5 hash:
160c08efbe260d116a62277671921d5e
SHA1 hash:
8b09d20f85f40e502cadb3ec7795b36768cfab00
Link:
https://www.unpac.me/results/43ff0194-9856-4271-a7c0-304a77a690e7/
SH256 hash:
e4b8b65d748dfb2be2021309f39211105841bfeb9d453e5bd7013aa57cf81a8c
MD5 hash:
bbaf114ab1f900dec185a878908f15fb
SHA1 hash:
2dede84d1d46d1cf76b9239f82bbcc7e43270469
Link:
https://www.unpac.me/results/43ff0194-9856-4271-a7c0-304a77a690e7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e4b8b65d748d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/e4b8b65d748dfb2be2021309f39211105841bfeb9d453e5bd7013aa57cf81a8c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

FirebirdRAT

Executable exe e4b8b65d748dfb2be2021309f39211105841bfeb9d453e5bd7013aa57cf81a8c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1829213/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/251389/

Comments