MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4fae47c8647fc72fb1bbcadc0df6814c22298b3040938f81cbe0b83fec8b8b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 3 File information Comments

SHA256 hash:	e4fae47c8647fc72fb1bbcadc0df6814c22298b3040938f81cbe0b83fec8b8b3
SHA3-384 hash:	3fe27775e9fa985c27489af705d796f3b7b2d8d0fbd3c51e9afd282a9357374b7437afe14450a1c236fe577b009c211b
SHA1 hash:	2efc9e67fade2a54b97712fb6b55e2f9cf9348dc
MD5 hash:	8b1007a3d642dc4cab47d198bb1b586d
humanhash:	sixteen-montana-apart-blossom
File name:	8B1007A3D642DC4CAB47D198BB1B586D.exe
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	1'729'411 bytes
First seen:	2021-06-20 23:11:03 UTC
Last seen:	2021-06-20 23:42:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	42df58c55f636a16fb6429a9ab9b5d58 (1 x BitRAT)
ssdeep	49152:y4ZSVvusbsEaF9QHFaRiIqcH84wiPdeZPeMrqFx:y4ZSVvuGaRib2VXleu/
Threatray	5'349 similar samples on MalwareBazaar
TLSH	548512136F243641E51340706DBA66665922AC2E6502AF4B22C7BF1A4C72E43EDF773F
Reporter	abuse_ch
Tags:	BitRAT exe RAT

abuse_ch

BitRAT C2:
178.238.8.135:4898

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
178.238.8.135:4898	https://threatfox.abuse.ch/ioc/137867/

Intelligence

File Origin

# of uploads :

# of downloads :

159

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

8B1007A3D642DC4CAB47D198BB1B586D.exe

Verdict:

Malicious activity

Analysis date:

2021-06-20 23:12:06 UTC

Tags:

trojan bitrat rat

Link:

https://app.any.run/tasks/aa427ae2-bd60-495b-9848-1ed19388029b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.VbCrypt.250.6392.190.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/23d57815-0bc2-4a7e-86e7-8a16d3c5278f

Result

Threat name:

BitRAT Xmrig

Detection:

malicious

Classification:

troj.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/804996

Signature

Allocates memory in foreign processes

Contains functionality to hide a thread from the debugger

Contains functionality to inject code into remote processes

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Tries to evade analysis by execution special instruction which cause usermode exception

Writes to foreign memory regions

Yara detected BitRAT

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e4fae47c8647fc72fb1bbcadc0df6814c22298b3040938f81cbe0b83fec8b8b3/

Threat name:

Win32.Spyware.Solmyr

Status:

Malicious

First seen:

2021-06-18 08:44:57 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 46 (54.35%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4t5oi7egi76hf6y3xsw4bx3ictbcfgftaqetr6a4xyfyh7wixczq._file

Verdict:

malicious

Result

Malware family:

bitrat

Score:

10/10

Tags:

family:bitrat trojan upx

Link:

https://tria.ge/reports/210620-8akgkpwls6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

UPX packed file

BitRAT

BitRAT Payload

Unpacked files

SH256 hash:

c07f6fbc4940f48aad27aaaf59706df42a0644ee663fce0e077f4ac3797f10f6

MD5 hash:

89cede4e82b96d266076b92f5dc3aa71

SHA1 hash:

45f0af20455d1c6e88486ef9f01d6152681a52c9

Link:

https://www.unpac.me/results/34e371c7-903a-43d6-8f8d-513aee19144c/

SH256 hash:

e4fae47c8647fc72fb1bbcadc0df6814c22298b3040938f81cbe0b83fec8b8b3

MD5 hash:

8b1007a3d642dc4cab47d198bb1b586d

SHA1 hash:

2efc9e67fade2a54b97712fb6b55e2f9cf9348dc

Link:

https://www.unpac.me/results/34e371c7-903a-43d6-8f8d-513aee19144c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e4fae47c8647fc72fb1bbcadc0df6814c22298b3040938f81cbe0b83fec8b8b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	MALWARE_Win_BitRAT Create hunting rule
Author:	ditekSHen
Description:	Detects BitRAT RAT

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample